Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 694011
MD5: 1611db9a8c67f61ce0760633edd43c48
SHA1: d2ba3efe05c12cfe47b84241e00fae494b2a1e0d
SHA256: 9808d6a6b9ae7baef6715e6440988055682a88d1b5b1096148acdddc371ecfd2
Tags: exe, SmokeLoader

Detection

Djvu, Fabookie, ManusCrypt, SmokeLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Yara detected SmokeLoader
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Fabookie
Benign Windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected Djvu Ransomware
Yara detected ManusCrypt
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Found Tor onion address
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates processes via WMI
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Contains functionality to inject code into remote processes
Deletes itself after installation
Tries to detect virtualization through RDTSC time measurements
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Detected VMProtect packer
Writes to foreign memory regions
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Registers a DLL
Launches processes in debugging mode, may be used to hinder debugging
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
PE file contains an invalid checksum
Connects to several IPs in different countries
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Process Tree

  • System is w10x64
  • file.exe (PID: 2904 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 1611DB9A8C67F61CE0760633EDD43C48)
    • explorer.exe (PID: 3528 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • regsvr32.exe (PID: 3328 cmdline: regsvr32 /s C:\Users\user\AppData\Local\Temp\70E4.dll MD5: D78B75FC68247E8A63ACBA846182740E)
        • regsvr32.exe (PID: 4712 cmdline: /s C:\Users\user\AppData\Local\Temp\70E4.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • 87B9.exe (PID: 5612 cmdline: C:\Users\user\AppData\Local\Temp\87B9.exe MD5: E990ACDB640F13969C55C38E857AB4AB)
        • 87B9.exe (PID: 4652 cmdline: C:\Users\user\AppData\Local\Temp\87B9.exe MD5: E990ACDB640F13969C55C38E857AB4AB)
      • A024.exe (PID: 3064 cmdline: C:\Users\user\AppData\Local\Temp\A024.exe MD5: 2679869D7C3C730553BDB94848DDEEA5)
      • C05F.exe (PID: 2484 cmdline: C:\Users\user\AppData\Local\Temp\C05F.exe MD5: AE9E2CE4CF9B092A5BBFD1D5A609166E)
        • conhost.exe (PID: 2220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • C05F.exe (PID: 4936 cmdline: "C:\Users\user\AppData\Local\Temp\C05F.exe" -h MD5: AE9E2CE4CF9B092A5BBFD1D5A609166E)
          • conhost.exe (PID: 4560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • D86C.exe (PID: 5068 cmdline: C:\Users\user\AppData\Local\Temp\D86C.exe MD5: 1A86A0186CC8ABD0BE2907E9ED681756)
      • E9D3.exe (PID: 5264 cmdline: C:\Users\user\AppData\Local\Temp\E9D3.exe MD5: 3191DB3E8A8BD2AA891786059AC8636B)
      • ACE4.exe (PID: 1028 cmdline: C:\Users\user\AppData\Local\Temp\ACE4.exe MD5: AE9E2CE4CF9B092A5BBFD1D5A609166E)
        • conhost.exe (PID: 4216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • C39A.exe (PID: 1700 cmdline: C:\Users\user\AppData\Local\Temp\C39A.exe MD5: 1A86A0186CC8ABD0BE2907E9ED681756)
      • dllhost.exe (PID: 2484 cmdline: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} MD5: 2528137C6745C4EADD87817A1909677E)
      • Conhost.exe (PID: 2176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • erhuush (PID: 2344 cmdline: C:\Users\user\AppData\Roaming\erhuush MD5: 1611DB9A8C67F61CE0760633EDD43C48)
  • svchost.exe (PID: 1900 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4632 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • WmiPrvSE.exe (PID: 5656 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
    • rundll32.exe (PID: 3720 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open MD5: 73C519F050C20580F8A62C849D49215A)
      • rundll32.exe (PID: 6052 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • svchost.exe (PID: 332 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
        • svchost.exe (PID: 2200 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s IKEEXT MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5360 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
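No Sigma rule fired in this run, yet the process tree above carries three chains that plain process-creation telemetry can catch: explorer.exe launching regsvr32 and hex-named executables out of %TEMP%, rundll32 started beneath WmiPrvSE.exe (the "Creates processes via WMI" signature), and svchost.exe started by rundll32.exe instead of services.exe. The Python below is an added example, not part of the Joe Sandbox report: it rebuilds the relevant events from the tree and runs three matching rules over them. Full parent image paths and the three benign control events (PIDs 7001-7003) are assumptions, since the report prints only image names and PIDs.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon event 1 / EDR telemetry carry)."""
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


TEMP = r"C:\Users\user\AppData\Local\Temp"

# Reconstructed from the report's process tree. Full parent image paths and the
# three control events (PIDs 7001-7003) are assumptions, not report data.
EVENTS = [
    ProcEvent(3528, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE", 2904, r"C:\Users\user\Desktop\file.exe"),
    ProcEvent(3328, r"C:\Windows\System32\regsvr32.exe", "regsvr32 /s " + TEMP + r"\70E4.dll", 3528, r"C:\Windows\Explorer.EXE"),
    ProcEvent(5612, TEMP + r"\87B9.exe", TEMP + r"\87B9.exe", 3528, r"C:\Windows\Explorer.EXE"),
    ProcEvent(3720, r"C:\Windows\System32\rundll32.exe", 'rundll32.exe "' + TEMP + r'\db.dll",open', 5656, r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ProcEvent(332, r"C:\Windows\System32\svchost.exe", r"c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc", 6052, r"C:\Windows\System32\rundll32.exe"),
    # constructed benign controls: a normal child of explorer, a normal svchost, a vendor DLL registration
    ProcEvent(7001, r"C:\Windows\System32\notepad.exe", "notepad.exe", 3528, r"C:\Windows\Explorer.EXE"),
    ProcEvent(7002, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule", 700, r"C:\Windows\System32\services.exe"),
    ProcEvent(7003, r"C:\Windows\System32\regsvr32.exe", r'regsvr32 /s "C:\Program Files\Vendor\plugin.dll"', 3528, r"C:\Windows\Explorer.EXE"),
]

# The drops in this run are named with up to four hex digits (70E4.dll, 87B9.exe, db.dll).
HEX_DROP = re.compile(r"\\Temp\\[0-9A-Fa-f]{1,4}\.(?:exe|dll)\b", re.IGNORECASE)


def _is(image: str, *names: str) -> bool:
    """Case-insensitive match of an image path against one or more file names."""
    return image.lower().endswith(tuple("\\" + n for n in names))


def rule_explorer_runs_temp_drop(ev: ProcEvent) -> bool:
    """explorer.exe starts a hex-named payload from %TEMP%, directly or via regsvr32/rundll32."""
    return _is(ev.parent_image, "explorer.exe") and HEX_DROP.search(ev.cmdline) is not None


def rule_wmi_spawns_dll_host(ev: ProcEvent) -> bool:
    """A DLL host created through WMI (parent WmiPrvSE.exe) that loads a DLL out of %TEMP%."""
    return (_is(ev.parent_image, "wmiprvse.exe")
            and _is(ev.image, "rundll32.exe", "regsvr32.exe")
            and "\\temp\\" in ev.cmdline.lower())


def rule_svchost_wrong_parent(ev: ProcEvent) -> bool:
    """On a healthy Windows 10 host svchost.exe is started by services.exe; other parents are suspect."""
    return _is(ev.image, "svchost.exe") and not _is(ev.parent_image, "services.exe")


RULES = {
    "explorer_runs_temp_drop": rule_explorer_runs_temp_drop,
    "wmi_spawns_dll_host": rule_wmi_spawns_dll_host,
    "svchost_wrong_parent": rule_svchost_wrong_parent,
}


def evaluate(events):
    """Map PID -> list of rule names that matched its creation event."""
    hits = {}
    for ev in events:
        names = [name for name, rule in RULES.items() if rule(ev)]
        if names:
            hits[ev.pid] = names
    return hits


if __name__ == "__main__":
    for pid, names in evaluate(EVENTS).items():
        print(pid, names)
```

Two caveats when reading the tree against these rules. explorer.exe (PID 3528) sits beneath file.exe because the sample injects into the running explorer, as the injection signatures report, so a process-creation log never links the two; catching that step needs remote-thread or cross-process memory telemetry (Sysmon events 8 and 10 or the EDR equivalent). The second regsvr32 and rundll32 instances (PIDs 4712 and 6052, different MD5 from their parents) are consistent with the 64-bit host relaunching its 32-bit copy for a 32-bit DLL, which is why the svchost rule keys on the parent image rather than on the PID chain.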
Extracted configuration: Djvu (from 15.0.87B9.exe.400000.7.unpack)
{"Download URLs": ["http://rgyui.top/dl/build2.exe", "http://acacaca.org/files/1/build3.exe"],
"C2 url": "http://acacaca.org/lancer/get.php",
"Ransom note file": "_readme.txt",
"Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-lFoTUDc1Fx\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@bestyourmail.ch\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0549Jhyjd",
"Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"],
"Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwWZ7difN4\\/w6uP6dgqG6\\\\nvftez3eaEgDMUWG64EFNomZk\\/aGagJUZNATseVKViU3SRhi\\/imDMtG6Kd0LzCs0Q\\\\nAqErh4UFa\\/yCKZqYcwV\\/9ubI\\/9lwSfhXyDiJ7Erz3GXu4uCZ2llrOvQQo3EjLKMd\\\\nfDs3N5nABcM0JOzt2lH3ErNF+I+LbRkCEhevBBMlmLVLGn02ynpSOz3ZMFdPUX+T\\\\nCsF54KacWKK5HKQ7LOZmsO61suDKNhMdGlSbRELZzmlBPrlGeOK1Ve0GQQzGi+ns\\\\nzWUqS1a35FJvwUlL7aLbYmlgIOLkrg2nnq5epbuQC0TZMKetJq\\/OVJHsZ7xbthII\\\\nlwIDAQAB\\\\n-----END PUBLIC KEY-----"}

Extracted configuration: SmokeLoader (from 00000027.00000002.601597228.00000000009F1000.00000004.10000000.00040000.00000000.sdmp)
{"C2 list": ["http://zdauctions.com/tmp/", "http://mordo.ru/tmp/"]}
Yara matches in memory dumps (5 of the 81 entries in the full report shown)
Source | Rule | Description | Author | Strings
0000001A.00000003.526622172.0000000000B10000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
0000000F.00000000.485672401.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown
  • 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000027.00000002.601597228.00000000009F1000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000027.00000002.601597228.00000000009F1000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
  • 0x3d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000001B.00000002.739912367.0000000002BF5000.00000040.00000800.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Yara matches in unpacked PE files (5 of the 98 entries in the full report shown)
Source | Rule | Description | Author | Strings
26.2.D86C.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
31.2.rundll32.exe.4d00000.0.unpack | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x53366:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
31.2.rundll32.exe.4d00000.0.unpack | JoeSecurity_ManusCrypt | Yara detected ManusCrypt | Joe Security
31.2.rundll32.exe.4d00000.0.unpack | MALWARE_Win_Fabookie | Detects Fabookie / ElysiumStealer | ditekSHen
  • 0x4c6e6:$s1: rwinssyslog
  • 0x4caec:$s2: _kasssperskdy
  • 0x4ca88:$s3: [Title:%s]
  • 0x4cbfc:$s4: [Execute]
  • 0x4cc10:$s5: [Snapshot]
  • 0x4d484:$s6: Mozilla/4.0 (compatible)
  • 0x4de3c:$s9: CUdpClient::Start
31.2.rundll32.exe.4d00000.0.unpack | MALWARE_Win_Chebka | Detects Chebka | ditekSHen
  • 0x4dcf4:$s1: -k netsvcs
  • 0x4d484:$s3: Mozilla/4.0 (compatible)
  • 0x4caec:$s4: _kasssperskdy
  • 0x4c6e8:$s5: winssyslog
  • 0x4da4c:$s6: LoaderDll%d
  • 0x4c4c8:$s7: cmd.exe /c rundll32.exe shell32.dll,
  • 0x4c110:$s8: cmd.exe /c start chrome.exe
  • 0x4c270:$s8: cmd.exe /c start msedge.exe
  • 0x4c440:$s8: cmd.exe /c start firefox.exe
  • 0x54f08:$f1: .?AVCHVncManager@@
  • 0x55204:$f2: .?AVCNetstatManager@@
  • 0x5525c:$f3: .?AVCTcpAgentListener@@
  • 0x54ffc:$f4: .?AVIUdpClientListener@@
  • 0x5541c:$f5: .?AVCShellManager@@
  • 0x553e0:$f6: .?AVCScreenSpy@@
          No Sigma rule has matched
          No Snort rule has matched

AV Detection

Source: http://acacaca.org/lancer/get.php | Avira URL Cloud: Label: malware
Source: http://www.hhiuew33.com/ | URL Reputation: Label: malware
Source: http://www.hhiuew33.com/check/safe | Avira URL Cloud: Label: malware
Source: https://blockstream.info/apihttps://sofolisk.com/api/loginvalid | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\964B.exe | Avira: detection malicious, Label: HEUR/AGEN.1249525
Source: C:\Users\user\AppData\Local\Temp\A024.exe | Avira: detection malicious, Label: HEUR/AGEN.1249525
Source: file.exe | ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\Temp\4A99.exe | ReversingLabs: Detection: 32%
Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Metadefender: Detection: 58%
Source: C:\Users\user\AppData\Local\Temp\87B9.exe | ReversingLabs: Detection: 80%
Source: C:\Users\user\AppData\Local\Temp\964B.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\A024.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\ACE4.exe | Metadefender: Detection: 53%
Source: C:\Users\user\AppData\Local\Temp\ACE4.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\C05F.exe | Metadefender: Detection: 53%
Source: C:\Users\user\AppData\Local\Temp\C05F.exe | ReversingLabs: Detection: 76%
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\964B.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\D86C.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\254.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\C39A.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\erhuush | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\4A99.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\E9D3.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\bchuush | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\519F.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A024.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\70E4.dll | Joe Sandbox ML: detected
Source: 31.2.rundll32.exe.4d00000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 36.0.svchost.exe.2f31bfb0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 43.0.svchost.exe.156b6b50000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 00000027.00000002.601597228.00000000009F1000.00000004.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://zdauctions.com/tmp/", "http://mordo.ru/tmp/"]}
Source: 15.0.87B9.exe.400000.7.unpack | Malware Configuration Extractor: Djvu (the full configuration is reproduced after the process tree above)
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
          Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 87B9.exe, 87B9.exe, 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000000.490507253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000002.503363757.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000000.488104570.0000000000400000.00000040.00000400.00020000.00000000.sdmp
          Source: Binary string: EfiGuardDxe.pdb7 source: E9D3.exe, 0000001B.00000002.739912367.0000000002BF5000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: C:\hototapeges\jof14 godedoraga vihidi69\puwu.pdb source: 87B9.exe, 0000000E.00000000.477984877.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 87B9.exe, 0000000E.00000002.493613078.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 87B9.exe, 0000000F.00000000.484261191.0000000000401000.00000020.00000001.01000000.00000008.sdmp
          Source: Binary string: symsrv.pdbGCTL source: E9D3.exe, 0000001B.00000003.600314128.0000000004088000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: symsrv.pdb source: E9D3.exe, 0000001B.00000003.600314128.0000000004088000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: C:\verumaxebi\sunaw\gewimovucajaf_hitojubare-hewohazap\kifobiv.pdb source: file.exe, file.exe, 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000000.302664627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, erhuush, erhuush, 00000007.00000000.423450379.0000000000401000.00000020.00000001.01000000.00000006.sdmp, erhuush, 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp
          Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 87B9.exe, 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000000.490507253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000002.503363757.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000000.488104570.0000000000400000.00000040.00000400.00020000.00000000.sdmp
          Source: Binary string: C:\wuzoyobumo\xisiw.pdb source: E9D3.exe, 0000001B.00000000.542959704.0000000000401000.00000020.00000001.01000000.0000000D.sdmp
          Source: Binary string: CC:\hototapeges\jof14 godedoraga vihidi69\puwu.pdb source: 87B9.exe, 0000000E.00000000.477984877.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 87B9.exe, 0000000E.00000002.493613078.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 87B9.exe, 0000000F.00000000.484261191.0000000000401000.00000020.00000001.01000000.00000008.sdmp
          Source: Binary string: NC:\verumaxebi\sunaw\gewimovucajaf_hitojubare-hewohazap\kifobiv.pdb source: file.exe, 00000000.00000000.302664627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, erhuush, 00000007.00000000.423450379.0000000000401000.00000020.00000001.01000000.00000006.sdmp
          Source: Binary string: C:\rad_linuv\poniyoy\vixejuni\kugum.pdb source: D86C.exe, 0000001A.00000000.523009146.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, D86C.exe, 0000001A.00000002.544319484.0000000000409000.00000020.00000001.01000000.0000000C.sdmp

          Networking

          Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8address already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcouldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdownloading obfs4proxydriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: expected multiple of 2failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/idna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprotocol not availableprotocol not 
supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wspan has no free spacestack not a power of 2status/bootstrap-phasetimer goroutine (idle)trace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codewirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: Malware configuration extractor | URLs: http://acacaca.org/lancer/get.php
Source: Malware configuration extractor | URLs: http://zdauctions.com/tmp/
Source: Malware configuration extractor | URLs: http://mordo.ru/tmp/
Source: Joe Sandbox View | IP Address: 85.209.157.230
Source: unknown | Network traffic detected: IP country count 15
Source: A024.exe, 00000011.00000003.924299314.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.925282553.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.917214347.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.906851773.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.915984441.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.922262527.00000000005FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://apcotex.com/
Source: A024.exe, 00000011.00000003.881509308.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.882065466.00000000005FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://atbauk.P
Source: E9D3.exe, 0000001B.00000002.739912367.0000000002BF5000.00000040.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.g
Source: E9D3.exe, 0000001B.00000003.588921874.0000000003E7A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: E9D3.exe, 0000001B.00000003.588921874.0000000003E7A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: E9D3.exe, 0000001B.00000003.588921874.0000000003E7A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: 87B9.exe, 0000000F.00000002.505793782.0000000000813000.00000004.00000020.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000003.495972512.0000000000813000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
Source: A024.exe, 00000011.00000003.875583192.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.881509308.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.882065466.00000000005FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://gbm.hhiuew33.com/check/safe
Source: 87B9.exe, 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000000.490507253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000002.503363757.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000000.488104570.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://invalidlog.txtlookup
Source: A024.exe, 00000011.00000003.888609376.00000000005FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pro-fa.com/
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
Source: A024.exe, 00000011.00000003.924357065.00000000005CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://usadig.com/
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
Source: A024.exe, 00000011.00000003.517949411.00000000005FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hhiuew33.coH
Source: A024.exe, 00000011.00000003.547616617.0000000000606000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.924299314.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.925282553.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.546820577.0000000000606000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.917214347.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.548588817.0000000000606000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.888609376.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.906851773.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.545474727.0000000000606000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.924357065.00000000005CA000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.915984441.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.922262527.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.546061583.0000000000606000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.886216752.00000000005FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hhiuew33.com/
Source: A024.exe, 00000011.00000003.509503649.00000000005A9000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.508626394.00000000005AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hhiuew33.com/check/?sid=2015239&key=8072fcd4732872d904f5d23b03531d08
Source: A024.exe, 00000011.00000003.517537044.00000000005A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hhiuew33.com/check/?sid=2015377&key=70dd7a55c597dd230199469c3c3d32b6
Source: A024.exe, 00000011.00000003.516669178.0000000000608000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.517476053.0000000000608000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.518341797.000000000060C000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.518053404.0000000000607000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hhiuew33.com/check/?sid=2015377&key=70dd7a55c597dd230199469c3c3d32b69-90CE-806E6F6E6963
Source: A024.exe, 00000011.00000003.523460921.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.526919336.0000000000628000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.520500191.0000000000628000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.524368517.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.524413971.0000000000619000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.526287413.0000000000628000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.524817915.0000000000628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hhiuew33.com/check/?sid=2015443&key=6fbc9ea36028e7a7aef47e3f25de14479-90CE-806E6F6E6963
Source: A024.exe, 00000011.00000003.527158732.0000000000606000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hhiuew33.com/check/?sid=2015571&key=4db054c96026ef6dad1828790e5c30ce
          Source: A024.exe, 00000011.00000003.527158732.0000000000606000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2015571&key=4db054c96026ef6dad1828790e5c30ce(
          Source: A024.exe, 00000011.00000003.527158732.0000000000606000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2015571&key=4db054c96026ef6dad1828790e5c30ce13305129961782216
          Source: A024.exe, 00000011.00000003.526919336.0000000000628000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.526287413.0000000000628000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2015571&key=4db054c96026ef6dad1828790e5c30ce9-90CE-806E6F6E6963
          Source: A024.exe, 00000011.00000003.527158732.0000000000606000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2015571&key=4db054c96026ef6dad1828790e5c30ce:
          Source: A024.exe, 00000011.00000003.527158732.0000000000606000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2015571&key=4db054c96026ef6dad1828790e5c30cesafe_see?~:
          Source: A024.exe, 00000011.00000003.534285456.0000000000615000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2015661&key=253379595e8709edaa7459e6261ab76f
          Source: A024.exe, 00000011.00000003.532604795.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.533629250.00000000005CB000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.543036109.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.542736341.00000000005D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2015661&key=253379595e8709edaa7459e6261ab76fE9-90CE-806E6F6E6963
          Source: A024.exe, 00000011.00000003.534167479.0000000000606000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2015661&key=253379595e8709edaa7459e6261ab76fatio
          Source: A024.exe, 00000011.00000003.545927414.000000000060D000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.544149773.000000000060D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2015891&key=b779f07443cbe91981cfefc8943025f0
          Source: A024.exe, 00000011.00000003.545244186.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.544526983.00000000005CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2015891&key=b779f07443cbe91981cfefc8943025f09-90CE-806E6F6E6963
          Source: A024.exe, 00000011.00000003.545533996.000000000060D000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.545927414.000000000060D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2015891&key=b779f07443cbe91981cfefc8943025f0nal
          Source: A024.exe, 00000011.00000003.554398119.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.557376459.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.557673507.0000000000608000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.550845431.0000000000607000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.554435845.000000000060A000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.551602096.0000000000608000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.552783679.000000000060A000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.556736628.00000000005FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2016031&key=7e1ca779d9bf4e17f6d764045bd141cf
          Source: A024.exe, 00000011.00000003.574706830.00000000005E4000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.583968460.00000000005E4000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.559657315.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.577092251.00000000005E4000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.559976733.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.561248557.00000000005E4000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.564250091.00000000005E4000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.558452855.00000000005CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2016031&key=7e1ca779d9bf4e17f6d764045bd141cf9-90CE-806E6F6E6963
          Source: A024.exe, 00000011.00000003.552783679.000000000060A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2016031&key=7e1ca779d9bf4e17f6d764045bd141cfa001-6
          Source: A024.exe, 00000011.00000003.554435845.000000000060A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2016031&key=7e1ca779d9bf4e17f6d764045bd141cfl2~7
          Source: A024.exe, 00000011.00000003.554435845.000000000060A000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.552783679.000000000060A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2016031&key=7e1ca779d9bf4e17f6d764045bd141cfnalU~
          Source: A024.exe, 00000011.00000003.568208161.0000000000606000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.570943693.0000000000608000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.571506563.0000000000609000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2016345&key=1cb93d6dec2bc745d06457ef77da4779
          Source: A024.exe, 00000011.00000003.568208161.0000000000606000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.570943693.0000000000608000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.571506563.0000000000609000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2016345&key=1cb93d6dec2bc745d06457ef77da4779nal
          Source: A024.exe, 00000011.00000003.568208161.0000000000606000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.570943693.0000000000608000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.571506563.0000000000609000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2016345&key=1cb93d6dec2bc745d06457ef77da4779safe_see?~:
          Source: A024.exe, 00000011.00000003.589560082.0000000000607000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.594896934.000000000060D000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.594939303.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.589735478.0000000000615000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2016829&key=3a7045f6ec37d43997a6260b6182f08e
          Source: A024.exe, 00000011.00000003.591381087.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.588363720.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.593992131.00000000005C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2016829&key=3a7045f6ec37d43997a6260b6182f08e85-A1ED-B2838757AE1B
          Source: A024.exe, 00000011.00000003.587651978.000000000060A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2016829&key=3a7045f6ec37d43997a6260b6182f08e_see?~:
          Source: A024.exe, 00000011.00000003.587651978.000000000060A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2016829&key=3a7045f6ec37d43997a6260b6182f08eal
          Source: A024.exe, 00000011.00000003.587651978.000000000060A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2016829&key=3a7045f6ec37d43997a6260b6182f08enal
          Source: A024.exe, 00000011.00000003.598496754.0000000000605000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.597481454.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.598830142.00000000005A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2016991&key=d06a0819802fb9b8bfa3f83cec712889
          Source: A024.exe, 00000011.00000003.599358977.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.609649183.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.605981971.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.602536365.00000000005BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2016991&key=d06a0819802fb9b8bfa3f83cec71288985-A1ED-B2838757AE1B
          Source: A024.exe, 00000011.00000003.598496754.0000000000605000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.597481454.00000000005FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2016991&key=d06a0819802fb9b8bfa3f83cec712889al
          Source: A024.exe, 00000011.00000003.598496754.0000000000605000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.597481454.00000000005FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2016991&key=d06a0819802fb9b8bfa3f83cec712889nal
          Source: A024.exe, 00000011.00000003.598496754.0000000000605000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.597481454.00000000005FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2016991&key=d06a0819802fb9b8bfa3f83cec712889nalU~
          Source: A024.exe, 00000011.00000003.622282517.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.613334781.000000000060D000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.622558054.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.622537055.000000000060B000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.613761354.000000000060D000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.612951482.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.621642097.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.615628201.00000000005BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2017297&key=50a768fcc44c2ec36a174f09d26cbb12
          Source: A024.exe, 00000011.00000003.613334781.000000000060D000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.612508450.000000000060D000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.613761354.000000000060D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2017297&key=50a768fcc44c2ec36a174f09d26cbb12nal
          Source: A024.exe, 00000011.00000003.625014209.0000000000604000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2017683&key=2ae600ecd082beb1eedd2a00077025c0
          Source: A024.exe, 00000011.00000003.625297785.00000000005BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2017683&key=2ae600ecd082beb1eedd2a00077025c085-A1ED-B2838757AE1B
          Source: A024.exe, 00000011.00000003.627283501.00000000005FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2017683&key=2ae600ecd082beb1eedd2a00077025c0961782216
          Source: A024.exe, 00000011.00000003.704521200.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.667878458.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.685584153.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.660801597.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.715848614.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.722927599.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.635485775.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.678649642.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.643595978.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.673144821.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.649938670.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.662725732.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.632680017.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.630275020.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.701495973.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.639684625.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.651676419.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.633527727.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.723828395.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.719104693.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 
00000011.00000003.687471126.0000000000615000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2017807&key=656ed5c4260156c137520047500fcb5a
          Source: A024.exe, 00000011.00000003.630275020.00000000005FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2017807&key=656ed5c4260156c137520047500fcb5anal2~7
          Source: A024.exe, 00000011.00000003.650371810.0000000000605000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.649505481.0000000000602000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.641826184.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.650989626.00000000005E9000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.643110136.0000000000605000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.652530312.00000000005E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2018035&key=6fe006e1a6ee76909784c1c112d40fa7
          Source: A024.exe, 00000011.00000003.643638138.00000000005CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2018035&key=6fe006e1a6ee76909784c1c112d40fa785-A1ED-B2838757AE1B
          Source: A024.exe, 00000011.00000003.650371810.0000000000605000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.649505481.0000000000602000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.641826184.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.643110136.0000000000605000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2018035&key=6fe006e1a6ee76909784c1c112d40fa7961782216
          Source: A024.exe, 00000011.00000003.650371810.0000000000605000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.651580919.0000000000608000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.649505481.0000000000602000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.641826184.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.643110136.0000000000605000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2018035&key=6fe006e1a6ee76909784c1c112d40fa7=
          Source: A024.exe, 00000011.00000003.663381798.00000000005E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2018303&key=1193b4e4de5655538ccc58c723ed2ff8
          Source: A024.exe, 00000011.00000003.660658555.0000000000607000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2018303&key=1193b4e4de5655538ccc58c723ed2ff8961782216
          Source: A024.exe, 00000011.00000003.660658555.0000000000607000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2018303&key=1193b4e4de5655538ccc58c723ed2ff8_see?~:
          Source: A024.exe, 00000011.00000003.662594874.0000000000607000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2018303&key=1193b4e4de5655538ccc58c723ed2ff8al2~7
          Source: A024.exe, 00000011.00000003.660658555.0000000000607000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2018303&key=1193b4e4de5655538ccc58c723ed2ff8lU~
          Source: A024.exe, 00000011.00000003.671761218.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.666899275.0000000000607000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2018477&key=54f4c00d5b523edeb0b1a231aabf7866
          Source: A024.exe, 00000011.00000003.727725399.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.748899296.00000000005D8000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.720945359.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.716149610.000000000063C000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.702826706.000000000063C000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.730565018.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.719463404.000000000063C000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.723724601.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.712109883.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.707156985.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.719569853.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.704285105.0000000000607000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.692188238.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.692141628.000000000063C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2018981&key=44df1fe76965627ca5f86e0117faa672
          Source: A024.exe, 00000011.00000003.704285105.0000000000607000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.692188238.00000000005FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2018981&key=44df1fe76965627ca5f86e0117faa672_see?~:
          Source: A024.exe, 00000011.00000003.692188238.00000000005FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2018981&key=44df1fe76965627ca5f86e0117faa672l(~
          Source: A024.exe, 00000011.00000003.704285105.0000000000607000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2018981&key=44df1fe76965627ca5f86e0117faa672nal961782216
          Source: A024.exe, 00000011.00000003.728847971.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.745415146.00000000005A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2019659&key=1247ed064225139f8d54ea20b7f4308d
          Source: A024.exe, 00000011.00000003.728175494.00000000005FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2019659&key=1247ed064225139f8d54ea20b7f4308dl2~7
          Source: A024.exe, 00000011.00000003.728175494.00000000005FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2019659&key=1247ed064225139f8d54ea20b7f4308dnal
          Source: A024.exe, 00000011.00000003.808584855.0000000000607000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2021009&key=fed594bb4f69b903f7a0afd5144b280a
          Source: A024.exe, 00000011.00000003.808584855.0000000000607000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.836509333.0000000000605000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2021009&key=fed594bb4f69b903f7a0afd5144b280aal
          Source: A024.exe, 00000011.00000003.857712036.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.861375673.000000000060A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2022081&key=732a544087b3e9ff829e7663084700c0
          Source: A024.exe, 00000011.00000003.865979392.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.867253468.000000000060F000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.857712036.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.861375673.000000000060A000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.866853290.000000000060C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2022081&key=732a544087b3e9ff829e7663084700c09-90CE-806E6F6E6963
          Source: A024.exe, 00000011.00000003.857712036.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.861375673.000000000060A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2022081&key=732a544087b3e9ff829e7663084700c0_see?~:
          Source: A024.exe, 00000011.00000003.857712036.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.861375673.000000000060A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2022081&key=732a544087b3e9ff829e7663084700c0al961782216
          Source: A024.exe, 00000011.00000003.861375673.000000000060A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2022081&key=732a544087b3e9ff829e7663084700c0l
          Source: A024.exe, 00000011.00000003.876584578.000000000060D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2022523&key=489967a14be7e798a418ec88203e5295
          Source: A024.exe, 00000011.00000003.876584578.000000000060D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2022523&key=489967a14be7e798a418ec88203e5295961782216
          Source: A024.exe, 00000011.00000003.874060381.00000000005D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2022523&key=489967a14be7e798a418ec88203e5295XQ
          Source: A024.exe, 00000011.00000003.885741788.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.889359323.00000000005D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2022763&key=3ecacc048d1ccf52ee18d6088a38deba9-90CE-806E6F6E6963
          Source: A024.exe, 00000011.00000003.886216752.00000000005FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2022763&key=3ecacc048d1ccf52ee18d6088a38deba_see?~:
          Source: A024.exe, 00000011.00000003.886216752.00000000005FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2022763&key=3ecacc048d1ccf52ee18d6088a38debal
          Source: A024.exe, 00000011.00000003.886216752.00000000005FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2022763&key=3ecacc048d1ccf52ee18d6088a38debanalU~
          Source: A024.exe, 00000011.00000003.895949373.000000000060A000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.902751656.000000000060B000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.906851773.00000000005FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2022899&key=2e1c6e2a11a5fbaa14f06bb550215b6f
          Source: A024.exe, 00000011.00000003.895949373.000000000060A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2022899&key=2e1c6e2a11a5fbaa14f06bb550215b6f961782216
          Source: A024.exe, 00000011.00000003.895949373.000000000060A000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.902751656.000000000060B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2022899&key=2e1c6e2a11a5fbaa14f06bb550215b6fU~
          Source: A024.exe, 00000011.00000003.895949373.000000000060A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2022899&key=2e1c6e2a11a5fbaa14f06bb550215b6fl2~7
          Source: A024.exe, 00000011.00000003.895949373.000000000060A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2022899&key=2e1c6e2a11a5fbaa14f06bb550215b6fnal
          Source: A024.exe, 00000011.00000003.921541921.000000000060D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2023623&key=9dd0f4a37d9727289100679ff4679313
          Source: A024.exe, 00000011.00000003.923816270.000000000063A000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.925921836.000000000063A000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.919462666.0000000000639000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hhiuew33.com/check/?sid=2023623&key=9dd0f4a37d9727289100679ff46793139-90CE-806E6F6E6963
          Source: A024.exe, 00000011.00000003.921541921.000000000060D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hhiuew33.com/check/?sid=2023623&key=9dd0f4a37d9727289100679ff4679313_see?~:
          Source: A024.exe, 00000011.00000003.923445203.000000000060D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hhiuew33.com/check/?sid=2023623&key=9dd0f4a37d9727289100679ff4679313l(~
          Source: A024.exe, 00000011.00000003.587954388.00000000005A8000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.524886511.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.608953979.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.917555901.000000000063A000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.508626394.00000000005AA000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.919462666.0000000000639000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.627283501.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.845942642.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.507033348.00000000005BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hhiuew33.com/check/safe
          Source: A024.exe, 00000011.00000003.506991069.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.508315763.00000000005A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hhiuew33.com/check/safe&
          Source: A024.exe, 00000011.00000003.531837026.0000000000627000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.532518816.0000000000627000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.534285456.0000000000615000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hhiuew33.com/check/safeEKYn49oSDm
          Source: A024.exe, 00000011.00000003.544493765.0000000000628000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.544055476.0000000000627000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hhiuew33.com/check/safeG
          Source: A024.exe, 00000011.00000003.518868120.000000000060E000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.520923982.000000000060E000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.523403934.0000000000607000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hhiuew33.com/check/safeGMkM9e
          Source: A024.exe, 00000011.00000003.527158732.0000000000606000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.517537044.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.615057053.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.612816385.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.608953979.00000000005A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hhiuew33.com/check/safeP
          Source: A024.exe, 00000011.00000003.622282517.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.612951482.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.615628201.00000000005BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hhiuew33.com/check/safea
          Source: A024.exe, 00000011.00000003.728847971.00000000005A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hhiuew33.com/check/safee
          Source: A024.exe, 00000011.00000003.507033348.00000000005BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hhiuew33.com/check/safele
          Source: A024.exe, 00000011.00000003.508375288.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.507033348.00000000005BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hhiuew33.com/check/safeown
          Source: A024.exe, 00000011.00000003.581737900.0000000002733000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hhiuew33.coww.hhiuew33.com/
          Source: A024.exe, 00000011.00000003.581709317.0000000002730000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hhiuew33.coww.hhiuew33.com/check/?sid=2016345&key=1cb93d6dec2bc745d06457ef77da4779
          Source: 87B9.exe, 0000000F.00000000.488104570.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html
          Source: 87B9.exe, 0000000F.00000002.505580671.00000000007E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.2ip.ua/
          Source: 87B9.exe, 87B9.exe, 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000002.505696844.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000000.490507253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000002.503363757.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000000.488104570.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.2ip.ua/geo.json
          Source: 87B9.exe, 0000000F.00000002.505793782.0000000000813000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.2ip.ua/geo.jsond
          Source: 87B9.exe, 0000000F.00000002.505793782.0000000000813000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.2ip.ua/geo.jsont
          Source: 87B9.exe, 0000000F.00000002.505580671.00000000007E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.2ip.ua/j
          Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://blockchain.infoindex
          Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://blockstream.info/apihttps://sofolisk.com/api/loginvalid
          Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)gentraceback
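The hhiuew33.com and api.2ip.ua rows above are two or three endpoints repeated a dozen times, because strings carved from heap and stack dumps carry whatever bytes followed them ("/check/safeEKYn49oSDm", "geo.jsond") or are cut short ("/j"). The script below is an added example, not part of the Joe Sandbox report or its tooling: it carves the URLs out of rows like these, trims the `key` parameter to its 32-hex-character prefix (an assumption drawn from the three key values shown, which all look like MD5 hashes), and folds "clean URL plus trailing junk" variants onto the clean URL so the list can go straight into a blocklist. The excerpt it runs on is constructed from the rows above with the long dump names shortened.

```python
"""Fold URL strings carved from process memory into a clean IOC list.

Added example; it is not part of the Joe Sandbox report. Strings pulled from
heap and stack dumps are frequently followed by leftover bytes
("/check/safeEKYn49oSDm") or cut short ("https://api.2ip.ua/j"), so the same
endpoint shows up many times. This carves the URLs, trims a 'key' parameter to
its 32-hex-char prefix (assumption: MD5-style token, as every key value in the
report is 32 hex chars) and folds "clean URL + trailing junk" onto the clean URL.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

URL_RE = re.compile(r"""https?://[A-Za-z0-9.\-]+(?:/[^\s"'<>]*)?""")
HEX32_RE = re.compile(r"^[0-9a-fA-F]{32}")

# Constructed excerpt: "String found in binary or memory" rows from the report
# above, with the memory-dump source names shortened.
REPORT_EXCERPT = """\
Source: A024.exe, 00000011.00000003...sdmp String found in binary or memory: http://www.hhiuew33.com/check/?sid=2023623&key=9dd0f4a37d9727289100679ff4679313_see?~:
Source: A024.exe, 00000011.00000003...sdmp String found in binary or memory: http://www.hhiuew33.com/check/?sid=2023623&key=9dd0f4a37d9727289100679ff4679313l(~
Source: A024.exe, 00000011.00000003...sdmp String found in binary or memory: http://www.hhiuew33.com/check/safe
Source: A024.exe, 00000011.00000003...sdmp String found in binary or memory: http://www.hhiuew33.com/check/safe&
Source: A024.exe, 00000011.00000003...sdmp String found in binary or memory: http://www.hhiuew33.com/check/safeEKYn49oSDm
Source: A024.exe, 00000011.00000003...sdmp String found in binary or memory: http://www.hhiuew33.coww.hhiuew33.com/check/?sid=2016345&key=1cb93d6dec2bc745d06457ef77da4779
Source: 87B9.exe, 0000000F.00000002...sdmp String found in binary or memory: https://api.2ip.ua/
Source: 87B9.exe, 0000000F.00000002...sdmp String found in binary or memory: https://api.2ip.ua/geo.json
Source: 87B9.exe, 0000000F.00000002...sdmp String found in binary or memory: https://api.2ip.ua/geo.jsond
Source: 87B9.exe, 0000000F.00000002...sdmp String found in binary or memory: https://api.2ip.ua/j
"""


def extract_urls(text):
    """Carve every http(s) URL out of free text, in order of appearance."""
    return URL_RE.findall(text)


def normalize_query(url):
    """Trim a 'key' query value to its 32-hex prefix so heap bytes glued to the
    end of the string ("...f4679313_see?~:") do not turn into a new IOC."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    fixed = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == "key":
            m = HEX32_RE.match(value)
            if m:
                value = m.group(0)
        fixed.append((name, value))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(fixed), ""))


def collapse(urls):
    """Fold "clean URL + trailing garbage" strings onto the clean URL.

    B folds onto A when A is a strict prefix of B, A's path does not end in '/'
    (a bare directory must not swallow every file under it) and the extra bytes
    contain neither '/' nor '?' (either would make B a genuinely new endpoint).
    Truncated strings ("https://api.2ip.ua/j") cannot be repaired and stay as
    they are. Returns {canonical_url: sorted raw strings that produced it}.
    """
    groups = defaultdict(set)
    kept = []  # canonical URLs, shortest first
    for raw in sorted(set(urls), key=lambda u: (len(u), u)):
        url = normalize_query(raw)
        base = next((k for k in kept
                     if url.startswith(k) and len(url) > len(k)
                     and not k.endswith("/")
                     and not any(c in "/?" for c in url[len(k):])), None)
        if base is None:
            if url not in kept:
                kept.append(url)
            base = url
        groups[base].add(raw)
    return {k: sorted(v) for k, v in groups.items()}


def ioc_summary(report_text):
    """Carve URLs from report text and return the folded IOC groups."""
    return collapse(extract_urls(report_text))


if __name__ == "__main__":
    for canon, raws in sorted(ioc_summary(REPORT_EXCERPT).items()):
        print(f"{canon}  <- {len(raws)} raw string(s)")
```

The doubled host `www.hhiuew33.coww.hhiuew33.com` survives as its own entry because it is a different host string; it most likely comes from two copies of the URL overlapping in one buffer, so treat it as something to verify against the packet capture rather than as a second C2 domain.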

          Key, Mouse, Clipboard, Microphone and Screen Capturing

          Source: Yara match | File source: 26.2.D86C.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 26.3.D86C.exe.b10000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 39.3.C39A.exe.940000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 26.2.D86C.exe.b00e67.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 39.2.C39A.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 39.2.C39A.exe.930e67.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000001A.00000003.526622172.0000000000B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000027.00000002.601597228.00000000009F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001A.00000002.544780175.0000000000B10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.441430475.0000000002491000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000027.00000002.601073617.0000000000940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.387173781.00000000009E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000000.367270038.0000000004611000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.387108841.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.441371767.0000000002470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000027.00000003.584704076.0000000000940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001A.00000002.545012487.0000000000B31000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: file.exe, 00000000.00000002.387321713.0000000000C18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          Spam, unwanted Advertisements and Ransom Demands

          Source: Yara match | File source: 15.0.87B9.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.0.87B9.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 14.2.87B9.exe.26f15a0.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.0.87B9.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.0.87B9.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.0.87B9.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.0.87B9.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.0.87B9.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.0.87B9.exe.400000.10.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.2.87B9.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 14.2.87B9.exe.26f15a0.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.0.87B9.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.0.87B9.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.0.87B9.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.2.87B9.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.0.87B9.exe.400000.10.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000F.00000000.490507253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.503363757.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000000.490001086.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000000.492226078.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000000.491102942.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000000.488104570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: 87B9.exe PID: 5612, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: 87B9.exe PID: 4652, type: MEMORYSTR

          System Summary

          Source: 31.2.rundll32.exe.4d00000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Fabookie / ElysiumStealer Author: ditekSHen
          Source: 31.2.rundll32.exe.4d00000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka Author: ditekSHen
          Source: 31.2.rundll32.exe.4d00000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a Author: unknown
          Source: 15.0.87B9.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 15.0.87B9.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 15.0.87B9.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 15.0.87B9.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 15.0.87B9.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 14.2.87B9.exe.26f15a0.1.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 14.2.87B9.exe.26f15a0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 15.0.87B9.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 15.0.87B9.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 15.0.87B9.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 15.0.87B9.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 15.0.87B9.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 15.0.87B9.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 15.0.87B9.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 15.0.87B9.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 15.0.87B9.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 15.0.87B9.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 15.0.87B9.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 15.0.87B9.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 15.2.87B9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 15.2.87B9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 14.2.87B9.exe.26f15a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 14.2.87B9.exe.26f15a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 15.0.87B9.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 15.0.87B9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 15.0.87B9.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 15.0.87B9.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 36.0.svchost.exe.2f31bfb0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka Author: ditekSHen
          Source: 36.0.svchost.exe.2f31bfb0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a Author: unknown
          Source: 15.0.87B9.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 15.0.87B9.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 15.0.87B9.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 15.0.87B9.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 15.0.87B9.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 15.2.87B9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 15.2.87B9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 15.0.87B9.exe.400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 15.0.87B9.exe.400000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 15.0.87B9.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 43.0.svchost.exe.156b6b50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka Author: ditekSHen
          Source: 43.0.svchost.exe.156b6b50000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a Author: unknown
          Source: 36.0.svchost.exe.2f31bfb0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka Author: ditekSHen
          Source: 36.0.svchost.exe.2f31bfb0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a Author: unknown
          Source: 43.0.svchost.exe.156b6b50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Chebka Author: ditekSHen
          Source: 43.0.svchost.exe.156b6b50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Generic_a681f24a Author: unknown
          Source: 0000000F.00000000.485672401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 00000027.00000002.601597228.00000000009F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
          Source: 0000001B.00000002.739912367.0000000002BF5000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 0000002B.00000003.595564014.00000156B6AE0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a Author: unknown
          Source: 0000001A.00000002.544780175.0000000000B10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
          Source: 0000000F.00000000.490507253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 0000000F.00000000.490507253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 0000000F.00000002.503363757.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 0000000F.00000002.503363757.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 00000027.00000002.601012575.0000000000930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
          Source: 00000000.00000002.387378506.0000000000C29000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 00000007.00000002.441430475.0000000002491000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
          Source: 0000001A.00000002.544740114.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
          Source: 0000000F.00000000.490001086.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 0000000F.00000000.490001086.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 0000001F.00000002.652754688.0000000004D44000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a Author: unknown
          Source: 00000024.00000003.573535906.000002F31BF40000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a Author: unknown
          Source: 00000027.00000002.601073617.0000000000940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
          Source: 0000000F.00000000.492226078.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 0000000F.00000000.492226078.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 00000000.00000002.387173781.00000000009E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
          Source: 00000001.00000000.367270038.0000000004611000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
          Source: 00000000.00000002.387108841.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
          Source: 00000007.00000002.441371767.0000000002470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
          Source: 00000007.00000002.440994734.00000000009C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
          Source: 00000027.00000002.602802862.0000000000A29000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 0000000F.00000000.491102942.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 0000000F.00000000.491102942.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 00000000.00000002.387065611.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
          Source: 0000001A.00000002.545414239.0000000000B89000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 0000000F.00000000.488104570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects STOP ransomware Author: ditekSHen
          Source: 0000000F.00000000.488104570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 00000007.00000002.441147746.00000000009E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 0000001F.00000002.643002638.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Fabookie / ElysiumStealer Author: ditekSHen
          Source: 0000001F.00000002.643002638.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a Author: unknown
          Source: 0000001A.00000002.545012487.0000000000B31000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
          Source: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: 0000000E.00000002.494725828.0000000002545000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 0000002B.00000000.600713527.00000156B6B50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Chebka Author: ditekSHen
          Source: 0000002B.00000000.600713527.00000156B6B50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a Author: unknown
          Source: 00000024.00000000.584962257.000002F31BFB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Chebka Author: ditekSHen
          Source: 00000024.00000000.584962257.000002F31BFB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Generic_a681f24a Author: unknown
          Source: 0000001B.00000002.865037113.0000000002FE0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
          Source: Process Memory Space: 87B9.exe PID: 5612, type: MEMORYSTR | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Process Memory Space: 87B9.exe PID: 4652, type: MEMORYSTR | Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
          Source: Yara match | File source: 31.2.rundll32.exe.4d00000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 36.0.svchost.exe.2f31bfb0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 43.0.svchost.exe.156b6b50000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 36.0.svchost.exe.2f31bfb0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 43.0.svchost.exe.156b6b50000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000002B.00000003.595564014.00000156B6AE0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001F.00000002.652754688.0000000004D44000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000024.00000003.573535906.000002F31BF40000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001F.00000002.643002638.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000002B.00000000.600713527.00000156B6B50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000024.00000000.584962257.000002F31BFB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2200, type: MEMORYSTR
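The Yara rows in this section and in the two sections before it identify their target in three different ways: unpacked-PE rows spell out the process index and image name (`15.0.87B9.exe.400000.9.unpack`), memory-dump rows give only the process index as eight hex digits (`0000000F` is process 15, the same 87B9.exe), and the "String found" rows pair an image name with that hex index (`E9D3.exe, 0000001B...`). Joining them is what turns the list into a per-process verdict: the STOP rules land on 87B9.exe, the SmokeLoader rules on file.exe, erhuush, D86C.exe and C39A.exe, the Chebka/Fabookie rules on the rundll32.exe and svchost.exe hosts. The script below is an added example, not part of the report or of Joe Sandbox: it learns the index-to-name map from the rows that state both and attributes every rule match to a process. Only the index and image-name fields are decoded; the other dump-name fields are left alone, and reading the second field as a dump phase is an assumption.

```python
"""Attribute Joe Sandbox Yara hits to the process they were found in.

Added example; not part of the report. Unpacked-PE rows carry
"<process index>.<phase>.<image>.<base>.<n>[.raw].unpack", memory-dump rows
carry the process index as eight hex digits ("0000000F....sdmp"), and
"String found" rows pair an image name with that hex index. This joins the
three so every rule match can be listed per process. Fields other than the
index and image name are not decoded; "phase" for the second field is an
assumption based on the 0/2/3 values seen in the report.
"""
import re
from collections import defaultdict

# Constructed excerpt of rows from the report above. "[ ]*" before
# "Matched rule" lets the regex accept the fused form ("UNPACKEDPEMatched")
# that the extracted page shows as well as the spaced one.
REPORT_ROWS = """\
Source: 31.2.rundll32.exe.4d00000.0.unpack, type: UNPACKEDPE Matched rule: Detects Fabookie / ElysiumStealer Author: ditekSHen
Source: 15.0.87B9.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 15.0.87B9.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 36.0.svchost.exe.2f31bfb0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Chebka Author: ditekSHen
Source: Yara match File source: 39.2.C39A.exe.400000.0.unpack, type: UNPACKEDPE
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://blockstream.info/api
Source: 0000000F.00000000.485672401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000027.00000002.601597228.00000000009F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000001B.00000002.739912367.0000000002BF5000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000002B.00000003.595564014.00000156B6AE0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Generic_a681f24a Author: unknown
Source: Process Memory Space: 87B9.exe PID: 5612, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
"""

ROW_RE = re.compile(r"^Source: (.+?), type: (\w+)[ ]*Matched rule: (.+?)\s+Author: (.+)$", re.M)
UNPACK_RE = re.compile(r"\b(\d+)\.\d+\.([\w-]+\.(?:exe|dll))\.[0-9a-fA-F]+\.\d+(?:\.raw)?\.unpack")
STRING_RE = re.compile(r"\b([\w-]+\.exe), ([0-9A-F]{8})\.\d{8}\.")
DUMP_RE = re.compile(r"^([0-9A-F]{8})\.\d{8}\.")
PMS_RE = re.compile(r"^Process Memory Space: (\S+) PID: (\d+)$")


def learn_process_names(text):
    """Map process index -> image name from every row that states both."""
    names = {}
    for m in UNPACK_RE.finditer(text):          # "15.0.87B9.exe..." (decimal index)
        names.setdefault(int(m.group(1)), m.group(2))
    for m in STRING_RE.finditer(text):          # "E9D3.exe, 0000001B..." (hex index)
        names.setdefault(int(m.group(2), 16), m.group(1))
    return names


def attribute(text):
    """Return {(process index or None, image name): sorted rule names}."""
    names = learn_process_names(text)
    hits = defaultdict(set)
    for m in ROW_RE.finditer(text):
        src, kind, rule = m.group(1), m.group(2), m.group(3)
        if kind == "UNPACKEDPE":
            u = UNPACK_RE.match(src)
            if not u:
                continue
            key = (int(u.group(1)), u.group(2))
        elif kind == "MEMORY":
            d = DUMP_RE.match(src)
            if not d:
                continue
            idx = int(d.group(1), 16)
            key = (idx, names.get(idx, "<unknown image>"))
        elif kind == "MEMORYSTR":
            p = PMS_RE.match(src)
            if not p:
                continue
            key = (None, p.group(1))            # only a PID is given, no index
        else:
            continue
        hits[key].add(rule)
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == "__main__":
    for (idx, image), rules in sorted(attribute(REPORT_ROWS).items(), key=lambda kv: (kv[0][0] is None, kv[0])):
        print(f"process {idx if idx is not None else '?'} ({image}): {', '.join(rules)}")
```

Indices that no row names (0000002B in the excerpt, 43 in the full report, which the `43.0.svchost.exe` rows above resolve) come out as `<unknown image>`; feed the whole report text rather than a slice and the gap closes. The MEMORYSTR rows carry a PID instead of an index, and the report gives no PID-to-index table, so they stay keyed by name only.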
          Source: A024.exe.1.dr | Static PE information: .vmp0 and .vmp1 section names
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041B4F0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00412EF0
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041A710
          Source: C:\Users\user\AppData\Roaming\erhuush | Code function: 7_2_0041B4F0
          Source: C:\Users\user\AppData\Roaming\erhuush | Code function: 7_2_00412EF0
          Source: C:\Users\user\AppData\Roaming\erhuush | Code function: 7_2_0041A710
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 13_2_05082B6C
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 13_2_05081000
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 13_2_05081EC0
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 13_2_05082510
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 13_2_05083354
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 13_2_050849E0
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 13_2_05083778
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 13_2_05082B71
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 13_2_05154418
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 13_2_05151000
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 13_2_05151F20
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 13_2_051539A0
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 13_2_051519DD
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 13_2_05152AC0
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 13_2_05151C00
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 13_2_05152440
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 13_2_051528B0
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 13_2_051515A0
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_0041A5C0
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_026FCA10
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_02700B00
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_026FDBE0
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_026FB000
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_026F30EE
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_027000D0
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_027118D0
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_026FB0B0
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_0271F9B0
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_0271E9A3
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_026FE6E0
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_026FC760
          Source: file.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: file.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: file.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: file.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: D86C.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: D86C.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: D86C.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: D86C.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: E9D3.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: E9D3.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: E9D3.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: E9D3.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: ACE4.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: ACE4.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: ACE4.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C39A.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C39A.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C39A.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C39A.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 254.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 254.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 254.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 254.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 4A99.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 4A99.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 4A99.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 4A99.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 519F.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 519F.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 519F.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 519F.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 87B9.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 87B9.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 87B9.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 87B9.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C05F.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C05F.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C05F.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: bchuush.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: bchuush.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: bchuush.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: bchuush.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: erhuush.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: erhuush.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: erhuush.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: erhuush.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C:\Windows\explorer.exe Section loaded: windows.globalization.dll
          Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll
          Source: C:\Windows\explorer.exe Section loaded: ndfapi.dll
          Source: C:\Windows\explorer.exe Section loaded: wdi.dll
          Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
          Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
          Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\4A99.exe 8A859913B508241B9C2843BD988A5DC64795EE59C553013663D9B9D5C58589D8
          Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\87B9.exe 2FC9C8FFBA226D56755019591DE180CF29000B797350C7291AA8DC447A9A1BBB
          Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 31.2.rundll32.exe.4d00000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
          Source: 31.2.rundll32.exe.4d00000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Fabookie author = ditekSHen, description = Detects Fabookie / ElysiumStealer
          Source: 31.2.rundll32.exe.4d00000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
          Source: 31.2.rundll32.exe.4d00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
          Source: 15.0.87B9.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 15.0.87B9.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 15.0.87B9.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 15.0.87B9.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 15.0.87B9.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 15.0.87B9.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 15.0.87B9.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 14.2.87B9.exe.26f15a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 14.2.87B9.exe.26f15a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 14.2.87B9.exe.26f15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 15.0.87B9.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 15.0.87B9.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 15.0.87B9.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 15.0.87B9.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 15.0.87B9.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 15.0.87B9.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 15.0.87B9.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 15.0.87B9.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 15.0.87B9.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 15.0.87B9.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 15.0.87B9.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 15.0.87B9.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 15.0.87B9.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 15.0.87B9.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 15.0.87B9.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 15.0.87B9.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 15.0.87B9.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 15.0.87B9.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 15.2.87B9.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 15.2.87B9.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 15.2.87B9.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 14.2.87B9.exe.26f15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 14.2.87B9.exe.26f15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 14.2.87B9.exe.26f15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 15.0.87B9.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 27.2.E9D3.exe.9dab40.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
          Source: 27.2.E9D3.exe.9d86a0.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
          Source: 27.2.E9D3.exe.9d2d00.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
          Source: 27.3.E9D3.exe.3e36ca0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
          Source: 15.0.87B9.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 27.3.E9D3.exe.3e31300.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
          Source: 15.0.87B9.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 15.0.87B9.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 15.0.87B9.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 36.0.svchost.exe.2f31bfb0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
          Source: 36.0.svchost.exe.2f31bfb0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
          Source: 36.0.svchost.exe.2f31bfb0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
          Source: 15.0.87B9.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 15.0.87B9.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 15.0.87B9.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 15.0.87B9.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 15.0.87B9.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 15.0.87B9.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 15.0.87B9.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 15.2.87B9.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 15.2.87B9.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 15.2.87B9.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 27.3.E9D3.exe.3e39140.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09
          Source: 15.0.87B9.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 15.0.87B9.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 15.0.87B9.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 15.0.87B9.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 43.0.svchost.exe.156b6b50000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
          Source: 43.0.svchost.exe.156b6b50000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
          Source: 43.0.svchost.exe.156b6b50000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
          Source: 36.0.svchost.exe.2f31bfb0000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
          Source: 36.0.svchost.exe.2f31bfb0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
          Source: 36.0.svchost.exe.2f31bfb0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
          Source: 43.0.svchost.exe.156b6b50000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
          Source: 43.0.svchost.exe.156b6b50000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
          Source: 43.0.svchost.exe.156b6b50000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
          Source: 27.3.E9D3.exe.3860000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
          Source: 0000000F.00000000.485672401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 00000027.00000002.601597228.00000000009F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
          Source: 0000001B.00000002.739912367.0000000002BF5000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 0000002B.00000003.595564014.00000156B6AE0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
          Source: 0000002B.00000003.595564014.00000156B6AE0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
          Source: 0000001A.00000002.544780175.0000000000B10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
          Source: 0000000F.00000000.490507253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 0000000F.00000000.490507253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 0000000F.00000000.490507253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 0000000F.00000002.503363757.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 0000000F.00000002.503363757.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 0000000F.00000002.503363757.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 00000027.00000002.601012575.0000000000930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
          Source: 00000000.00000002.387378506.0000000000C29000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 00000007.00000002.441430475.0000000002491000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
          Source: 0000001A.00000002.544740114.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
          Source: 0000000F.00000000.490001086.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 0000000F.00000000.490001086.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 0000000F.00000000.490001086.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 0000001F.00000002.652754688.0000000004D44000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
          Source: 0000001F.00000002.652754688.0000000004D44000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
          Source: 00000024.00000003.573535906.000002F31BF40000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
          Source: 00000024.00000003.573535906.000002F31BF40000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
          Source: 00000027.00000002.601073617.0000000000940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
          Source: 0000000F.00000000.492226078.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 0000000F.00000000.492226078.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 0000000F.00000000.492226078.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 00000000.00000002.387173781.00000000009E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
          Source: 00000001.00000000.367270038.0000000004611000.00000020.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
          Source: 00000000.00000002.387108841.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
          Source: 00000007.00000002.441371767.0000000002470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
          Source: 00000007.00000002.440994734.00000000009C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
          Source: 00000027.00000002.602802862.0000000000A29000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 0000000F.00000000.491102942.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 0000000F.00000000.491102942.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 0000000F.00000000.491102942.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 00000000.00000002.387065611.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
          Source: 0000001A.00000002.545414239.0000000000B89000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), score = , reference = Internal Research
          Source: 0000000F.00000000.488104570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
          Source: 0000000F.00000000.488104570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
          Source: 0000000F.00000000.488104570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 00000007.00000002.441147746.00000000009E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 0000001F.00000002.643002638.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
          Source: 0000001F.00000002.643002638.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Fabookie author = ditekSHen, description = Detects Fabookie / ElysiumStealer
          Source: 0000001F.00000002.643002638.0000000001130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
          Source: 0000001A.00000002.545012487.0000000000B31000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
          Source: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: 0000000E.00000002.494725828.0000000002545000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 0000002B.00000000.600713527.00000156B6B50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
          Source: 0000002B.00000000.600713527.00000156B6B50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
          Source: 0000002B.00000000.600713527.00000156B6B50000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
          Source: 00000024.00000000.584962257.000002F31BFB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
          Source: 00000024.00000000.584962257.000002F31BFB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Chebka author = ditekSHen, description = Detects Chebka
          Source: 00000024.00000000.584962257.000002F31BFB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a681f24a reference_sample = a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 6323ed5b60e728297de19c878cd96b429bfd6d82157b4cf3475f3a3123921ae0, id = a681f24a-7054-4525-bcf8-3ee64a1d8413, last_modified = 2021-08-23
          Source: 0000001B.00000002.865037113.0000000002FE0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
          Source: Process Memory Space: 87B9.exe PID: 5612, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: Process Memory Space: 87B9.exe PID: 4652, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
          Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0040DF50 appears 31 times
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: String function: 02718EC0 appears 38 times
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: String function: 02720160 appears 31 times
          Source: C:\Users\user\AppData\Roaming\erhuush | Code function: String function: 0040DF50 appears 31 times
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004017E3 Sleep,NtTerminateProcess,0_2_004017E3
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402351 NtOpenKey,NtEnumerateKey,NtEnumerateKey,0_2_00402351
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402072 NtQuerySystemInformation,0_2_00402072
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401807 Sleep,NtTerminateProcess,0_2_00401807
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004014DF NtMapViewOfSection,NtMapViewOfSection,NtMapViewOfSection,NtMapViewOfSection,0_2_004014DF
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004017E2 Sleep,NtTerminateProcess,0_2_004017E2
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004017EE Sleep,NtTerminateProcess,0_2_004017EE
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401EFD NtQuerySystemInformation,0_2_00401EFD
          Source: C:\Users\user\AppData\Roaming\erhuush | Code function: 7_2_004017E3 Sleep,NtTerminateProcess,7_2_004017E3
          Source: C:\Users\user\AppData\Roaming\erhuush | Code function: 7_2_00402351 NtOpenKey,NtEnumerateKey,NtEnumerateKey,7_2_00402351
          Source: C:\Users\user\AppData\Roaming\erhuush | Code function: 7_2_00402072 NtQuerySystemInformation,7_2_00402072
          Source: C:\Users\user\AppData\Roaming\erhuush | Code function: 7_2_00401807 Sleep,NtTerminateProcess,7_2_00401807
          Source: C:\Users\user\AppData\Roaming\erhuush | Code function: 7_2_004014DF NtMapViewOfSection,NtMapViewOfSection,NtMapViewOfSection,NtMapViewOfSection,7_2_004014DF
          Source: C:\Users\user\AppData\Roaming\erhuush | Code function: 7_2_004017E2 Sleep,NtTerminateProcess,7_2_004017E2
          Source: C:\Users\user\AppData\Roaming\erhuush | Code function: 7_2_004017EE Sleep,NtTerminateProcess,7_2_004017EE
          Source: C:\Users\user\AppData\Roaming\erhuush | Code function: 7_2_00401EFD NtQuerySystemInformation,7_2_00401EFD
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 13_2_05151000 NtCreateThreadEx,13_2_05151000
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_026F0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,14_2_026F0110
          Source: file.exe | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
          Source: D86C.exe.1.dr | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
          Source: E9D3.exe.1.dr | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
          Source: C39A.exe.1.dr | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
          Source: 254.exe.1.dr | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
          Source: 4A99.exe.1.dr | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
          Source: 519F.exe.1.dr | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
          Source: 87B9.exe.1.dr | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
          Source: bchuush.1.dr | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
          Source: erhuush.1.dr | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
          Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\erhuush
          Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@48/21@0/27
          Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
          Source: file.exe | ReversingLabs: Detection: 41%
          Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
          Source: unknown | Process created: C:\Users\user\AppData\Roaming\erhuush C:\Users\user\AppData\Roaming\erhuush
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\70E4.dll
          Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe /s C:\Users\user\AppData\Local\Temp\70E4.dll
          Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\87B9.exe C:\Users\user\AppData\Local\Temp\87B9.exe
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Process created: C:\Users\user\AppData\Local\Temp\87B9.exe C:\Users\user\AppData\Local\Temp\87B9.exe
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
          Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\A024.exe C:\Users\user\AppData\Local\Temp\A024.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\C05F.exe C:\Users\user\AppData\Local\Temp\C05F.exe
          Source: C:\Users\user\AppData\Local\Temp\C05F.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\Temp\C05F.exe | Process created: C:\Users\user\AppData\Local\Temp\C05F.exe "C:\Users\user\AppData\Local\Temp\C05F.exe" -h
          Source: C:\Users\user\AppData\Local\Temp\C05F.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\D86C.exe C:\Users\user\AppData\Local\Temp\D86C.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\E9D3.exe C:\Users\user\AppData\Local\Temp\E9D3.exe
          Source: unknown | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open
          Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open
          Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\ACE4.exe C:\Users\user\AppData\Local\Temp\ACE4.exe
          Source: C:\Users\user\AppData\Local\Temp\ACE4.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
          Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\C39A.exe C:\Users\user\AppData\Local\Temp\C39A.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\70E4.dllJump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\87B9.exe C:\Users\user\AppData\Local\Temp\87B9.exeJump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\A024.exe C:\Users\user\AppData\Local\Temp\A024.exeJump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\C05F.exe C:\Users\user\AppData\Local\Temp\C05F.exeJump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\D86C.exe C:\Users\user\AppData\Local\Temp\D86C.exeJump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\E9D3.exe C:\Users\user\AppData\Local\Temp\E9D3.exeJump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\ACE4.exe C:\Users\user\AppData\Local\Temp\ACE4.exeJump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\C39A.exe C:\Users\user\AppData\Local\Temp\C39A.exeJump to behavior
          Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
          Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
          Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
          Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
          Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
          Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
          Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
          Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
          Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
          Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
          Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe /s C:\Users\user\AppData\Local\Temp\70E4.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\87B9.exeProcess created: C:\Users\user\AppData\Local\Temp\87B9.exe C:\Users\user\AppData\Local\Temp\87B9.exeJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\E9D3.exeProcess created: unknown unknown
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeProcess created: unknown unknown
          Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\C05F.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
          Source: C:\Users\user\AppData\Local\Temp\E9D3.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\70E4.tmpJump to behavior
          Source: A024.exe, 00000011.00000003.579297798.000000000063B000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.575889606.0000000000637000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.589304762.000000000062B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT origin_url,action_url,username_element,username_value,password_element,hex(password_value) password_value,submit_element,signon_realm,date_created,blacklisted_by_user,scheme,password_type,times_used,form_data,display_name,icon_url,federation_url,skip_zero_click,generation_upload_status,possible_username_pairs,id,date_last_used,moving_blocked_for FROM logins;
          Source: A024.exe, 00000011.00000003.715444032.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.630107749.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.679902596.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.644269904.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.639278241.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.727725399.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.558335213.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.671761218.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.505928263.00000000005A9000.00000004.00000001.00020000.00000000.sdmp, A024.exe, 00000011.00000003.664303308.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.748899296.00000000005D8000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.720945359.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.702202064.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.865979392.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.523910118.0000000000631000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.924299314.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.649017987.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.628472370.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.728175494.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.925282553.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 
00000011.00000003.612039610.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.912851900.000000000273D000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.917214347.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.721698554.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.634715825.00000000005E9000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.861975918.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.575889606.0000000000637000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.730565018.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.641455008.00000000005E9000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.888609376.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.875583192.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.592140152.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.881509308.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.912820894.000000000273A000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.518341797.000000000060C000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.906851773.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.548196639.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.518053404.0000000000607000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.627164817.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.650989626.00000000005E9000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 
00000011.00000003.723724601.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.712109883.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.638714650.00000000005E9000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.707156985.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.719569853.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.882065466.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.915984441.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.857712036.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.765470643.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.922262527.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.868205325.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.663381798.00000000005E1000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.886216752.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.515135801.00000000005E9000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.764984429.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.510924967.000000000063C000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.534960284.0000000000637000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.719624084.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.793943037.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.652530312.00000000005E1000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 
00000011.00000003.731235866.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.631746103.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.510980177.000000000063D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
          Source: A024.exe, 00000011.00000003.579297798.000000000063B000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.575889606.0000000000637000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.589304762.000000000062B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT origin_url,action_url,username_element,username_value,password_element,hex(password_value) password_value,submit_element,signon_realm,date_created,blacklisted_by_user,scheme,password_type,times_used,form_data,display_name,icon_url,federation_url,skip_zero_click,generation_upload_status,possible_username_pairs,id,date_last_used,moving_blocked_for FROM logins;ty INTEG
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C2D774 CreateToolhelp32Snapshot,Module32First, 0_2_00C2D774
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2220:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4560:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4216:120:WilError_01
          Source: C:\Users\user\Desktop\file.exe Command line argument: msimg32.dll 0_2_00409B11
          Source: C:\Users\user\Desktop\file.exe Command line argument: msimg32.dll 0_2_00409B11
          Source: C:\Users\user\AppData\Roaming\erhuush Command line argument: msimg32.dll 7_2_00409B11
          Source: C:\Users\user\AppData\Roaming\erhuush Command line argument: msimg32.dll 7_2_00409B11
          Source: 87B9.exe String found in binary or memory: set-addPolicy
          Source: 87B9.exe String found in binary or memory: id-cmc-addExtensions
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\AppData\Local\Temp\A024.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\AppData\Local\Temp\A024.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\AppData\Local\Temp\C05F.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\AppData\Local\Temp\C05F.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
          Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 87B9.exe, 87B9.exe, 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000000.490507253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000002.503363757.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000000.488104570.0000000000400000.00000040.00000400.00020000.00000000.sdmp
          Source: Binary string: EfiGuardDxe.pdb7 source: E9D3.exe, 0000001B.00000002.739912367.0000000002BF5000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: C:\hototapeges\jof14 godedoraga vihidi69\puwu.pdb source: 87B9.exe, 0000000E.00000000.477984877.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 87B9.exe, 0000000E.00000002.493613078.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 87B9.exe, 0000000F.00000000.484261191.0000000000401000.00000020.00000001.01000000.00000008.sdmp
          Source: Binary string: symsrv.pdbGCTL source: E9D3.exe, 0000001B.00000003.600314128.0000000004088000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: symsrv.pdb source: E9D3.exe, 0000001B.00000003.600314128.0000000004088000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: C:\verumaxebi\sunaw\gewimovucajaf_hitojubare-hewohazap\kifobiv.pdb source: file.exe, file.exe, 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000000.302664627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, erhuush, erhuush, 00000007.00000000.423450379.0000000000401000.00000020.00000001.01000000.00000006.sdmp, erhuush, 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp
          Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 87B9.exe, 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000000.490507253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000002.503363757.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000000.488104570.0000000000400000.00000040.00000400.00020000.00000000.sdmp
          Source: Binary string: C:\wuzoyobumo\xisiw.pdb source: E9D3.exe, 0000001B.00000000.542959704.0000000000401000.00000020.00000001.01000000.0000000D.sdmp
          Source: Binary string: CC:\hototapeges\jof14 godedoraga vihidi69\puwu.pdb source: 87B9.exe, 0000000E.00000000.477984877.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 87B9.exe, 0000000E.00000002.493613078.0000000000401000.00000020.00000001.01000000.00000008.sdmp, 87B9.exe, 0000000F.00000000.484261191.0000000000401000.00000020.00000001.01000000.00000008.sdmp
          Source: Binary string: NC:\verumaxebi\sunaw\gewimovucajaf_hitojubare-hewohazap\kifobiv.pdb source: file.exe, 00000000.00000000.302664627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, erhuush, 00000007.00000000.423450379.0000000000401000.00000020.00000001.01000000.00000006.sdmp
          Source: Binary string: C:\rad_linuv\poniyoy\vixejuni\kugum.pdb source: D86C.exe, 0000001A.00000000.523009146.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, D86C.exe, 0000001A.00000002.544319484.0000000000409000.00000020.00000001.01000000.0000000C.sdmp

          Data Obfuscation

          Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
          Source: C:\Users\user\AppData\Roaming\erhuush Unpacked PE file: 7.2.erhuush.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
          Source: C:\Users\user\AppData\Local\Temp\D86C.exe Unpacked PE file: 26.2.D86C.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
          Source: C:\Users\user\AppData\Local\Temp\C39A.exe Unpacked PE file: 39.2.C39A.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402847 push ebp; ret 0_2_00402848
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402E56 push eax; ret 0_2_00402EBF
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402E5E push eax; ret 0_2_00402EBF
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402E6A push eax; ret 0_2_00402EBF
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402E70 push eax; ret 0_2_00402EBF
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402E05 push eax; ret 0_2_00402EBF
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402E1F push eax; ret 0_2_00402EBF
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402E88 push eax; ret 0_2_00402EBF
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402E8F push eax; ret 0_2_00402EBF
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402E96 push eax; ret 0_2_00402EBF
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402EA4 push eax; ret 0_2_00402EBF
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401AAC push edi; iretd 0_2_00401AAD
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402DB7 push eax; ret 0_2_00402EBF
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00411C1A push 840F0044h; retf 0000h 0_2_00411C35
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C330D7 push esi; retf 0_2_00C330D8
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C330FD push edx; retf 0_2_00C330FF
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C33098 push edx; ret 0_2_00C330A3
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C33040 push edx; ret 0_2_00C330A3
          Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C2F999 push eax; ret 0_2_00C2F9A1
          Source: C:\Users\user\AppData\Roaming\erhuush Code function: 7_2_00402847 push ebp; ret 7_2_00402848
          Source: C:\Users\user\AppData\Roaming\erhuush Code function: 7_2_00402E56 push eax; ret 7_2_00402EBF
          Source: C:\Users\user\AppData\Roaming\erhuush Code function: 7_2_00402E5E push eax; ret 7_2_00402EBF
          Source: C:\Users\user\AppData\Roaming\erhuush Code function: 7_2_00402E6A push eax; ret 7_2_00402EBF
          Source: C:\Users\user\AppData\Roaming\erhuush Code function: 7_2_00402E70 push eax; ret 7_2_00402EBF
          Source: C:\Users\user\AppData\Roaming\erhuush Code function: 7_2_00402E05 push eax; ret 7_2_00402EBF
          Source: C:\Users\user\AppData\Roaming\erhuush Code function: 7_2_00402E1F push eax; ret 7_2_00402EBF
          Source: C:\Users\user\AppData\Roaming\erhuush Code function: 7_2_00402E88 push eax; ret 7_2_00402EBF
          Source: C:\Users\user\AppData\Roaming\erhuush Code function: 7_2_00402E8F push eax; ret 7_2_00402EBF
          Source: C:\Users\user\AppData\Roaming\erhuush Code function: 7_2_00402E96 push eax; ret 7_2_00402EBF
          Source: C:\Users\user\AppData\Roaming\erhuush Code function: 7_2_00402EA4 push eax; ret 7_2_00402EBF
          Source: C:\Users\user\AppData\Roaming\erhuush Code function: 7_2_00401AAC push edi; iretd 7_2_00401AAD
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe Code function: 14_2_00422760 LoadLibraryA,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer, 14_2_00422760
          Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\70E4.dll
          Source: 964B.exe.1.dr Static PE information: section name: _RDATA
          Source: 964B.exe.1.dr Static PE information: section name: .vmp0
          Source: 964B.exe.1.dr Static PE information: section name: .vmp1
          Source: A024.exe.1.dr Static PE information: section name: _RDATA
          Source: A024.exe.1.dr Static PE information: section name: .vmp0
          Source: A024.exe.1.dr Static PE information: section name: .vmp1
          Source: initial sample Static PE information: section where entry point is pointing to: .vmp1
          Source: 519F.exe.1.dr Static PE information: real checksum: 0x42de80 should be: 0x426efa
          Source: 964B.exe.1.dr Static PE information: real checksum: 0x0 should be: 0x3c92b7
          Source: 70E4.dll.1.dr Static PE information: real checksum: 0x0 should be: 0x18ae51
          Source: E9D3.exe.1.dr Static PE information: real checksum: 0x42de80 should be: 0x426efa
          Source: A024.exe.1.dr Static PE information: real checksum: 0x0 should be: 0x3c92b7
          Source: C05F.exe.1.dr Static PE information: real checksum: 0x2e80e should be: 0x3c696
          Source: ACE4.exe.1.dr Static PE information: real checksum: 0x2e80e should be: 0x3c696

          Persistence and Installation Behavior

          Source: C:\Users\user\AppData\Local\Temp\C05F.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\bchuush
          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\erhuush
          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\254.exe
          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\A024.exe
          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\ACE4.exe
          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\bchuush
          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\87B9.exe
          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\E9D3.exe
          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\C39A.exe
          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\4A99.exe
          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\erhuush
          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\964B.exe
          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\519F.exe
          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D86C.exe
          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\C05F.exe
          Source: C:\Users\user\AppData\Local\Temp\C05F.exe File created: C:\Users\user\AppData\Local\Temp\db.dll
          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\70E4.dll

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\file.exe
          Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\erhuush:Zone.Identifier read attributes | delete
          Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\bchuush:Zone.Identifier read attributes | delete
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\C05F.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\E9D3.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\E9D3.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\ACE4.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETESTING KEYTTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVT_RESERVEDVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEALARM CLOCKAPPLICATIONBAD ADDRESSBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCOMPAIGN_IDCREATED BY CRYPT32.DLLDNSMESSAGE.E2.KEFF.ORGEMBEDDED/%SEXTERNAL IPFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEHTTPS_PROXYI/O TIMEOUTLOCAL ERRORLOST MCACHEMSPANMANUALMETHODARGS(MICROSECONDMILLISECONDMOVE %S: %WMSWSOCK.DLLNEXT SERVERNIL CONTEXTOPERA-PROXYORANNIS.COMOUT OF SYNCPARSE ERRORPROCESS: %SRAW-CONTROLREFLECT.SETRETRY-AFTERRUNTIME: P RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITESTART PROXYTASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION.DLLVERSION=190WININET.DLLWUP_PROCESS (SENSITIVE) [RECOVERED] ALLOCCOUNT FOUND AT *( GCSCANDONE M->GSIGNAL= MINTRIGGER= NDATAROOTS= NSPANROOTS= PAGES/BYTE
          Source: D86C.exe, 0000001A.00000002.545246986.0000000000B7A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ASWHOOK
          Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD ALLOCCOUNTBAD RECORD MACBAD SPAN STATEBAD STACK SIZEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDERROR RESPONSEEXIT STATUS -1FILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGET UPTIME: %WGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDMEMPROFILERATENEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEOBFS4PROXY.EXEOPEN EVENT: %WPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREMOVE APP: %WRUNTIME: BASE=RUNTIME: FULL=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIMEENDPERIODTOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0X509IGNORECN=1XENSERVICE.EXEZERO PARAMETER WITH GC PROG
          Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: TOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0X509IGNORECN=1XENSERVICE.EXEZERO PARAMETER WITH GC PROG
          Source: C:\Users\user\AppData\Local\Temp\A024.exeRDTSC instruction interceptor: First address: 000000014022773B second address: 00000001401C3B0C instructions: 0x00000000 rdtsc 0x00000002 dec esp 0x00000003 arpl dx, bp 0x00000005 jmp 00007FF66CDB3073h 0x0000000a inc ecx 0x0000000b pop ebp 0x0000000c dec ecx 0x0000000d or edi, 4743259Eh 0x00000013 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\A024.exeRDTSC instruction interceptor: First address: 000000014021CEEB second address: 000000014021CEF9 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop edx 0x00000004 inc ecx 0x00000005 rcl bh, cl 0x00000007 rcr al, cl 0x00000009 inc ecx 0x0000000a sal cl, cl 0x0000000c inc ecx 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (reported 6 times)
Source: C:\Users\user\AppData\Roaming\erhuush Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (reported 6 times)
Source: C:\Users\user\AppData\Local\Temp\D86C.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (reported 6 times)
Source: C:\Users\user\AppData\Local\Temp\C39A.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (reported 6 times)
Source: C:\Windows\explorer.exe TID: 4948 Thread sleep time: -65300s >= -30000s
Source: C:\Windows\explorer.exe TID: 5276 Thread sleep time: -50600s >= -30000s
Source: C:\Windows\explorer.exe TID: 5832 Thread sleep time: -51000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1128 Thread sleep time: -42800s >= -30000s
Source: C:\Windows\explorer.exe TID: 5336 Thread sleep time: -40600s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\A024.exe TID: 3004 Thread sleep time: -420000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\A024.exe TID: 5952 Thread sleep time: -420000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\C05F.exe TID: 5484 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5292 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (reported 3 times)
Source: C:\Users\user\AppData\Local\Temp\87B9.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\A024.exe Thread delayed: delay time: 420000
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 662
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 653
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 506
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 533
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 510
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 428
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 404
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 406
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 358
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\254.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4A99.exe
Source: C:\Users\user\AppData\Local\Temp\87B9.exe Code function: 14_2_0254671C rdtsc 14_2_0254671C
Source: C:\Users\user\AppData\Local\Temp\E9D3.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\A024.exe Thread delayed: delay time: 420000
Source: C:\Users\user\AppData\Local\Temp\87B9.exe API call chain: ExitProcess graph end node
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: entersyscallexit status failed to %wfound av: %sgcpacertracegetaddrinfowgot TI tokenguid_machinehost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsmsftedit.dllnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wpointtopointproxyconnectreflect.Copyreleasep: m=remote errorremoving appruntime: f= runtime: gp=s ap traffics hs trafficsetupapi.dllshort buffertraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (default %q) (default %v) MB released
Source: explorer.exe, 00000001.00000000.355092872.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: DSA-SHA1DecemberDefenderDeleteDCDuployanEULA.txtEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneJavaneseKatakanaKayah_LiLIFETIMELinear_ALinear_BLocationLsaCloseMahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYPROGRESSParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmVT_ARRAYVT_BYREFWSAIoctlWinmonFSWmiPrvSE[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnumacceptexaddress bad instcgocheckcs default:dial: %wdnsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp exporterf is nilfinishedfs go1.13.3gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid locationloopbackmac_addrmountvolmsvmmoufno anodeno-cacheno_proxyopPseudoraw-readreadfromrecvfromrunnableruntime.scavengeshutdownstrconv.taskkilltor_modeunixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservyuio.top (forced) blocked= defersc= in use)
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: m=] n=archasn1avx2basebindbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagfailfilefromftpsfuncgziphosthourhttpicmpidleigmpint8jsonkindlinknonenullopenpathpipepop3quitreadsbrkseeksid=smtpsse2sse3tag:tcp4tcp6texttruetypeudp4udp6uintunixuuidvaryvmcixn-- -%s ...
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 100-continue127.0.0.1:%d152587890625762939453125AUTHENTICATEBidi_ControlCIDR addressCONTINUATIONCfgMgr32.dllCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGetUserGeoIDGlobalUnlockGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectServer ErrorSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransitionalTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad flushGenbad g statusbad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegc
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMESSAGE-INTEGRITYMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5QueryWorkingSetExRESERVATION-TOKENReadProcessMemoryRegLoadMUIStringWSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenToo Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDNbad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcpu name is emptycreate window: %wdecryption faileddownloading proxyelectrumx.soon.itembedded/%s32.sysembedded/%s64.sysembedded/EULA.txtentersyscallblockexec format errorexec: not startedexponent overflowfile URL is emptyfractional secondgp.waiting != nilhandshake failureif-modified-sinceillegal parameterimpersonation: %win string literalindex > windowEndinteger too largeinvalid bit size invalid stream IDkey align too biglibwww-perl/5.820locked m0 woke upmark - bad statusmarkBits overflowmissing closing )missing closing ]missing extensionnil resource bodyno data availablenotetsleepg on g0permission deniedpseudo-device: %sread revision: %wreflect.Value.Capreflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of removing watchdogruntime.newosprocruntime: a.base= runtime: b.base= runtime: nameOff runtime: next_gc=runtime: pointer runtime: textOff runtime: typeOff s.callback is nilscanobject n == 0seek at 0x%0x: %wseeker can't seekselect (no cases)stack: frame={sp:start service: %wthread exhaustiontransfer-encodingtruncated headersunknown caller pcvalidate hash: %wwait for GC cyclewine_get_version
Source: explorer.exe, 00000001.00000000.355092872.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseFloatPhoenicianProcessingPulseEventRST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUseBridgesUser-AgentVMSrvc.exeVT_ILLEGALWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Windows 11[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8attr%d=%s casgstatuscmd is nilcomplex128connectiondnsapi.dlldsefix.exedwarf.Attre.keff.orgexitThreadexp mastergetsockoptgoroutine http_proxyimage/jpegimage/webpindicationinvalidptrkeep-alivemSpanInUsenanosecondno resultsnot a boolnot signedowner diedprl_cc.exeres binderres masterresumptionrune <nil>runtime: gschedtracesemacquiresend stateset-cookiesetsockoptsocks bindterminatedtracefree(tracegc()
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wws2_32.dll of size (targetpc= ErrCode=%v a.npages= b.npages= bytes ...
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%d370000390625:31461<-chanAcceptAnswerArabicAugustBUTTONBasic BitBltBrahmiBridgeCANCELCancelCarianChakmaClass(CommonCookieCopticDELETEExpectFltMgrFormatFridayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFVT(%d)WINDIRWinMonWinmon[]byte\??\%s\csrss\ufffd
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Value is nullVirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptyemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflatehttp2client=0if-none-matchimage/svg+xmlinvalid UTF-8invalid base kernel32.dllkey expansionlast-modifiedlevel 3 resetload64 failedmaster secretname is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparsing time powrprof.dllprl_tools.exeread EULA: %wrebooting nowscvg: inuse: service stateset event: %wsigner is nilsocks connectsrmount errorstill in listtimer expiredtrailing datatriggerRatio=unimplementedunsupported: user canceledvalue method virtualpc: %wxadd64 failedxchg64 failed}
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: to unallocated span$WINDIR\watchdog.exe%%!%c(*big.Float=%s)%s\Sysnative\cmd.exe37252902984619140625Arabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCryptAcquireContextWEgyptian_HieroglyphsEnumProcessModulesExFileTimeToSystemTimeGetAcceptExSockaddrsGetAdaptersAddressesGetCurrentDirectoryWGetFileAttributesExWGetModuleFileNameExWGetModuleInformationGetProcessMemoryInfoGetWindowsDirectoryWIDS_Trinary_OperatorInsufficient StorageIsrael Standard TimeJordan Standard TimeMAX_HEADER_LIST_SIZEMalformed JSON errorMediapartners-GoogleMeroitic_HieroglyphsNtSetInformationFileNtUnmapViewOfSectionNtWriteVirtualMemoryOffline Explorer/2.5ProcessIdToSessionIdQueryServiceConfig2WQueryServiceStatusExRegisterEventSourceWRequest URI Too LongRtlInitUnicodeStringSHGetKnownFolderPathSafeArrayDestroyDataSafeArrayGetElemsizeSeek: invalid offsetSeek: invalid whenceSetCurrentDirectoryWSetHandleInformationSetVolumeMountPointWSetupDiOpenDevRegKeyTaipei Standard TimeTerminal_PunctuationTurkey Standard TimeUnprocessable EntityWinmonProcessMonitor[invalid char class]\\.\pipe\VBoxTrayIPCasn1: syntax error: bad defer size classbad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection error: %sconnection timed outcouldn't disable DSEcouldn't get IsAdmincouldn't get serverscouldn't run servicecouldn't set IsAdmincouldn't set serverscouldn't stop PsaSvccouldn't write patchcreate proxy dir: %wcreate text edit: %wdecode siganture: %wdecode signature: %welectrum.bitkoins.nlelectrum.hsmiths.comelectrum.taborsky.czelectrum.villocq.comevent message is nilflag: help requestedfloating point errorforcegc: phase errorgc_trigger underflowget transactions: %wgetadaptersaddressesgo of nil func valuegopark: bad g statusgzip: invalid headerheader line too longhttp2: stream closedinvalid repeat countinvalid request codeis a named type filejson: Unmarshal(nil json: Unmarshal(nil)key has been revokedmSpanList.insertBackmalformed ciphertextmalloc during signalmove GeoIP files: %wmove Tor GeoIP filesno such struct fieldnon-empty swept listnorm: invalid whencenot an integer classnotetsleep not on g0number has no digitsp mcache not flushedpacer: assist ratio=pad length too largepreempt off reason: reflect.Value.SetIntreflect.makeFuncStubrequest file CDN: %wroot\SecurityCenter2runtime: casgstatus runtime: double waitruntime: unknown pc semaRoot rotateRightstun.ipfire.org:3478systemdrive is emptytime: invalid numbertrace: out of memoryunexpected network: unknown address typeunsupported arch: %suser is not an adminvalue is not presentwirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not foundzlib: invalid header gp.gcscanvalid=true
Source: 87B9.exe, 0000000F.00000002.505696844.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.505479395.00000000005BD000.00000004.00000001.00020000.00000000.sdmp, A024.exe, 00000011.00000003.509547209.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.508679972.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.511743264.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.599358977.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.609649183.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.622282517.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.747776894.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.591165080.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.729186181.00000000005BD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.355092872.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
Source: E9D3.exe, 0000001B.00000002.739912367.0000000002BF5000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: 11VBoxSFVT(%d)WINDIRWibx@
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad allocCountbad record MACbad span statebad stack sizebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removederror responseexit status -1file too largefinalizer waitgcstoptheworldget uptime: %wgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedmemprofilerateneed more datanil elem type!no module datano such deviceobfs4proxy.exeopen event: %wparse cert: %wprotocol errorread certs: %wremove app: %wruntime: base=runtime: full=s.allocCount= semaRoot queueserver.versionstack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytimeEndPeriodtoo many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.Pointervirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0x509ignoreCN=1xenservice.exezero parameter with GC prog
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: NonTransitionalNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Value is nullVirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: &gt;&lt;'\'') = ) m=+Inf+inf, n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNewaPINGPOSTQEMUROOTSASTSendStatTempThaiUUIDWEST"%s"\rss\smb\u00
Source: E9D3.exe, 0000001B.00000002.739912367.0000000002BF5000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: \\.\HGFS`
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> any -> booleancharsetchunkedcmd.execonnectconsolecpu: %sderiveddriversexpiresfloat32float64gctracehttp://invalidlog.txtlookup max-agemessagenil keynop -> number panic: refererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwsarecvwsasendwup_verxen: %wxennet6 data=%q etypes goal
Source: explorer.exe, 00000001.00000000.355254062.000000000834F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
Source: explorer.exe, 00000001.00000000.320840062.00000000059F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: underflowunhandledunzip Torunzip: %ww3m/0.5.1websocketxenevtchn} stack=[ MB goal, actual
Source: explorer.exe, 00000001.00000000.355509727.0000000008394000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: E9D3.exe, 0000001B.00000002.739912367.0000000002BF5000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: ewaPINGPOSTQEMUROOTG
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: GetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaICE-CONTROLLINGIdempotency-KeyImpersonateSelfInstall failureIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNonTransitionalNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMESSAGE-INTEGRITYMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5QueryWorkingSetExRESERVATION-TOKENReadProcessMemoryRegLoadMUIStringWSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenToo Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDNbad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcpu name is emptycreate window: %wdecryption faileddownloading proxyelectrumx.soon.itembedded/%s32.sysembedded/%s64.sysembedded/EULA.txtentersyscallblockexec format errorexec: not startedexponent overflowfile URL is emptyfractional secondgp.waiting != nilhandshake failureif-modified-sinceillegal parameterimpersonation: %win string literalindex > windowEndinteger too largeinvalid bit size invalid stream IDkey align too biglibwww-perl/5.820locked m0 woke upmark - bad statusmarkBits overflowmissing closing )missing closing ]missing extensionnil resource bodyno data availablenotetsleepg on g0permission deniedpseudo-device: %sread revision: %wreflect.Value.Capreflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of removing watchdogruntime.newosprocruntime: a.base= runtime: b.base= runtime: nameOff runtime: next_gc=runtime: pointer runtime: textOff runtime: typeOff s.callback is nilscanobject n == 0seek at 0x%0x: %wseeker can't seekselect (no cases)stack: frame={sp:start service: %wthread exhaustiontransfer-encodingtruncated headersunknown caller pcvalidate hash: %wwait for GC cyclewine_get_versionwrong medium type but memory size because dotdotdot to non-Go memory $SYSTEMDRIVE\Users, locked to thread298023223876953125: day out of rangeArab Standard TimeAsset %s not foundCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWCloseServiceHandleCommandLineToArgvWCreateCompatibleDCCreateDispTypeInfoCreateFileMappingWCreateRemoteThreadCreateWellKnownSidCryptUnprotectDataCuba Standard TimeELinks/0.12~pre5-4EnumProcessModulesExpectation FailedFLOW_CONTROL_ERRORFiji Standard TimeGetBestInterfaceExGetComputerNameExWGetCurrentThreadIdGetExitCodeProcessGetFileAttributesWGetModuleBaseNameWGetModuleFileNameWGetModuleHandleExWGetSidSubAuthorityGetUserDefaultLCIDGetVolumePathNameWGo-http-client/1.1Go-http-client/2.0HKEY_LOCAL_MACHINEInternetSetOptionWIran Standard TimeKey path not foundLookupAccountNameWMakeSelfRelativeSDMethod Not AllowedNtSetContextThreadOmsk Standard TimePASSWORD-ALGORITHMPFXImportCertStorePermanent RedirectProxy-AuthenticateQueryServiceStatusRCodeServerFailureRFS specific errorRegional_IndicatorRoAc
          Source: E9D3.exe, 0000001B.00000002.739912367.0000000002BF5000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: hgfsO
          Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: and h_a= h_g= h_t= max= ptr siz= tab= top= u_a= u_g=%s %q%s %s%s*%d%s/%s%s:%d%s=%s&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, ..., fp:-0930.html.jpeg.wasm.webp1.4.2156253.2.250001500025000350004500055000650512560015600278125:***@:path<nil>AdlamAprilAttr(BamumBatakBuhidCall CountDograECDSAErrorFlagsFoundGetDCGreekHTTP/KhmerLatinLimbuLocalLstatMarchNONCENushuOghamOriyaOsageP-224P-256P-384P-521PGDSEREALMRangeRealmRunicSTermTakriTamilTypeAUUID=\u202allowarraybad nchdirclosecsrssfalsefaultfloatgcinggeoiphttpsimap2imap3imapsint16int32int64matchmkdirmonthntohsobfs4panicparsepgdsepop3sproxyrangermdirrouterune sdsetsleepslicesockssse41sse42ssse3text/tls13tls: torrctotaluint8usageuser=utf-8valuevmusbvmx86write (MB)
          Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: acceptactivechan<-closedcookiedirectdomaindwarf.efenceempty exec: expectfamilygeoip6gopherhangupheaderip+netkilledlistenminutenumberobjectpopcntreadatreasonremoverenamerun-v3rune1 scvg: secondsecureselectsendtoserversocketsocks socks5statusstringstructsweep telnetuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> dying= flags= len=%d locks= m->g0= nmsys= s=nil
          Source: explorer.exe, 00000001.00000000.357720554.000000000CDC8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: _VMware_SATA_CD00#5&
          Source: E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: (MISSING)(unknown)+infinity, newval=, oldval=-07:00:00-infinity/api/cdn?/api/poll127.0.0.1244140625: status=; Domain=Accuracy(AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticEVEN-PORTExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]atomicor8attributeb.ooze.ccbad indirbroadcastbus errorchallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0ecdsa.netempty urlfn.48.orgfodhelperfork/execfuncargs(gdi32.dllimage/gifimage/pnginterfaceinterruptipv6-icmplocalhostmSpanDeadmSpanFreemulticastnew tokennil errorntdll.dllole32.dllomitemptyop_returnpanicwaitpatch.exepclmulqdqprintableprotocol proxy.exepsapi.dllraw-writereboot inrecover: reflect: rwxrwxrwxscheduledsucceededtask %+v
          Source: explorer.exe, 00000001.00000000.384543601.00000000085A9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: E9D3.exe, 0000001B.00000002.739912367.0000000002BF5000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: yvmcixn-Re-
          Source: 87B9.exe, 0000000F.00000002.505696844.00000000007F6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWps
          Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation

          Anti Debugging

          Source: C:\Users\user\Desktop\file.exe | System information queried: CodeIntegrityInformation
          Source: C:\Users\user\AppData\Roaming\erhuush | System information queried: CodeIntegrityInformation
          Source: C:\Users\user\AppData\Local\Temp\D86C.exe | System information queried: CodeIntegrityInformation
          Source: C:\Users\user\AppData\Local\Temp\C39A.exe | System information queried: CodeIntegrityInformation
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_00422760 LoadLibraryA,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2D051 push dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_025450A3 push dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_026F0042 push dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
          Source: C:\Users\user\AppData\Roaming\erhuush | Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\D86C.exe | Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\C39A.exe | Process queried: DebugPort
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_00414FF0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_0254671C rdtsc
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_00410A90 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_0040A7A0 _memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe | File created: D86C.exe.1.dr
          Source: C:\Users\user\Desktop\file.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Users\user\Desktop\file.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
          Source: C:\Users\user\AppData\Roaming\erhuush | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Users\user\AppData\Roaming\erhuush | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
          Source: C:\Users\user\AppData\Local\Temp\D86C.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Users\user\AppData\Local\Temp\D86C.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
          Source: C:\Users\user\AppData\Local\Temp\C39A.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Users\user\AppData\Local\Temp\C39A.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2C847FA0000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2F31B9A0000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 156B6A90000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1F64A270000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 25205F70000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 22CCE7A0000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 20983C80000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 17AF5440000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2D56CF90000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 21C8C3A0000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 251E8270000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1FCB35B0000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 19987D90000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 17685D00000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 27ADFBB0000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 24FF52B0000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 23F9E9B0000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1DFFC5B0000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 29EED760000 protect: page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Memory written: C:\Users\user\AppData\Local\Temp\87B9.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_026F0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess
          Source: C:\Users\user\Desktop\file.exe | Thread created: C:\Windows\explorer.exe EIP: 4611B44
          Source: C:\Users\user\AppData\Roaming\erhuush | Thread created: unknown EIP: 47B1B44
          Source: C:\Users\user\AppData\Local\Temp\D86C.exe | Thread created: unknown EIP: 4A91A50
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: unknown EIP: 47FA0000
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 1B9A0000
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: C:\Windows\System32\svchost.exe EIP: B6A90000
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: unknown EIP: 4A270000
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: unknown EIP: 5F70000
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: unknown EIP: CE7A0000
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: unknown EIP: 83C80000
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: unknown EIP: F5440000
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: unknown EIP: 6CF90000
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: unknown EIP: 8C3A0000
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: unknown EIP: E8270000
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: unknown EIP: B35B0000
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: unknown EIP: 87D90000
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: unknown EIP: 85D00000
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: unknown EIP: DFBB0000
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: unknown EIP: F52B0000
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: unknown EIP: 9E9B0000
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: unknown EIP: FC5B0000
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread created: unknown EIP: ED760000
          Source: C:\Users\user\AppData\Local\Temp\C39A.exe | Thread created: unknown EIP: 2B41A50
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C847FA0000
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 2F31B9A0000
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 156B6A90000
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F64A270000
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 25205F70000
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 22CCE7A0000
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 20983C80000
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 17AF5440000
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D56CF90000
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 21C8C3A0000
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 251E8270000
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FCB35B0000
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 19987D90000
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 17685D00000
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 27ADFBB0000
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 24FF52B0000
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 23F9E9B0000
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DFFC5B0000
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 29EED760000
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Process created: C:\Users\user\AppData\Local\Temp\87B9.exe C:\Users\user\AppData\Local\Temp\87B9.exe
          Source: C:\Users\user\AppData\Local\Temp\E9D3.exe | Process created: unknown unknown
          Source: explorer.exe, 00000001.00000000.365223626.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.317296713.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.346592082.0000000000E50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: EProgram Managerzx
          Source: explorer.exe, 00000001.00000000.321431487.0000000005C70000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.326833001.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.365223626.0000000000E50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000001.00000000.365223626.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.317296713.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.346592082.0000000000E50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000001.00000000.317144370.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.346300056.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.364699986.00000000009C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progmanath
          Source: explorer.exe, 00000001.00000000.365223626.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.317296713.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.346592082.0000000000E50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\AppData\Local\Temp\87B9.exe | Code function: 14_2_00418370 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
          Source: C:\Users\user\AppData\Local\Temp\E9D3.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

          Stealing of Sensitive Information

          Source: Yara match | File source: 26.2.D86C.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 26.3.D86C.exe.b10000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 39.3.C39A.exe.940000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 26.2.D86C.exe.b00e67.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 39.2.C39A.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 39.2.C39A.exe.930e67.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000001A.00000003.526622172.0000000000B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000027.00000002.601597228.00000000009F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001A.00000002.544780175.0000000000B10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.441430475.0000000002491000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000027.00000002.601073617.0000000000940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.387173781.00000000009E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000000.367270038.0000000004611000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.387108841.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.441371767.0000000002470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000027.00000003.584704076.0000000000940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001A.00000002.545012487.0000000000B31000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: A024.exe PID: 3064, type: MEMORYSTR
          Source: C:\Users\user\AppData\Local\Temp\A024.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Users\user\AppData\Local\Temp\A024.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

          Remote Access Functionality

          Source: Yara match | File source: 26.2.D86C.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 26.3.D86C.exe.b10000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 39.3.C39A.exe.940000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 26.2.D86C.exe.b00e67.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 39.2.C39A.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 39.2.C39A.exe.930e67.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000001A.00000003.526622172.0000000000B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000027.00000002.601597228.00000000009F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001A.00000002.544780175.0000000000B10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.441430475.0000000002491000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000027.00000002.601073617.0000000000940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.387173781.00000000009E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000000.367270038.0000000004611000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.387108841.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.441371767.0000000002470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000027.00000003.584704076.0000000000940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001A.00000002.545012487.0000000000B31000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: A024.exe PID: 3064, type: MEMORYSTR
          MITRE ATT&CK Matrix (tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact). Techniques marked with hits for this sample, grouped by tactic:

          Execution: Windows Management Instrumentation, Native API, Exploitation for Client Execution, Command and Scripting Interpreter
          Persistence: DLL Side-Loading
          Privilege Escalation: DLL Side-Loading, Process Injection
          Defense Evasion: Disable or Modify Tools, Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Software Packing, DLL Side-Loading, Virtualization/Sandbox Evasion, File Deletion, Masquerading, Process Injection, Hidden Files and Directories, Regsvr32, Rundll32
          Credential Access: OS Credential Dumping, Input Capture
          Discovery: System Time Discovery, File and Directory Discovery, System Information Discovery, Security Software Discovery, Virtualization/Sandbox Evasion, Process Discovery, Application Window Discovery, Remote System Discovery
          Collection: Archive Collected Data, Data from Local System, Input Capture
          Command and Control: Encrypted Channel, Application Layer Protocol, Proxy
          Behavior Graph ID: 694011 | Sample: file.exe | Start date: 31/08/2022 | Architecture: WINDOWS | Score: 100

          Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 12 other signatures.

          Process tree as rendered in the behavior graph:
          • file.exe (started): Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process
            • explorer.exe (injected): contacts 189.156.116.190 (UninetSAdeCVMX, Mexico), 46.194.108.30 (TELENOR-NEXTELTelenorNorgeASNO, Sweden) and 18 other IPs or domains; drops C:\Users\user\AppData\Roaming\erhuush (PE32), C:\Users\user\AppData\Roaming\bchuush (PE32), C:\Users\user\AppData\Local\Temp\E9D3.exe (PE32) and 12 other malicious files; Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
              • D86C.exe (started): Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
              • C39A.exe (started): Maps a DLL or memory area into another process; 2 other signatures
              • A024.exe (started): contacts 208.95.112.1 (TUT-ASUS, United States), 45.136.151.102 (ENZUINC-US, Latvia); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Tries to harvest and steal browser information (history, passwords, etc); Tries to detect virtualization through RDTSC time measurements
              • 7 other processes: Contains functionality to inject code into remote processes; 2 other signatures
                • C05F.exe (started): contacts 104.21.40.196 and 172.67.188.70 (CLOUDFLARENETUS, United States); drops C:\Users\user\AppData\Local\Temp\db.dll (PE32); starts conhost.exe
                • 87B9.exe (started): contacts 162.0.217.254 (ACPCA, Canada)
                • regsvr32.exe (started)
                • 2 other processes
          • erhuush (started): Machine Learning detection for dropped file; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
          • WmiPrvSE.exe (started)
            • rundll32.exe (started)
              • rundll32.exe (started): Writes to foreign memory regions; Allocates memory in foreign processes
                • svchost.exe (injected)
                • svchost.exe (injected)
          • 3 other processes: contact 20.82.154.241 and 20.82.228.9 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)

          Source | Detection | Scanner | Label
          file.exe | 41% | ReversingLabs | Win32.Ransomware.Stop
          file.exe | 100% | Joe Sandbox ML |
          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\964B.exe | 100% | Avira | HEUR/AGEN.1249525
          C:\Users\user\AppData\Local\Temp\A024.exe | 100% | Avira | HEUR/AGEN.1249525
          C:\Users\user\AppData\Local\Temp\964B.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Temp\D86C.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Temp\254.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Temp\C39A.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Roaming\erhuush | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Temp\4A99.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Temp\E9D3.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Roaming\bchuush | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Temp\519F.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Temp\87B9.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Temp\A024.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Temp\70E4.dll | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Temp\4A99.exe | 32% | ReversingLabs | Win32.Trojan.Cutwail
          C:\Users\user\AppData\Local\Temp\87B9.exe | 59% | Metadefender |
          C:\Users\user\AppData\Local\Temp\87B9.exe | 81% | ReversingLabs | Win32.Ransomware.Stop
          C:\Users\user\AppData\Local\Temp\964B.exe | 58% | ReversingLabs | Win64.Trojan.Fabookie
          C:\Users\user\AppData\Local\Temp\A024.exe | 58% | ReversingLabs | Win64.Trojan.Fabookie
          C:\Users\user\AppData\Local\Temp\ACE4.exe | 54% | Metadefender |
          C:\Users\user\AppData\Local\Temp\ACE4.exe | 77% | ReversingLabs | Win32.Backdoor.Manuscrypt
          C:\Users\user\AppData\Local\Temp\C05F.exe | 54% | Metadefender |
          C:\Users\user\AppData\Local\Temp\C05F.exe | 77% | ReversingLabs | Win32.Backdoor.Manuscrypt
          Source | Detection | Scanner | Label
          0.2.file.exe.9b0e67.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          39.3.C39A.exe.940000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          15.0.87B9.exe.400000.7.unpack | 100% | Avira | HEUR/AGEN.1223627
          7.3.erhuush.2470000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          15.0.87B9.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1223627
          26.2.D86C.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          15.0.87B9.exe.400000.6.unpack | 100% | Avira | HEUR/AGEN.1223627
          7.2.erhuush.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          15.0.87B9.exe.400000.9.unpack | 100% | Avira | HEUR/AGEN.1223627
          0.3.file.exe.9c0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          31.2.rundll32.exe.4d00000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
          15.0.87B9.exe.400000.10.unpack | 100% | Avira | HEUR/AGEN.1223627
          15.0.87B9.exe.400000.8.unpack | 100% | Avira | HEUR/AGEN.1223627
          39.2.C39A.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          26.2.D86C.exe.b00e67.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          0.2.file.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          15.2.87B9.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223627
          15.0.87B9.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1223627
          39.2.C39A.exe.930e67.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          36.0.svchost.exe.2f31bfb0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
          7.2.erhuush.9c0e67.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          43.0.svchost.exe.156b6b50000.0.unpack | 100% | Avira | TR/ATRAPS.Gen2
          26.3.D86C.exe.b10000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          No Antivirus matches

Source | Detection | Scanner | Label | Link
http://gbm.hhiuew33.com/check/safe | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2022523&key=489967a14be7e798a418ec88203e5295XQ | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2015891&key=b779f07443cbe91981cfefc8943025f09-90CE-806E6F6E6963 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/safeP | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2016345&key=1cb93d6dec2bc745d06457ef77da4779nal | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2017683&key=2ae600ecd082beb1eedd2a00077025c0 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2021009&key=fed594bb4f69b903f7a0afd5144b280a | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2023623&key=9dd0f4a37d9727289100679ff4679313 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2018303&key=1193b4e4de5655538ccc58c723ed2ff8al2~7 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2015443&key=6fbc9ea36028e7a7aef47e3f25de14479-90CE-806E6F6E6963 | 0% | Avira URL Cloud | safe
http://invalidlog.txtlookup | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2017807&key=656ed5c4260156c137520047500fcb5a | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2022081&key=732a544087b3e9ff829e7663084700c0l | 0% | Avira URL Cloud | safe
http://acacaca.org/lancer/get.php | 100% | Avira URL Cloud | malware
http://www.hhiuew33.com/check/?sid=2015891&key=b779f07443cbe91981cfefc8943025f0nal | 0% | Avira URL Cloud | safe
http://www.hhiuew33.coH | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2015571&key=4db054c96026ef6dad1828790e5c30ce | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/ | 100% | URL Reputation | malware
http://www.hhiuew33.com/check/?sid=2016829&key=3a7045f6ec37d43997a6260b6182f08eal | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2017683&key=2ae600ecd082beb1eedd2a00077025c0961782216 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/safee | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2015661&key=253379595e8709edaa7459e6261ab76fE9-90CE-806E6F6E6963 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/safea | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2015571&key=4db054c96026ef6dad1828790e5c30ce9-90CE-806E6F6E6963 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2016991&key=d06a0819802fb9b8bfa3f83cec712889nal | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/safe | 100% | Avira URL Cloud | malware
http://www.hhiuew33.com/check/?sid=2022523&key=489967a14be7e798a418ec88203e5295 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2019659&key=1247ed064225139f8d54ea20b7f4308dl2~7 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2015891&key=b779f07443cbe91981cfefc8943025f0 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2016991&key=d06a0819802fb9b8bfa3f83cec712889 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2022763&key=3ecacc048d1ccf52ee18d6088a38deba9-90CE-806E6F6E6963 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2017807&key=656ed5c4260156c137520047500fcb5anal2~7 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2015239&key=8072fcd4732872d904f5d23b03531d08 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2016031&key=7e1ca779d9bf4e17f6d764045bd141cf9-90CE-806E6F6E6963 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2017297&key=50a768fcc44c2ec36a174f09d26cbb12 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2019659&key=1247ed064225139f8d54ea20b7f4308dnal | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/safeG | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2018477&key=54f4c00d5b523edeb0b1a231aabf7866 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2018035&key=6fe006e1a6ee76909784c1c112d40fa7 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2018981&key=44df1fe76965627ca5f86e0117faa672nal961782216 | 0% | Avira URL Cloud | safe
http://apcotex.com/ | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2023623&key=9dd0f4a37d9727289100679ff46793139-90CE-806E6F6E6963 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2015377&key=70dd7a55c597dd230199469c3c3d32b6 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2022899&key=2e1c6e2a11a5fbaa14f06bb550215b6fU~ | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2016031&key=7e1ca779d9bf4e17f6d764045bd141cfa001-6 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2016829&key=3a7045f6ec37d43997a6260b6182f08e | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2016829&key=3a7045f6ec37d43997a6260b6182f08e85-A1ED-B2838757AE1B | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/safe& | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2018035&key=6fe006e1a6ee76909784c1c112d40fa7961782216 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/safele | 0% | Avira URL Cloud | safe
http://usadig.com/ | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2022899&key=2e1c6e2a11a5fbaa14f06bb550215b6fnal | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2017683&key=2ae600ecd082beb1eedd2a00077025c085-A1ED-B2838757AE1B | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2022899&key=2e1c6e2a11a5fbaa14f06bb550215b6fl2~7 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2018035&key=6fe006e1a6ee76909784c1c112d40fa785-A1ED-B2838757AE1B | 0% | Avira URL Cloud | safe
http://zdauctions.com/tmp/ | 0% | Avira URL Cloud | safe
https://blockstream.info/apihttps://sofolisk.com/api/loginvalid | 100% | Avira URL Cloud | malware
https://blockchain.infoindex | 0% | URL Reputation | safe
http://www.hhiuew33.com/check/?sid=2019659&key=1247ed064225139f8d54ea20b7f4308d | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2018035&key=6fe006e1a6ee76909784c1c112d40fa7= | 0% | Avira URL Cloud | safe
http://www.avantbrowser.com)MOT-V9mm/00.62 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2016991&key=d06a0819802fb9b8bfa3f83cec712889nalU~ | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2016345&key=1cb93d6dec2bc745d06457ef77da4779safe_see?~: | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2018981&key=44df1fe76965627ca5f86e0117faa672_see?~: | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2016829&key=3a7045f6ec37d43997a6260b6182f08enal | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2015571&key=4db054c96026ef6dad1828790e5c30ce( | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2016031&key=7e1ca779d9bf4e17f6d764045bd141cf | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2018303&key=1193b4e4de5655538ccc58c723ed2ff8_see?~: | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2015377&key=70dd7a55c597dd230199469c3c3d32b69-90CE-806E6F6E6963 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2015571&key=4db054c96026ef6dad1828790e5c30ce: | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2022081&key=732a544087b3e9ff829e7663084700c0 | 0% | Avira URL Cloud | safe
http://pro-fa.com/ | 0% | Avira URL Cloud | safe
http://www.hhiuew33.coww.hhiuew33.com/check/?sid=2016345&key=1cb93d6dec2bc745d06457ef77da4779 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2016031&key=7e1ca779d9bf4e17f6d764045bd141cfl2~7 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2018303&key=1193b4e4de5655538ccc58c723ed2ff8 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2022081&key=732a544087b3e9ff829e7663084700c0_see?~: | 0% | Avira URL Cloud | safe
http://www.hhiuew33.coww.hhiuew33.com/ | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/safeown | 0% | Avira URL Cloud | safe
http://devlog.gregarius.net/docs/ua)Links | 0% | URL Reputation | safe
http://www.hhiuew33.com/check/?sid=2021009&key=fed594bb4f69b903f7a0afd5144b280aal | 0% | Avira URL Cloud | safe
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2018981&key=44df1fe76965627ca5f86e0117faa672l(~ | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2022763&key=3ecacc048d1ccf52ee18d6088a38debanalU~ | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2016031&key=7e1ca779d9bf4e17f6d764045bd141cfnalU~ | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2017297&key=50a768fcc44c2ec36a174f09d26cbb12nal | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2016991&key=d06a0819802fb9b8bfa3f83cec71288985-A1ED-B2838757AE1B | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2022081&key=732a544087b3e9ff829e7663084700c0al961782216 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2022081&key=732a544087b3e9ff829e7663084700c09-90CE-806E6F6E6963 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2018981&key=44df1fe76965627ca5f86e0117faa672 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2022523&key=489967a14be7e798a418ec88203e5295961782216 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2016991&key=d06a0819802fb9b8bfa3f83cec712889al | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/?sid=2022899&key=2e1c6e2a11a5fbaa14f06bb550215b6f961782216 | 0% | Avira URL Cloud | safe
http://www.hhiuew33.com/check/safeEKYn49oSDm | 0% | Avira URL Cloud | safe
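Most rows in the URL table above are the same hhiuew33.com check-in URL repeated with different trailing characters ("XQ", "nal", "9-90CE-806E6F6E6963", "safeP", "safeEKYn49oSDm"). Those tails are bytes that happened to follow the URL string in the memory dump, not part of the indicator, so an analyst feeding this report into a blocklist has to normalize the strings first. The following is an added example written for this page, not Joe Sandbox code and not part of the report: it parses rows in the delimiter-less shape shown above, collapses them into canonical indicators, and maps a memory-dump source reference back to its process. Two details are assumptions inferred from the rows rather than documented on the page: the `key` parameter is exactly 32 hex characters, and the first field of an `.sdmp` name is the process index in hex (0x0F matching the "15" in `15.0.87B9.exe`). The sample rows are copied from the table; everything else (function names, the `SCANNERS` and `LABELS` vocabularies) is this example's own.

```python
"""Normalize URL indicators from a flattened sandbox URL table (added example)."""
import re
from collections import defaultdict

# Fixed vocabularies seen in the table; parsing works from the right edge because
# the flattened rows "<url><detection>%<scanner><label>" carry no delimiter.
SCANNERS = ("Avira URL Cloud", "URL Reputation")
LABELS = ("safe", "malware")

# Constructed sample rows, copied in shape from the report's URL table.
SAMPLE_ROWS = [
    "http://www.hhiuew33.com/check/?sid=2022523&key=489967a14be7e798a418ec88203e5295XQ0%Avira URL Cloudsafe",
    "http://www.hhiuew33.com/check/?sid=2022523&key=489967a14be7e798a418ec88203e52950%Avira URL Cloudsafe",
    "http://www.hhiuew33.com/check/?sid=2015891&key=b779f07443cbe91981cfefc8943025f09-90CE-806E6F6E69630%Avira URL Cloudsafe",
    "http://www.hhiuew33.com/check/?sid=2015891&key=b779f07443cbe91981cfefc8943025f0nal0%Avira URL Cloudsafe",
    "http://www.hhiuew33.com/check/safeP0%Avira URL Cloudsafe",
    "http://www.hhiuew33.com/check/safe100%Avira URL Cloudmalware",
    "http://acacaca.org/lancer/get.php100%Avira URL Cloudmalware",
    "http://www.hhiuew33.com/100%URL Reputationmalware",
]


def parse_row(row):
    """Split one row into (url, detection_pct, scanner, label).

    On this page the detection is 0% for "safe" and 100% for "malware", so the
    label decides the percentage; that resolves the ambiguity between a URL
    ending in "...10" followed by "0%" and a URL followed by "100%".
    """
    label = next((lab for lab in LABELS if row.endswith(lab)), None)
    if label is None:
        raise ValueError(f"unknown label: {row!r}")
    rest = row[: -len(label)]
    scanner = next((s for s in SCANNERS if rest.endswith(s)), None)
    if scanner is None:
        raise ValueError(f"unknown scanner: {row!r}")
    rest = rest[: -len(scanner)]
    pct = "100%" if label == "malware" else "0%"
    if not rest.endswith(pct):
        raise ValueError(f"detection/label mismatch: {row!r}")
    return rest[: -len(pct)], int(pct[:-1]), scanner, label


# Assumption taken from the rows themselves: `key` is exactly 32 hex characters, so
# anything after it ("XQ", "nal", "9-90CE-...") is memory that followed the string.
CHECKIN_RE = re.compile(
    r"^(?P<base>http://www\.hhiuew33\.com/check/)"
    r"(?:(?P<safe>safe)|\?sid=(?P<sid>\d+)&key=(?P<key>[0-9a-f]{32}))"
    r"(?P<residue>.*)$"
)


def canonicalize(url):
    """Return (canonical_url, residue); non-check-in URLs pass through unchanged."""
    m = CHECKIN_RE.match(url)
    if not m:
        return url, ""
    if m.group("safe"):
        return m.group("base") + "safe", m.group("residue")
    canon = f"{m.group('base')}?sid={m.group('sid')}&key={m.group('key')}"
    return canon, m.group("residue")


def build_ioc_set(rows):
    """Collapse raw rows into canonical URL -> {"verdicts", "variants"}."""
    iocs = defaultdict(lambda: {"verdicts": set(), "variants": set()})
    for row in rows:
        url, pct, scanner, label = parse_row(row)
        canon, _residue = canonicalize(url)
        iocs[canon]["verdicts"].add((scanner, pct, label))
        iocs[canon]["variants"].add(url)
    return dict(iocs)


# Source references look like "A024.exe, 00000011.00000003.875583192.00000000005FC000.<...>.sdmp".
# Assumed from the report's own naming (not documented on the page): the first dump
# field is the process index in hex and the fourth is the base address of the region.
SDMP_RE = re.compile(
    r"^(?P<image>\S+), (?P<pid>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.(?P<base>[0-9A-F]{16})\."
)


def source_process(ref):
    """Parse one source reference into (image, process_index, base_address)."""
    m = SDMP_RE.match(ref)
    if not m:
        raise ValueError(f"unrecognized source reference: {ref!r}")
    return m.group("image"), int(m.group("pid"), 16), int(m.group("base"), 16)


if __name__ == "__main__":
    for canon, info in sorted(build_ioc_set(SAMPLE_ROWS).items()):
        print(f"{canon}  variants={len(info['variants'])}  verdicts={sorted(info['verdicts'])}")
    print(source_process(
        "A024.exe, 00000011.00000003.875583192.00000000005FC000.00000004.00000020.00020000.00000000.sdmp"
    ))
```

Run as a script it reduces the eight sample rows to five indicators and shows that `http://www.hhiuew33.com/check/safe` carries both a "safe" and a "malware" verdict from the same scanner, which is the kind of disagreement worth resolving by hand before the URL goes on a blocklist. The residue returned by `canonicalize` is kept rather than discarded so that a reviewer can confirm each collapsed row really was the same string.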
          No contacted domains info
          NameMaliciousAntivirus DetectionReputation
          http://acacaca.org/lancer/get.phptrue
          • Avira URL Cloud: malware
          unknown
          http://zdauctions.com/tmp/true
          • Avira URL Cloud: safe
          unknown
          NameSourceMaliciousAntivirus DetectionReputation
          http://gbm.hhiuew33.com/check/safeA024.exe, 00000011.00000003.875583192.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.881509308.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.882065466.00000000005FC000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2022523&key=489967a14be7e798a418ec88203e5295XQA024.exe, 00000011.00000003.874060381.00000000005D5000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2015891&key=b779f07443cbe91981cfefc8943025f09-90CE-806E6F6E6963A024.exe, 00000011.00000003.545244186.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.544526983.00000000005CA000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/safePA024.exe, 00000011.00000003.527158732.0000000000606000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.517537044.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.615057053.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.612816385.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.608953979.00000000005A6000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2016345&key=1cb93d6dec2bc745d06457ef77da4779nalA024.exe, 00000011.00000003.568208161.0000000000606000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.570943693.0000000000608000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.571506563.0000000000609000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2017683&key=2ae600ecd082beb1eedd2a00077025c0A024.exe, 00000011.00000003.625014209.0000000000604000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2021009&key=fed594bb4f69b903f7a0afd5144b280aA024.exe, 00000011.00000003.808584855.0000000000607000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2023623&key=9dd0f4a37d9727289100679ff4679313A024.exe, 00000011.00000003.921541921.000000000060D000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2018303&key=1193b4e4de5655538ccc58c723ed2ff8al2~7A024.exe, 00000011.00000003.662594874.0000000000607000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2015443&key=6fbc9ea36028e7a7aef47e3f25de14479-90CE-806E6F6E6963A024.exe, 00000011.00000003.523460921.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.526919336.0000000000628000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.520500191.0000000000628000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.524368517.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.524413971.0000000000619000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.526287413.0000000000628000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.524817915.0000000000628000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://invalidlog.txtlookupE9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2017807&key=656ed5c4260156c137520047500fcb5aA024.exe, 00000011.00000003.704521200.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.667878458.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.685584153.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.660801597.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.715848614.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.722927599.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.635485775.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.678649642.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.643595978.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.673144821.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.649938670.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.662725732.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.632680017.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.630275020.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.701495973.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.639684625.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.651676419.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.633527727.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.723828395.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 
00000011.00000003.719104693.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.687471126.0000000000615000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2022081&key=732a544087b3e9ff829e7663084700c0lA024.exe, 00000011.00000003.861375673.000000000060A000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2015891&key=b779f07443cbe91981cfefc8943025f0nalA024.exe, 00000011.00000003.545533996.000000000060D000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.545927414.000000000060D000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.coHA024.exe, 00000011.00000003.517949411.00000000005FC000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2015571&key=4db054c96026ef6dad1828790e5c30ceA024.exe, 00000011.00000003.527158732.0000000000606000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/A024.exe, 00000011.00000003.547616617.0000000000606000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.924299314.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.925282553.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.546820577.0000000000606000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.917214347.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.548588817.0000000000606000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.888609376.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.906851773.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.545474727.0000000000606000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.924357065.00000000005CA000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.915984441.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.922262527.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.546061583.0000000000606000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.886216752.00000000005FC000.00000004.00000020.00020000.00000000.sdmptrue
          • URL Reputation: malware
          unknown
          http://www.hhiuew33.com/check/?sid=2016829&key=3a7045f6ec37d43997a6260b6182f08ealA024.exe, 00000011.00000003.587651978.000000000060A000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2017683&key=2ae600ecd082beb1eedd2a00077025c0961782216A024.exe, 00000011.00000003.627283501.00000000005FC000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/safeeA024.exe, 00000011.00000003.728847971.00000000005A6000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2015661&key=253379595e8709edaa7459e6261ab76fE9-90CE-806E6F6E6963A024.exe, 00000011.00000003.532604795.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.533629250.00000000005CB000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.543036109.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.542736341.00000000005D0000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/safeaA024.exe, 00000011.00000003.622282517.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.612951482.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.615628201.00000000005BD000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2015571&key=4db054c96026ef6dad1828790e5c30ce9-90CE-806E6F6E6963A024.exe, 00000011.00000003.526919336.0000000000628000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.526287413.0000000000628000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2016991&key=d06a0819802fb9b8bfa3f83cec712889nalA024.exe, 00000011.00000003.598496754.0000000000605000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.597481454.00000000005FC000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/safeA024.exe, 00000011.00000003.587954388.00000000005A8000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.524886511.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.608953979.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.917555901.000000000063A000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.508626394.00000000005AA000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.919462666.0000000000639000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.627283501.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.845942642.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.507033348.00000000005BD000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: malware
          unknown
          http://www.hhiuew33.com/check/?sid=2022523&key=489967a14be7e798a418ec88203e5295A024.exe, 00000011.00000003.876584578.000000000060D000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2019659&key=1247ed064225139f8d54ea20b7f4308dl2~7A024.exe, 00000011.00000003.728175494.00000000005FC000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2015891&key=b779f07443cbe91981cfefc8943025f0A024.exe, 00000011.00000003.545927414.000000000060D000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.544149773.000000000060D000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2016991&key=d06a0819802fb9b8bfa3f83cec712889A024.exe, 00000011.00000003.598496754.0000000000605000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.597481454.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.598830142.00000000005A9000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2022763&key=3ecacc048d1ccf52ee18d6088a38deba9-90CE-806E6F6E6963A024.exe, 00000011.00000003.885741788.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.889359323.00000000005D7000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2017807&key=656ed5c4260156c137520047500fcb5anal2~7A024.exe, 00000011.00000003.630275020.00000000005FC000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2015239&key=8072fcd4732872d904f5d23b03531d08A024.exe, 00000011.00000003.509503649.00000000005A9000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.508626394.00000000005AA000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2016031&key=7e1ca779d9bf4e17f6d764045bd141cf9-90CE-806E6F6E6963A024.exe, 00000011.00000003.574706830.00000000005E4000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.583968460.00000000005E4000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.559657315.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.577092251.00000000005E4000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.559976733.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.561248557.00000000005E4000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.564250091.00000000005E4000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.558452855.00000000005CE000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2017297&key=50a768fcc44c2ec36a174f09d26cbb12A024.exe, 00000011.00000003.622282517.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.613334781.000000000060D000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.622558054.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.622537055.000000000060B000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.613761354.000000000060D000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.612951482.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.621642097.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.615628201.00000000005BD000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2019659&key=1247ed064225139f8d54ea20b7f4308dnalA024.exe, 00000011.00000003.728175494.00000000005FC000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/safeGA024.exe, 00000011.00000003.544493765.0000000000628000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.544055476.0000000000627000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2018477&key=54f4c00d5b523edeb0b1a231aabf7866A024.exe, 00000011.00000003.671761218.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.666899275.0000000000607000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2018035&key=6fe006e1a6ee76909784c1c112d40fa7A024.exe, 00000011.00000003.650371810.0000000000605000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.649505481.0000000000602000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.641826184.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.650989626.00000000005E9000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.643110136.0000000000605000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.652530312.00000000005E1000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2018981&key=44df1fe76965627ca5f86e0117faa672nal961782216A024.exe, 00000011.00000003.704285105.0000000000607000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://apcotex.com/A024.exe, 00000011.00000003.924299314.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.925282553.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.917214347.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.906851773.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.915984441.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.922262527.00000000005FC000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2023623&key=9dd0f4a37d9727289100679ff46793139-90CE-806E6F6E6963A024.exe, 00000011.00000003.923816270.000000000063A000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.925921836.000000000063A000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.919462666.0000000000639000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2015377&key=70dd7a55c597dd230199469c3c3d32b6A024.exe, 00000011.00000003.517537044.00000000005A6000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://www.hhiuew33.com/check/?sid=2022899&key=2e1c6e2a11a5fbaa14f06bb550215b6fU~A024.exe, 00000011.00000003.895949373.000000000060A000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.902751656.000000000060B000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          https://api.2ip.ua/j87B9.exe, 0000000F.00000002.505580671.00000000007E1000.00000004.00000020.00020000.00000000.sdmpfalse
            high
            http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmpfalse
              high
              http://www.hhiuew33.com/check/?sid=2016031&key=7e1ca779d9bf4e17f6d764045bd141cfa001-6A024.exe, 00000011.00000003.552783679.000000000060A000.00000004.00000020.00020000.00000000.sdmptrue
              • Avira URL Cloud: safe
              unknown
              http://www.hhiuew33.com/check/?sid=2016829&key=3a7045f6ec37d43997a6260b6182f08eA024.exe, 00000011.00000003.589560082.0000000000607000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.594896934.000000000060D000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.594939303.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.589735478.0000000000615000.00000004.00000020.00020000.00000000.sdmptrue
              • Avira URL Cloud: safe
              unknown
              http://www.hhiuew33.com/check/?sid=2016829&key=3a7045f6ec37d43997a6260b6182f08e85-A1ED-B2838757AE1BA024.exe, 00000011.00000003.591381087.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.588363720.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.593992131.00000000005C8000.00000004.00000020.00020000.00000000.sdmptrue
              • Avira URL Cloud: safe
              unknown
              http://www.hhiuew33.com/check/safe&A024.exe, 00000011.00000003.506991069.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.508315763.00000000005A9000.00000004.00000020.00020000.00000000.sdmptrue
              • Avira URL Cloud: safe
              unknown
              https://api.2ip.ua/geo.jsond87B9.exe, 0000000F.00000002.505793782.0000000000813000.00000004.00000020.00020000.00000000.sdmpfalse
                high
                http://www.hhiuew33.com/check/?sid=2018035&key=6fe006e1a6ee76909784c1c112d40fa7961782216A024.exe, 00000011.00000003.650371810.0000000000605000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.649505481.0000000000602000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.641826184.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.643110136.0000000000605000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: safe
                unknown
                http://www.hhiuew33.com/check/safeleA024.exe, 00000011.00000003.507033348.00000000005BD000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: safe
                unknown
                http://usadig.com/A024.exe, 00000011.00000003.924357065.00000000005CA000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://www.hhiuew33.com/check/?sid=2022899&key=2e1c6e2a11a5fbaa14f06bb550215b6fnalA024.exe, 00000011.00000003.895949373.000000000060A000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: safe
                unknown
                http://www.hhiuew33.com/check/?sid=2017683&key=2ae600ecd082beb1eedd2a00077025c085-A1ED-B2838757AE1BA024.exe, 00000011.00000003.625297785.00000000005BD000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: safe
                unknown
                http://www.hhiuew33.com/check/?sid=2022899&key=2e1c6e2a11a5fbaa14f06bb550215b6fl2~7A024.exe, 00000011.00000003.895949373.000000000060A000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: safe
                unknown
                http://www.hhiuew33.com/check/?sid=2018035&key=6fe006e1a6ee76909784c1c112d40fa785-A1ED-B2838757AE1BA024.exe, 00000011.00000003.643638138.00000000005CA000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: safe
                unknown
                https://blockstream.info/apihttps://sofolisk.com/api/loginvalidE9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmptrue
                • Avira URL Cloud: malware
                unknown
                https://blockchain.infoindexE9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.hhiuew33.com/check/?sid=2019659&key=1247ed064225139f8d54ea20b7f4308dA024.exe, 00000011.00000003.728847971.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.745415146.00000000005A8000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: safe
                unknown
                http://www.hhiuew33.com/check/?sid=2018035&key=6fe006e1a6ee76909784c1c112d40fa7=A024.exe, 00000011.00000003.650371810.0000000000605000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.651580919.0000000000608000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.649505481.0000000000602000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.641826184.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.643110136.0000000000605000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: safe
                unknown
                http://www.avantbrowser.com)MOT-V9mm/00.62E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                low
                http://www.hhiuew33.com/check/?sid=2016991&key=d06a0819802fb9b8bfa3f83cec712889nalU~A024.exe, 00000011.00000003.598496754.0000000000605000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.597481454.00000000005FC000.00000004.00000020.00020000.00000000.sdmptrue
                • Avira URL Cloud: safe
                unknown
                http://search.msn.com/msnbot.htm)pkcs7:E9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmpfalse
                  high
                  http://www.hhiuew33.com/check/?sid=2016345&key=1cb93d6dec2bc745d06457ef77da4779safe_see?~:A024.exe, 00000011.00000003.568208161.0000000000606000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.570943693.0000000000608000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.571506563.0000000000609000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: safe
                  unknown
                  http://www.hhiuew33.com/check/?sid=2018981&key=44df1fe76965627ca5f86e0117faa672_see?~:A024.exe, 00000011.00000003.704285105.0000000000607000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.692188238.00000000005FD000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: safe
                  unknown
                  http://www.hhiuew33.com/check/?sid=2016829&key=3a7045f6ec37d43997a6260b6182f08enalA024.exe, 00000011.00000003.587651978.000000000060A000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: safe
                  unknown
                  http://www.hhiuew33.com/check/?sid=2015571&key=4db054c96026ef6dad1828790e5c30ce(A024.exe, 00000011.00000003.527158732.0000000000606000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: safe
                  unknown
                  http://www.hhiuew33.com/check/?sid=2016031&key=7e1ca779d9bf4e17f6d764045bd141cfA024.exe, 00000011.00000003.554398119.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.557376459.0000000000615000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.557673507.0000000000608000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.550845431.0000000000607000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.554435845.000000000060A000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.551602096.0000000000608000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.552783679.000000000060A000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.556736628.00000000005FF000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: safe
                  unknown
                  http://www.hhiuew33.com/check/?sid=2018303&key=1193b4e4de5655538ccc58c723ed2ff8_see?~:A024.exe, 00000011.00000003.660658555.0000000000607000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: safe
                  unknown
                  http://www.hhiuew33.com/check/?sid=2015377&key=70dd7a55c597dd230199469c3c3d32b69-90CE-806E6F6E6963A024.exe, 00000011.00000003.516669178.0000000000608000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.517476053.0000000000608000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.518341797.000000000060C000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.518053404.0000000000607000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: safe
                  unknown
                  http://www.hhiuew33.com/check/?sid=2015571&key=4db054c96026ef6dad1828790e5c30ce:A024.exe, 00000011.00000003.527158732.0000000000606000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: safe
                  unknown
                  http://www.hhiuew33.com/check/?sid=2022081&key=732a544087b3e9ff829e7663084700c0A024.exe, 00000011.00000003.857712036.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.861375673.000000000060A000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: safe
                  unknown
                  http://pro-fa.com/A024.exe, 00000011.00000003.888609376.00000000005FC000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.hhiuew33.coww.hhiuew33.com/check/?sid=2016345&key=1cb93d6dec2bc745d06457ef77da4779A024.exe, 00000011.00000003.581709317.0000000002730000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.hhiuew33.com/check/?sid=2016031&key=7e1ca779d9bf4e17f6d764045bd141cfl2~7A024.exe, 00000011.00000003.554435845.000000000060A000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: safe
                  unknown
                  http://www.hhiuew33.com/check/?sid=2018303&key=1193b4e4de5655538ccc58c723ed2ff8A024.exe, 00000011.00000003.663381798.00000000005E1000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: safe
                  unknown
                  http://www.hhiuew33.com/check/?sid=2022081&key=732a544087b3e9ff829e7663084700c0_see?~:A024.exe, 00000011.00000003.857712036.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.861375673.000000000060A000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: safe
                  unknown
                  http://www.hhiuew33.coww.hhiuew33.com/A024.exe, 00000011.00000003.581737900.0000000002733000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.hhiuew33.com/check/safeownA024.exe, 00000011.00000003.508375288.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.507033348.00000000005BD000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: safe
                  unknown
                  http://www.openssl.org/support/faq.html87B9.exe, 0000000F.00000000.488104570.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                    high
                    http://devlog.gregarius.net/docs/ua)LinksE9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.hhiuew33.com/check/?sid=2021009&key=fed594bb4f69b903f7a0afd5144b280aalA024.exe, 00000011.00000003.808584855.0000000000607000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.836509333.0000000000605000.00000004.00000020.00020000.00000000.sdmptrue
                    • Avira URL Cloud: safe
                    unknown
                    http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error87B9.exe, 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000000.490507253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000002.503363757.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 87B9.exe, 0000000F.00000000.488104570.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    low
                    http://www.hhiuew33.com/check/?sid=2018981&key=44df1fe76965627ca5f86e0117faa672l(~A024.exe, 00000011.00000003.692188238.00000000005FD000.00000004.00000020.00020000.00000000.sdmptrue
                    • Avira URL Cloud: safe
                    unknown
                    http://www.hhiuew33.com/check/?sid=2022763&key=3ecacc048d1ccf52ee18d6088a38debanalU~A024.exe, 00000011.00000003.886216752.00000000005FC000.00000004.00000020.00020000.00000000.sdmptrue
                    • Avira URL Cloud: safe
                    unknown
                    http://www.hhiuew33.com/check/?sid=2016031&key=7e1ca779d9bf4e17f6d764045bd141cfnalU~A024.exe, 00000011.00000003.554435845.000000000060A000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.552783679.000000000060A000.00000004.00000020.00020000.00000000.sdmptrue
                    • Avira URL Cloud: safe
                    unknown
                    http://www.hhiuew33.com/check/?sid=2017297&key=50a768fcc44c2ec36a174f09d26cbb12nalA024.exe, 00000011.00000003.613334781.000000000060D000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.612508450.000000000060D000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.613761354.000000000060D000.00000004.00000020.00020000.00000000.sdmptrue
                    • Avira URL Cloud: safe
                    unknown
                    https://api.2ip.ua/geo.jsont87B9.exe, 0000000F.00000002.505793782.0000000000813000.00000004.00000020.00020000.00000000.sdmpfalse
                      high
                      http://www.hhiuew33.com/check/?sid=2016991&key=d06a0819802fb9b8bfa3f83cec71288985-A1ED-B2838757AE1BA024.exe, 00000011.00000003.599358977.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.609649183.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.605981971.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.602536365.00000000005BD000.00000004.00000020.00020000.00000000.sdmptrue
                      • Avira URL Cloud: safe
                      unknown
                      https://turnitin.com/robot/crawlerinfo.html)gentracebackE9D3.exe, 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmpfalse
                        high
                        http://www.hhiuew33.com/check/?sid=2022081&key=732a544087b3e9ff829e7663084700c0al961782216A024.exe, 00000011.00000003.857712036.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.861375673.000000000060A000.00000004.00000020.00020000.00000000.sdmptrue
                        • Avira URL Cloud: safe
                        unknown
                        http://www.hhiuew33.com/check/?sid=2022081&key=732a544087b3e9ff829e7663084700c09-90CE-806E6F6E6963A024.exe, 00000011.00000003.865979392.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.867253468.000000000060F000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.857712036.00000000005FC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.861375673.000000000060A000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.866853290.000000000060C000.00000004.00000020.00020000.00000000.sdmptrue
                        • Avira URL Cloud: safe
                        unknown
                        http://www.hhiuew33.com/check/?sid=2018981&key=44df1fe76965627ca5f86e0117faa672A024.exe, 00000011.00000003.727725399.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.748899296.00000000005D8000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.720945359.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.716149610.000000000063C000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.702826706.000000000063C000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.730565018.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.719463404.000000000063C000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.723724601.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.712109883.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.707156985.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.719569853.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.704285105.0000000000607000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.692188238.00000000005FD000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.692141628.000000000063C000.00000004.00000020.00020000.00000000.sdmptrue
                        • Avira URL Cloud: safe
                        unknown
                        http://www.hhiuew33.com/check/?sid=2022523&key=489967a14be7e798a418ec88203e5295961782216A024.exe, 00000011.00000003.876584578.000000000060D000.00000004.00000020.00020000.00000000.sdmptrue
                        • Avira URL Cloud: safe
                        unknown
                        http://www.hhiuew33.com/check/?sid=2016991&key=d06a0819802fb9b8bfa3f83cec712889alA024.exe, 00000011.00000003.598496754.0000000000605000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.597481454.00000000005FC000.00000004.00000020.00020000.00000000.sdmptrue
                        • Avira URL Cloud: safe
                        unknown
                        http://www.hhiuew33.com/check/?sid=2022899&key=2e1c6e2a11a5fbaa14f06bb550215b6f961782216A024.exe, 00000011.00000003.895949373.000000000060A000.00000004.00000020.00020000.00000000.sdmptrue
                        • Avira URL Cloud: safe
                        unknown
                        http://www.hhiuew33.com/check/safeEKYn49oSDmA024.exe, 00000011.00000003.531837026.0000000000627000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.532518816.0000000000627000.00000004.00000020.00020000.00000000.sdmp, A024.exe, 00000011.00000003.534285456.0000000000615000.00000004.00000020.00020000.00000000.sdmptrue
                        • Avira URL Cloud: safe
                        unknown
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 694011
Start date and time: 2022-08-31 12:52:58 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 45s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: file.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 46
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 4
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@48/21@0/27
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 10.1% (good quality ratio 7.2%)
• Quality average: 44.8%
• Quality standard deviation: 37.2%
HCA Information:
• Successful, ratio: 85%
• Number of executed functions: 47
• Number of non-executed functions: 99
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Override analysis time to 240s for rundll32
• Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, audiodg.exe, BackgroundTransferHost.exe, consent.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded maximum capacity and may be missing behavior information.
• Report size getting too big: too many NtAllocateVirtualMemory calls found.
• Report size getting too big: too many NtDeviceIoControlFile calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• Report size getting too big: too many NtReadVirtualMemory calls found.
Time | Type | Description
12:54:45 | Task Scheduler | Run new task: Firefox Default Browser Agent 57A696630F5C4D61 path: C:\Users\user\AppData\Roaming\erhuush
12:55:26 | API Interceptor | 25x Sleep call for process: A024.exe modified
12:55:38 | API Interceptor | 4x Sleep call for process: C05F.exe modified
12:56:02 | API Interceptor | 4x Sleep call for process: svchost.exe modified
12:56:03 | API Interceptor | 1x Sleep call for process: dllhost.exe modified
12:56:12 | Task Scheduler | Run new task: Firefox Default Browser Agent C1918AB4B2B16CD7 path: C:\Users\user\AppData\Roaming\bchuush
12:56:31 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Windows\rss\csrss.exe"
12:56:35 | Task Scheduler | Run new task: csrss path: C:\Windows\rss\csrss.exe
12:56:42 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Windows\rss\csrss.exe"
12:57:17 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run tibqanobatib C:\Users\user\tibqanobatib.exe
12:57:28 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Regedit32 C:\Windows\system32\regedit.exe
12:57:40 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run tibqanobatib C:\Users\user\tibqanobatib.exe
12:57:56 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Regedit32 C:\Windows\system32\regedit.exe
                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                        85.209.157.230file.exeGet hashmaliciousBrowse
                        • stylesheet.faseaegasdfase.com/hp8/g1/rtst1051.exe
                        file.exeGet hashmaliciousBrowse
                        • stylesheet.faseaegasdfase.com/hp8/g1/rtst1051.exe
                        file.exeGet hashmaliciousBrowse
                        • stylesheet.faseaegasdfase.com/hp8/g1/rtst1051.exe
                        file.exeGet hashmaliciousBrowse
                        • stylesheet.faseaegasdfase.com/hp8/g1/rtst1051.exe
                        file.exeGet hashmaliciousBrowse
                        • stylesheet.faseaegasdfase.com/hp8/g1/rtst1051.exe
                        file.exeGet hashmaliciousBrowse
                        • stylesheet.faseaegasdfase.com/hp8/g1/rtst1051.exe
                        file.exeGet hashmaliciousBrowse
                        • stylesheet.faseaegasdfase.com/hp8/g1/rtst1051.exe
                        file.exeGet hashmaliciousBrowse
                        • stylesheet.faseaegasdfase.com/hp8/g1/rtst1051.exe
                        file.exeGet hashmaliciousBrowse
                        • stylesheet.faseaegasdfase.com/hp8/g1/rtst1051.exe
                        file.exeGet hashmaliciousBrowse
                        • stylesheet.faseaegasdfase.com/hp8/g1/rtst1051.exe
                        file.exeGet hashmaliciousBrowse
                        • stylesheet.faseaegasdfase.com/hp8/g1/rtst1051.exe
                        file.exeGet hashmaliciousBrowse
                        • stylesheet.faseaegasdfase.com/hp8/g1/rtst1051.exe
                        file.exeGet hashmaliciousBrowse
                        • stylesheet.faseaegasdfase.com/hp8/g1/rtst1051.exe
                        file.exeGet hashmaliciousBrowse
                        • stylesheet.faseaegasdfase.com/hp8/g1/rtst1083.exe
                        wu2Z96cOb9.exeGet hashmaliciousBrowse
                        • stylesheet.faseaegasdfase.com/hp8/g1/rtst1083.exe
                        GFXTXvWhyQ.exeGet hashmaliciousBrowse
                        • stylesheet.faseaegasdfase.com/hp8/g1/rtst1083.exe
                        p23HEjyysu.exeGet hashmaliciousBrowse
                        • stylesheet.faseaegasdfase.com/hp8/g1/rtst1083.exe
                        NJUODEI1fC.exeGet hashmaliciousBrowse
                        • stylesheet.faseaegasdfase.com/hp8/g1/rtst1083.exe
                        M61ridRaIr.exeGet hashmaliciousBrowse
                        • stylesheet.faseaegasdfase.com/hp8/g1/rtst1083.exe
                        Ikd3EuXME8.exeGet hashmaliciousBrowse
                        • stylesheet.faseaegasdfase.com/hp8/g1/rtst1083.exe
                        No context
                        Match      | Associated Sample Name / URL                               | Detection | Context
                        ENZUINC-US | file.exe                                                   | malicious | 45.136.151.102
                                   | file.exe                                                   | malicious | 45.136.151.102
                                   | file.exe                                                   | malicious | 45.136.151.102
                                   | CBBsLdgEAZ.elf                                             | malicious | 23.245.1.238
                                   | file.exe                                                   | malicious | 85.209.157.230
                                   | file.exe                                                   | malicious | 85.209.157.230
                                   | file.exe                                                   | malicious | 85.209.157.230
                                   | file.exe                                                   | malicious | 85.209.157.230
                                   | file.exe                                                   | malicious | 85.209.157.230
                                   | file.exe                                                   | malicious | 85.209.157.230
                                   | file.exe                                                   | malicious | 45.136.151.102
                                   | file.exe                                                   | malicious | 45.136.151.102
                                   | SecuriteInfo.com.Suspicious.Win32.Save.a.22935.12419.exe   | malicious | 45.136.151.102
                                   | file.exe                                                   | malicious | 45.136.151.102
                                   | file.exe                                                   | malicious | 85.209.157.230
                                   | https://tamilblasters.casa/                                | malicious | 23.88.0.234
                                   | file.exe                                                   | malicious | 45.136.151.102
                                   | file.exe                                                   | malicious | 45.136.151.102
                                   | file.exe                                                   | malicious | 85.209.157.230
                                   | file.exe                                                   | malicious | 45.136.151.102
                        ITLDC-NLUA | file.exe                                                   | malicious | 185.237.206.60
                                   | file.exe                                                   | malicious | 185.237.206.60
                                   | file.exe                                                   | malicious | 185.237.206.60
                                   | file.exe                                                   | malicious | 185.237.206.60
                                   | file.exe                                                   | malicious | 185.237.206.60
                                   | file.exe                                                   | malicious | 185.237.206.60
                                   | file.exe                                                   | malicious | 185.237.206.60
                                   | file.exe                                                   | malicious | 185.237.206.60
                                   | file.exe                                                   | malicious | 185.237.206.60
                                   | file.exe                                                   | malicious | 185.237.206.60
                                   | file.exe                                                   | malicious | 185.237.206.60
                                   | file.exe                                                   | malicious | 185.237.206.60
                                   | file.exe                                                   | malicious | 185.237.206.60
                                   | file.exe                                                   | malicious | 185.237.206.60
                                   | file.exe                                                   | malicious | 185.237.206.60
                                   | file.exe                                                   | malicious | 185.237.206.60
                                   | file.exe                                                   | malicious | 185.237.206.60
                                   | file.exe                                                   | malicious | 185.237.206.60
                                   | file.exe                                                   | malicious | 185.237.206.60
                                   | file.exe                                                   | malicious | 185.237.206.60
                        No context
                        Match                                     | Associated Sample Name / URL | Detection
                        C:\Users\user\AppData\Local\Temp\87B9.exe | file.exe                     | malicious
                                                                  | file.exe                     | malicious
                        C:\Users\user\AppData\Local\Temp\4A99.exe | file.exe                     | malicious
                              Process:C:\Users\user\AppData\Local\Temp\87B9.exe
                              File Type:ASCII text, with very long lines, with no line terminators
                              Category:dropped
                              Size (bytes):500
                              Entropy (8bit):4.506396506853555
                              Encrypted:false
                              SSDEEP:12:YZIW67kt/QVFRbIm/QVAY9QVFRHQVFRRaZRQVFRQQVFRUm62jOH4:YrFQVFRbI0QVAY9QVFRHQVFRGRQVFRQ+
                              MD5:5A28E5DBBA508DE227FFA80021CAEC1C
                              SHA1:317C8045C34B60034850C1A0FF0BEF53F4BC4E09
                              SHA-256:E8457A2D4838AF8EFE1FA83FC689A55D25992A101616733CA26171AEA5B8D0AB
                              SHA-512:EA3283645E38EB004D49B3ADCECE8E7A7C8A00044CA536FB6170C469838A31D96ED204470E66EF48E6FE3C0DD48B1D09BE163415E063695D113EAAE1380C11F1
                              Malicious:false
                              Preview:{"ip":"102.129.143.57","country_code":"CH","country":"Switzerland","country_rus":"\u0428\u0432\u0435\u0439\u0446\u0430\u0440\u0438\u044f","country_ua":"\u0428\u0432\u0435\u0439\u0446\u0430\u0440\u0456\u044f","region":"Zurich","region_rus":"\u0426\u044e\u0440\u0438\u0445","region_ua":"\u0426\u044e\u0440\u0438\u0445","city":"Zurich","city_rus":"\u0426\u044e\u0440\u0438\u0445","city_ua":"\u0426\u044e\u0440\u0438\u0445","latitude":"47.36667","longitude":"8.55","zip_code":"8099","time_zone":"+02:00"}
                              Process:C:\Windows\explorer.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):634368
                              Entropy (8bit):7.488233708412827
                              Encrypted:false
                              SSDEEP:12288:UtQGowt81HWeMtebAESjb3bNrjY7wkJRKiHhr6G8nMURe+y:+nKHwt4NU2HhrV8MUy
                              MD5:0B0D2F57CAC71D113C2B65A16E252CF7
                              SHA1:547E251995AEBD577C51E8680B01F1302D2A202C
                              SHA-256:D24D27209363F5A42C1BA673B5E73EC6DB1620E6CC3430ADA0F630EB7C95E718
                              SHA-512:4662B6BF8511E63F10D6B121F0C7B1F27F747E25DFF32931D25EA564529E4678B35FBAB3F43E1DED178E536DA7659D3A3AD02C5CA17564F6C929D303A67DCB9B
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........IE...E...E...[.u.R...[.c....bE..B...E......[.d.x...[.t.D...[.q.D...RichE...........................PE..L....]n`......................G..............0....@...........................I.............................................d...P.....I.@Q..............................................................@............................................text............................... ..`.data....OF..0...D..................@....rsrc...@Q....I..R...\..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\explorer.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):305664
                              Entropy (8bit):6.490009058493718
                              Encrypted:false
                              SSDEEP:6144:+UfeUgusPhAWvTslMS/cj358WCJl04AuJJcDdSJy1z:reUIPqo4aS/cj35eJ64A2JSgwZ
                              MD5:AF25BD810507B72F444C8160F2042128
                              SHA1:4F78665E6BB2C828F7A373281A858265AFEF07CC
                              SHA-256:8A859913B508241B9C2843BD988A5DC64795EE59C553013663D9B9D5C58589D8
                              SHA-512:8FCE25BB9680C5F5F37D896FC056FF9A051BD698D39F01EAC183367B89DA31A17CE338E0C480B83BFA724789BEF23A158FB4C203D9FAC456BB42FC2BEE379893
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 32%
                              Joe Sandbox View:
                              • Filename: file.exe, Detection: malicious
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........IE...E...E...[.u.R...[.c....bE..B...E......[.d.x...[.t.D...[.q.D...RichE...........................PE..L....;G`......................B..............0................................D.............................................t...P.....D.@Q..............................................................@............................................text............................... ..`.data...(KA..0...@..................@....rsrc...@Q....D..R...X..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\explorer.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:modified
                              Size (bytes):4342824
                              Entropy (8bit):7.973827881148146
                              Encrypted:false
                              SSDEEP:98304:wj6B1pLc2N6462cb9OlDJHXl5QjJZvlLGXkFl6:wj6B1pLcU6F2kOlKTtLK2Y
                              MD5:3191DB3E8A8BD2AA891786059AC8636B
                              SHA1:560D1DD65F8A4E8E558846002E939B66153C8819
                              SHA-256:A0DA88CED95EE51493D34218890B7E950B1842CED8A1A8F7D464AA5F2397C8F1
                              SHA-512:20984D87B49B1DA21A2D86A6B8A58FB84EDC3F94F8DCDB1DE0F3EB2669C6CF5200039E0040198EC0E2FF59B2F6CE3F6AA86EED92C7392EB04CB9B8D51DA1CE25
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........IE...E...E...[.u.R...[.c....bE..B...E......[.d.x...[.t.D...[.q.D...RichE...........................PE..L.../..a.....................................0....@...................................B.....................................t...P.......@Q...........<B.(...............................................@............................................text............................... ..`.data.....~..0....>.................@....rsrc...@........R....A.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\explorer.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):1597440
                              Entropy (8bit):7.06170844167196
                              Encrypted:false
                              SSDEEP:24576:xJ/kttVCipK1QNyLNhJP4asXuomkJqe+gdVRxTmRG0:T/ktOn1CyLN21JdDT
                              MD5:343FF03A8AD7E42A3818D0031B854EA6
                              SHA1:D85B34C560AEAD9B7E1E74BA24D0C42E6506EFA6
                              SHA-256:2756A9CBC8EBC2B00CB513EEF1A3D898003644452351FD47FC929959741B6C51
                              SHA-512:86B0C76A7B70E97F1E7AC7BE107633328FFD382E6B31DA0E6AE8DFB4F2A0A9B8C5293C522CDEC5C3564BB600B75FB8D6526CE3B347C47C7CF1F726009E11F674
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........).KIH..IH..IH../.#.(H..'....H...."..I..D.3.oH..'....H.......I..n.!.@H...!.*I......gI..W.k..H..413.GI..IH...H..@0|..I..l?..bI......eH..W.z..H.......I..&>r..I..l?1..I..J0..sH..n. ..I..&>u.\H..J03..H..R.D..I..RichIH..............................................................PE..L...z..c...........!................#.............@..........................`.............@....................................................................Lm...................................................................................text...@........................... ..`.rdata.............................@..@.data...C........ ..................@....idata..............................@....rsrc..................................@.reloc..............................@..B............................................................................................................
                              Process:C:\Windows\explorer.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):828928
                              Entropy (8bit):7.686085587439098
                              Encrypted:false
                              SSDEEP:24576:z3EpsCnU+h+6gVij9dfL3EiFoCKpY3LHyYCoIuxN7lEGAzzs:z3EpsU+6gVij9dfL3EiFoCKpY3LHf/xY
                              MD5:E990ACDB640F13969C55C38E857AB4AB
                              SHA1:84F63D8051BE02F40B6EEC7604C7EB3992527D9A
                              SHA-256:2FC9C8FFBA226D56755019591DE180CF29000B797350C7291AA8DC447A9A1BBB
                              SHA-512:E10B6B0F73783C5FD44085C5F7B49D780CB49EE0E10B242AAEB97369E2E9C2F0AFCE9159BDFD65A596C5072CD57FF1A6F58E4F4D882191C2A9F5286411232E49
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: Metadefender, Detection: 59%
                              • Antivirus: ReversingLabs, Detection: 81%
                              Joe Sandbox View:
                              • Filename: file.exe, Detection: malicious
                              • Filename: file.exe, Detection: malicious
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q.I..............u.......c.....2E................d.(.....t.......q.....Rich............PE..L......a......................J.....@........0....@...........................L......V..........................................P.....L..4..........................................................x...@............................................text...Z........................... ..`.data...HdI..0...X..................@....rsrc....4....L..6...p..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\explorer.exe
                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):3923456
                              Entropy (8bit):7.824160991100444
                              Encrypted:false
                              SSDEEP:98304:Ihq+oEPXzLUV3HDX3vxp+Btu6VXeiFHPzvgcB8LsTR:iVoyXzLC3vuDu6RXhP2
                              MD5:2679869D7C3C730553BDB94848DDEEA5
                              SHA1:EE8DA34EC12A1F27E32BCEE4365B0B34462A22F6
                              SHA-256:D982560420D121513BBA42F5D0C6007B874D84AB754E3736D1CD0F2251E90B5D
                              SHA-512:C9191F09AB26624F484EBEE05CB880EA6DB50FEFC8A152F6CFD5BED53E17604AFF243F008366E2EE9B4A76927D1F92F484724B06ECE22AD6F5044C45932338EB
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 58%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...`..c..........#..................+M........@.............................`i........... ................................................. .O......Pi.......h. ............................................=S.0.....h.8............p7..............................text.............................. ..`.rdata...U..........................@..@.data........0......................@....pdata.............................@..@_RDATA.......`......................@..@.vmp0...#....p......................`..`.vmp1.....;..p-...;.................`..h.rsrc........Pi.......;.............@..@................................................................................................................................................................................................................................................................................................
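The preview above lists `.vmp0` and `.vmp1` sections after the usual `.text`, `.rdata`, `.data` and `.pdata` layout, and the entry carries an 8-bit entropy of 7.82 for a 3.9 MB image. Those are the two static tells an analyst checks first when triaging a protected binary: section names left by the protector, and sections whose bytes are close to random. The Python below is an added example written for this page, not Joe Sandbox code and not the dropped file itself (which is not reproduced here). It parses a PE section table directly with `struct`, computes per-section Shannon entropy the way the report's "Entropy (8bit)" field does for the whole file, and flags VMProtect-style section names, near-random sections and sections mapped writable and executable at the same time. The image it runs on is constructed inline by a minimal PE32+ builder; the `.vmp` name prefix is taken from the section names in the preview, and the 7.2 entropy cut-off is an assumed threshold, not a value from the report.

```python
import math
import random
import struct
from collections import Counter

SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
COFF_HEADER = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the measure the report calls 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table; return one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, pe, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size  # the section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_HEADER, pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]  # empty if the header points outside the file
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(flags & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def packer_indicators(pe: bytes, high_entropy: float = 7.2) -> dict:
    """Cheap static triage. The 7.2 cut-off is an assumed threshold, not a value from the report."""
    sections = parse_sections(pe)
    return {
        # ".vmp" prefix: the names seen in the dropped file's preview are .vmp0 and .vmp1
        "vmprotect_sections": [s["name"] for s in sections if s["name"].startswith(".vmp")],
        "high_entropy_sections": [s["name"] for s in sections
                                  if s["raw_size"] and s["entropy"] >= high_entropy],
        "writable_executable": [s["name"] for s in sections if s["writable"] and s["executable"]],
    }


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_sample_pe(sections: list) -> bytes:
    """Constructed test input: a minimal PE32+ image from (name, raw bytes, characteristics) tuples."""
    e_lfanew = 0x80
    opt_size = 0xF0  # size of a PE32+ optional header
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack(COFF_HEADER, 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    optional = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")  # magic 0x20B = PE32+
    headers_end = _align(e_lfanew + 4 + 20 + opt_size + 40 * len(sections), 0x200)
    raw_ptr, va, table, body = headers_end, 0x1000, b"", b""
    for name, data, flags in sections:
        raw_size = _align(len(data), 0x200)
        table += struct.pack(SECTION_HEADER, name.encode().ljust(8, b"\0"), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, flags)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += _align(max(len(data), 1), 0x1000)
    return (dos + b"PE\0\0" + coff + optional + table).ljust(headers_end, b"\0") + body


_rng = random.Random(694011)  # seeded so the constructed sample is reproducible
SAMPLE_PE = build_sample_pe([
    (".text", bytes(range(64)) * 64, 0x60000020),    # code: read + execute, entropy 6.0
    (".data", bytes(range(16)) * 256, 0xC0000040),   # data: read + write, entropy 4.0
    (".vmp0", b"\0" * 512, 0x60000020),              # protector stub name, near-empty body
    (".vmp1", bytes(_rng.getrandbits(8) for _ in range(4096)), 0xE0000060),  # packed: random-looking, R+W+X
])

if __name__ == "__main__":
    for s in parse_sections(SAMPLE_PE):
        print(f"{s['name']:<8} raw={s['raw_size']:<6} entropy={s['entropy']:.2f} "
              f"{'W' if s['writable'] else '-'}{'X' if s['executable'] else '-'}")
    print(packer_indicators(SAMPLE_PE))
```

Against a real dropped file the call is `packer_indicators(open(path, "rb").read())`. The per-section breakdown matters more than the single whole-file figure the report prints, because a packed payload confined to one section can sit behind low-entropy headers, relocations and resources and pull the overall number down.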
                              Process:C:\Windows\explorer.exe
                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):188416
                              Entropy (8bit):6.933168679739018
                              Encrypted:false
                              SSDEEP:3072:DBu/booFZs+4oOYcmtbRkF/pstBaDqwONnct43EpstBaDqwONnct43rBl3N2UR:DBu/boGUoOciF/p/uwONct43Ep/uwON/
                              MD5:AE9E2CE4CF9B092A5BBFD1D5A609166E
                              SHA1:00C12EC16B5116403AE1A9923B114451880B741D
                              SHA-256:CA5795709AF3BC2E03EC02C7307D5C85A844C421E36AFE30EB0F571E79342E87
                              SHA-512:54727C7931293B6498E20B602DA13FF48498F2F52ABDE5CB79A412C128CDA203DB11F616F22D70F37CAD51D8642F5DDC8E3E761A2300545DA8A0F379612F15DA
                              Malicious:true
                              Antivirus:
                              • Antivirus: Metadefender, Detection: 54%
                              • Antivirus: ReversingLabs, Detection: 77%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'d..F...F...F..=IU..F...w..F...d..F...g..F..=IW..F...F...F...x..F...r..F..Rich.F..........PE..L...q..c..........................................@.........................................................................L...d....P..(...............................................................@............................................text............................... ..`.rdata..,+.......0..................@..@.data...D4....... ..................@....rsrc........P.......0..............@..@................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\explorer.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):305152
                              Entropy (8bit):6.478886954913614
                              Encrypted:false
                              SSDEEP:6144:B5ZndmaltrW7h0HRhnWbgg3GsMRfYII57QwzBx:ZnflBYixhnWbgg3IRfo7QwT
                              MD5:1A86A0186CC8ABD0BE2907E9ED681756
                              SHA1:4CA3CEFD0216A01D5C960DEEBD953E91A32F093D
                              SHA-256:6B3493D3F489D5717E9DC889D17C0BC08FB4C117AD6A4E060D9D9A28D35A7A62
                              SHA-512:C64D2B6632B47C39FE3F62F093AC9E1DEAD54D2736E89EC2434BB1FBEE85A67324B48E1601504112E13A5AC961DAF07A076ABC65E7862CE4822B7136CE9C46A0
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........IE...E...E...[.u.R...[.c....bE..B...E......[.d.x...[.t.D...[.q.D...RichE...........................PE..L......a......................B..............0....@...........................D......y......................................d...P.....D.@Q..............................................................@............................................text............................... ..`.data....HA..0...>..................@....rsrc...@Q....D..R...V..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\explorer.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):4342824
                              Entropy (8bit):7.973827881148146
                              Encrypted:false
                              SSDEEP:98304:wj6B1pLc2N6462cb9OlDJHXl5QjJZvlLGXkFl6:wj6B1pLcU6F2kOlKTtLK2Y
                              MD5:3191DB3E8A8BD2AA891786059AC8636B
                              SHA1:560D1DD65F8A4E8E558846002E939B66153C8819
                              SHA-256:A0DA88CED95EE51493D34218890B7E950B1842CED8A1A8F7D464AA5F2397C8F1
                              SHA-512:20984D87B49B1DA21A2D86A6B8A58FB84EDC3F94F8DCDB1DE0F3EB2669C6CF5200039E0040198EC0E2FF59B2F6CE3F6AA86EED92C7392EB04CB9B8D51DA1CE25
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........IE...E...E...[.u.R...[.c....bE..B...E......[.d.x...[.t.D...[.q.D...RichE...........................PE..L.../..a.....................................0....@...................................B.....................................t...P.......@Q...........<B.(...............................................@............................................text............................... ..`.data.....~..0....>.................@....rsrc...@........R....A.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\C05F.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):571228
                              Entropy (8bit):7.964552033972383
                              Encrypted:false
                              SSDEEP:12288:+V1e0UgkVT6ZT+3JCnoxgLQImxuCXwbePLJrH8fwpY4SG:+V1edgkV8T0Cnox5f4ePLJTMwpYA
                              MD5:2A03E19D5AF7606E8E9A5C86A5A78880
                              SHA1:93945D1E473713D83316AAA9A297A417FB302DB7
                              SHA-256:15DEA69E1EF7F927CDF56B7B6A31189B825B0CEF06EECA4811006E7BF9D02C9A
                              SHA-512:F263945AF96CB0040D521832038862BFA05F4C9EFD0EDA0AE511DC1AB0CED179E0E64A3054DE42BDC159DB2520FF45F2B56AC08A7AC59BD01B74BBDF4B013F93
                              Malicious:false
                              Preview:O,..Hh.j...?...O}3..8v,)cml.T/.....V.r.....n.?y..oz#V......N.{.....!....Y."..)v.T.........Ub.V..*.)..8..,.%.{4.yWrA.a36&..,...V...l9.y....39.y...wW.j.ox.....I..;..%..p.b..>..j.....j..awT..r...j....o./.7...,=uk..i../h..j*j.P.j..?.-X.k..R}.j.5.b-F.k..c........j...j..Q?...).qe......,o'k.....j.J..))O.......k..\.....u,..k...,..k....k...tOT.X.jXe-.k..7.k...83U.......%..o.....Y%.....7.F.(j...KP..I..j..y...o..no......z......u/..DJP.e+.Dj..Z....k.......j$T.X.j[..`....o....k{..2|6...H.....c%..........z......~^..j.-s.....o.-........6.L.`.j.-s.....i|..y.Q'....k...}FT.X.jY..Y....o......y..=|6..%..z/........s....>.j.-s.k../.:..........>|/...h...2/..R..-......k....9.y.....j.6Z.j.o....l&..%.UD..`....&..t>".6g..j,..../W=..5...n.......X..h>.k..'...|/h..jfDX.S...`&*...Y....)U]bc[......'(..l..+....b.i....[...If!S...r......i.....Q^..*.....aeddT.`.'....*.[.h....e...?>....n....5......-..j..T..ow......k....-...k16.+i(~..L....j,...c.L./w=j...~./
                              Process:C:\Users\user\AppData\Local\Temp\C05F.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):61440
                              Entropy (8bit):5.463972317214072
                              Encrypted:false
                              SSDEEP:768:WDKKrolwgA7W2cz1Pii4A1yZHtVtQg0eBU:KKPi2Fii4TrtQg0e
                              MD5:4D11BD6F3172584B3FDA0E9EFCAF0DDB
                              SHA1:0581C7F087F6538A1B6D4F05D928C1DF24236944
                              SHA-256:73314490C80E5EB09F586E12C1F035C44F11AEAA41D2F4B08ACA476132578930
                              SHA-512:6A023496E7EE03C2FF8E3BA445C7D7D5BFE6A1E1E1BAE5C17DCF41E78EDE84A166966579BF8CC7BE7450D2516F869713907775E863670B10EB60C092492D2D04
                              Malicious:false
                              Process:C:\Windows\explorer.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):305152
                              Entropy (8bit):6.478886954913614
                              Encrypted:false
                              SSDEEP:6144:B5ZndmaltrW7h0HRhnWbgg3GsMRfYII57QwzBx:ZnflBYixhnWbgg3IRfo7QwT
                              MD5:1A86A0186CC8ABD0BE2907E9ED681756
                              SHA1:4CA3CEFD0216A01D5C960DEEBD953E91A32F093D
                              SHA-256:6B3493D3F489D5717E9DC889D17C0BC08FB4C117AD6A4E060D9D9A28D35A7A62
                              SHA-512:C64D2B6632B47C39FE3F62F093AC9E1DEAD54D2736E89EC2434BB1FBEE85A67324B48E1601504112E13A5AC961DAF07A076ABC65E7862CE4822B7136CE9C46A0
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Process:C:\Windows\explorer.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):305152
                              Entropy (8bit):6.483208092265872
                              Encrypted:false
                              SSDEEP:6144:45ENjjrw08WQ80GY9zq8IkE1ZgSaV9EzRs5dv:bN7wtjrT9zq8IkEwSazam51
                              MD5:1611DB9A8C67F61CE0760633EDD43C48
                              SHA1:D2BA3EFE05C12CFE47B84241E00FAE494B2A1E0D
                              SHA-256:9808D6A6B9AE7BAEF6715E6440988055682A88D1B5B1096148ACDDDC371ECFD2
                              SHA-512:EE3C91EC327A9D4CE80FACD6C44EE590A30953C194ACDDED35350E2176233E28A0B9A15A7C5D6866048AB5909C55EF912AE7015C270B83A6731CE55D17EB1873
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Process:C:\Windows\explorer.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Preview:[ZoneTransfer]....ZoneId=0
                              Process:C:\Windows\explorer.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):248375
                              Entropy (8bit):7.99938074693999
                              Encrypted:true
                              SSDEEP:6144:YdMpwBsE++doOge0+m+jERKXOhZRJM4WSlofRFD+y5jRkvJLpow:YdMGBsYmOW1+gJbRJg7Sy5j2xuw
                              MD5:C17ED231E6F77F5D1AFAF1E0AAF42E45
                              SHA1:947847555ECD87F0182E51E7D2ECCE4192D5F180
                              SHA-256:C34BAAA2A58C7FD745EED09DDB6F72F45F026A7A077004E45CFAAB0BADFFC21A
                              SHA-512:CB543B859E6ECF8524C814C144FB939542C3C8FD80FCDD1B0770C0A83E0C52A38F7790BC01D5CCB165F760B6C2CBBF28D32461B1B82F80C1FDB28EF806F03310
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\ACE4.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2
                              Entropy (8bit):1.0
                              Encrypted:false
                              SSDEEP:3:y:y
                              MD5:81051BCC2CF1BEDF378224B0A93E2877
                              SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                              SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                              SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                              Malicious:false
                              Preview:..
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):6.483208092265872
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:file.exe
                              File size:305152
                              MD5:1611db9a8c67f61ce0760633edd43c48
                              SHA1:d2ba3efe05c12cfe47b84241e00fae494b2a1e0d
                              SHA256:9808d6a6b9ae7baef6715e6440988055682a88d1b5b1096148acdddc371ecfd2
                              SHA512:ee3c91ec327a9d4ce80facd6c44ee590a30953c194acdded35350e2176233e28a0b9a15a7c5d6866048ab5909c55ef912ae7015c270b83a6731ce55d17eb1873
                              SSDEEP:6144:45ENjjrw08WQ80GY9zq8IkE1ZgSaV9EzRs5dv:bN7wtjrT9zq8IkEwSazam51
                              TLSH:08547C00BB50D435E0B716F8467A83ACB53E7EE1A72450CB62D52AEE67346E1EC3174B
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........IE...E...E...[.u.R...[.c.....bE..B...E.......[.d.x...[.t.D...[.q.D...RichE...........................PE..L....w.a...........
                              Icon Hash:c8d0d8e0f0e0f0e8
                              Entrypoint:0x40ae90
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                              Time Stamp:0x61837702 [Thu Nov 4 06:00:34 2021 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:0
                              File Version Major:5
                              File Version Minor:0
                              Subsystem Version Major:5
                              Subsystem Version Minor:0
                              Import Hash:4e4ac8ce1e119b957e1ec71265bc4120
                              Instruction
                              mov edi, edi
                              push ebp
                              mov ebp, esp
                              call 00007FF66CB4E4DBh
                              call 00007FF66CB40EC6h
                              pop ebp
                              ret
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              mov edi, edi
                              push ebp
                              mov ebp, esp
                              push FFFFFFFEh
                              push 00430CF0h
                              push 0040E3E0h
                              mov eax, dword ptr fs:[00000000h]
                              push eax
                              add esp, FFFFFF94h
                              push ebx
                              push esi
                              push edi
                              mov eax, dword ptr [00445A94h]
                              xor dword ptr [ebp-08h], eax
                              xor eax, ebp
                              push eax
                              lea eax, dword ptr [ebp-10h]
                              mov dword ptr fs:[00000000h], eax
                              mov dword ptr [ebp-18h], esp
                              mov dword ptr [ebp-70h], 00000000h
                              mov dword ptr [ebp-04h], 00000000h
                              lea eax, dword ptr [ebp-60h]
                              push eax
                              call dword ptr [004011A0h]
                              mov dword ptr [ebp-04h], FFFFFFFEh
                              jmp 00007FF66CB40ED8h
                              mov eax, 00000001h
                              ret
                              mov esp, dword ptr [ebp-18h]
                              mov dword ptr [ebp-78h], 000000FFh
                              mov dword ptr [ebp-04h], FFFFFFFEh
                              mov eax, dword ptr [ebp-78h]
                              jmp 00007FF66CB41008h
                              mov dword ptr [ebp-04h], FFFFFFFEh
                              call 00007FF66CB41044h
                              mov dword ptr [ebp-6Ch], eax
                              push 00000001h
                              call 00007FF66CB4F58Ah
                              add esp, 04h
                              test eax, eax
                              jne 00007FF66CB40EBCh
                              push 0000001Ch
                              call 00007FF66CB40FFCh
                              add esp, 04h
                              call 00007FF66CB48484h
                              test eax, eax
                              jne 00007FF66CB40EBCh
                              push 00000010h
                              Programming Language:
                              • [ASM] VS2008 build 21022
                              • [ C ] VS2008 build 21022
                              • [IMP] VS2005 build 50727
                              • [C++] VS2008 build 21022
                              • [RES] VS2008 build 21022
                              • [LNK] VS2008 build 21022
                              Name | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x31464 | 0x50 | .text
                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x448000 | 0x5140 | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x12f0 | 0x1c | .text
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x8f88 | 0x40 | .text
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x2a0 | .text
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                              .text | 0x1000 | 0x313c6 | 0x31400 | False | 0.41850412436548223 | data | 6.1342347567019395 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .data | 0x33000 | 0x414a28 | 0x13e00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .rsrc | 0x448000 | 0x5140 | 0x5200 | False | 0.4879954268292683 | data | 4.8397497268874865 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              Name | RVA | Size | Type | Language | Country
                              AFX_DIALOG_LAYOUT | 0x44b0f0 | 0x2 | data | |
                              AFX_DIALOG_LAYOUT | 0x44b0e8 | 0x2 | data | |
                              AFX_DIALOG_LAYOUT | 0x44b0f8 | 0x2 | data | |
                              AFX_DIALOG_LAYOUT | 0x44b100 | 0x2 | data | |
                              AFX_DIALOG_LAYOUT | 0x44b108 | 0x2 | data | |
                              RT_CURSOR | 0x44b110 | 0x130 | data | |
                              RT_CURSOR | 0x44b240 | 0xf0 | data | |
                              RT_CURSOR | 0x44b330 | 0x10a8 | dBase III DBT, version number 0, next free block index 40 | |
                              RT_CURSOR | 0x44c408 | 0x8a8 | dBase III DBT, version number 0, next free block index 40, 1st item "\251\317" | |
                              RT_ICON | 0x448520 | 0x6c8 | data | Korean | North Korea
                              RT_ICON | 0x448520 | 0x6c8 | data | Korean | South Korea
                              RT_ICON | 0x448be8 | 0x568 | GLS_BINARY_LSB_FIRST | Korean | North Korea
                              RT_ICON | 0x448be8 | 0x568 | GLS_BINARY_LSB_FIRST | Korean | South Korea
                              RT_ICON | 0x449150 | 0x10a8 | data | Korean | North Korea
                              RT_ICON | 0x449150 | 0x10a8 | data | Korean | South Korea
                              RT_ICON | 0x44a1f8 | 0x988 | dBase III DBT, version number 0, next free block index 40 | Korean | North Korea
                              RT_ICON | 0x44a1f8 | 0x988 | dBase III DBT, version number 0, next free block index 40 | Korean | South Korea
                              RT_ICON | 0x44ab80 | 0x468 | GLS_BINARY_LSB_FIRST | Korean | North Korea
                              RT_ICON | 0x44ab80 | 0x468 | GLS_BINARY_LSB_FIRST | Korean | South Korea
                              RT_STRING | 0x44ce08 | 0x156 | data | Korean | North Korea
                              RT_STRING | 0x44ce08 | 0x156 | data | Korean | South Korea
                              RT_STRING | 0x44cf60 | 0x1e0 | data | Korean | North Korea
                              RT_STRING | 0x44cf60 | 0x1e0 | data | Korean | South Korea
                              RT_ACCELERATOR | 0x44b098 | 0x50 | data | Korean | North Korea
                              RT_ACCELERATOR | 0x44b098 | 0x50 | data | Korean | South Korea
                              RT_ACCELERATOR | 0x44b038 | 0x60 | data | Korean | North Korea
                              RT_ACCELERATOR | 0x44b038 | 0x60 | data | Korean | South Korea
                              RT_GROUP_CURSOR | 0x44c3d8 | 0x30 | data | |
                              RT_GROUP_CURSOR | 0x44ccb0 | 0x14 | data | |
                              RT_GROUP_ICON | 0x44afe8 | 0x4c | data | Korean | North Korea
                              RT_GROUP_ICON | 0x44afe8 | 0x4c | data | Korean | South Korea
                              RT_VERSION | 0x44ccc8 | 0x140 | MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79 | |
                              DLL | Import
                              KERNEL32.dll | QueryDosDeviceA, LocalFree, SetProcessPriorityBoost, VirtualQuery, GlobalGetAtomNameW, FindResourceA, GetComputerNameExW, GetModuleHandleA, GetTempPathA, BuildCommDCBAndTimeoutsW, GetProcAddress, VirtualProtect, OpenJobObjectW, _lwrite, UnlockFile, GetPrivateProfileStructA, GetDiskFreeSpaceExW, DefineDosDeviceA, SetVolumeMountPointW, GetAtomNameA, FlushConsoleInputBuffer, EnumResourceLanguagesA, GetCPInfoExW, GetThreadContext, lstrlenW, GetProcessAffinityMask, SetConsoleWindowInfo, CreateJobSet, CopyFileW, lstrcpynA, WriteConsoleA, GetCommandLineA, GetLastError, GetCommandLineW, InterlockedIncrement, CreateJobObjectW, InitializeCriticalSection, GetConsoleFontSize, FindNextVolumeA, GlobalFlags, SetConsoleCursorInfo, LoadLibraryW, VerifyVersionInfoA, WriteProfileSectionW, AddAtomW, InterlockedDecrement, LoadLibraryA, FoldStringA, GetDefaultCommConfigW, GetConsoleAliasesLengthA, lstrcpyA, TerminateThread, HeapFree, SetCriticalSectionSpinCount, GetComputerNameA, EnumSystemLocalesW, DisableThreadLibraryCalls, OpenMutexA, LocalFileTimeToFileTime, SearchPathA, SetProcessShutdownParameters, CreateMutexA, FormatMessageA, InterlockedCompareExchange, EnumDateFormatsW, GetConsoleScreenBufferInfo, LocalAlloc, SetFileShortNameA, EnumCalendarInfoExW, GetFileAttributesA, GetSystemWindowsDirectoryA, GetAtomNameW, ReadConsoleInputA, EnumDateFormatsA, _hwrite, GetConsoleAliasA, GetQueuedCompletionStatus, lstrcatW, GetDefaultCommConfigA, GetFullPathNameW, DebugBreakProcess, AddAtomA, SetCurrentDirectoryW, SetCalendarInfoW, FindNextFileA, GetProfileSectionW, SetHandleCount, MoveFileWithProgressW, ReadConsoleOutputCharacterW, CopyFileExW, GetConsoleAliasesLengthW, WideCharToMultiByte, UnhandledExceptionFilter, SetUnhandledExceptionFilter, MoveFileA, DeleteFileA, RaiseException, GetStartupInfoA, HeapValidate, IsBadReadPtr, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, TlsGetValue, GetModuleHandleW, TlsAlloc, TlsSetValue, GetCurrentThreadId, TlsFree, SetLastError, Sleep, ExitProcess, GetModuleFileNameA, WriteFile, GetStdHandle, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetFileType, HeapDestroy, HeapCreate, VirtualFree, HeapAlloc, HeapSize, HeapReAlloc, VirtualAlloc, RtlUnwind, InitializeCriticalSectionAndSpinCount, DebugBreak, OutputDebugStringA, WriteConsoleW, OutputDebugStringW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, GetConsoleCP, GetConsoleMode, ReadFile, SetFilePointer, CloseHandle, SetStdHandle, GetConsoleOutputCP, CreateFileA
                              GDI32.dll | GetCharWidth32A, GetBoundsRect, SelectObject, GetCharWidthW
                              ADVAPI32.dll | RevertToSelf
                              Language of compilation system | Country where language is spoken | Map
                              Korean | North Korea |
                              Korean | South Korea |
                              No network behavior found

                              Target ID:0
                              Start time:12:53:51
                              Start date:31/08/2022
                              Path:C:\Users\user\Desktop\file.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\file.exe"
                              Imagebase:0x400000
                              File size:305152 bytes
                              MD5 hash:1611DB9A8C67F61CE0760633EDD43C48
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.387378506.0000000000C29000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.387173781.00000000009E1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.387173781.00000000009E1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.387108841.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.387108841.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.387065611.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                              Reputation:low

                              Target ID:1
                              Start time:12:53:58
                              Start date:31/08/2022
                              Path:C:\Windows\explorer.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\Explorer.EXE
                              Imagebase:0x7ff618f60000
                              File size:3933184 bytes
                              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000000.367270038.0000000004611000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000000.367270038.0000000004611000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
                              Reputation:high

                              Target ID:7
                              Start time:12:54:45
                              Start date:31/08/2022
                              Path:C:\Users\user\AppData\Roaming\erhuush
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\AppData\Roaming\erhuush
                              Imagebase:0x400000
                              File size:305152 bytes
                              MD5 hash:1611DB9A8C67F61CE0760633EDD43C48
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.441430475.0000000002491000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000007.00000002.441430475.0000000002491000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.441371767.0000000002470000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000007.00000002.441371767.0000000002470000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000007.00000002.440994734.00000000009C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000007.00000002.441147746.00000000009E8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                              Antivirus matches:
                              • Detection: 100%, Joe Sandbox ML
                              Reputation:low

                              Target ID:11
                              Start time:12:54:56
                              Start date:31/08/2022
                              Path:C:\Windows\System32\svchost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                              Imagebase:0x7ff61e220000
                              File size:51288 bytes
                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:12
                              Start time:12:55:07
                              Start date:31/08/2022
                              Path:C:\Windows\System32\regsvr32.exe
                              Wow64 process (32bit):false
                              Commandline:regsvr32 /s C:\Users\user\AppData\Local\Temp\70E4.dll
                              Imagebase:0x7ff6f0980000
                              File size:24064 bytes
                              MD5 hash:D78B75FC68247E8A63ACBA846182740E
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:13
                              Start time:12:55:08
                              Start date:31/08/2022
                              Path:C:\Windows\SysWOW64\regsvr32.exe
                              Wow64 process (32bit):true
                              Commandline: /s C:\Users\user\AppData\Local\Temp\70E4.dll
                              Imagebase:0xbf0000
                              File size:20992 bytes
                              MD5 hash:426E7499F6A7346F0410DEAD0805586B
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:14
                              Start time:12:55:13
                              Start date:31/08/2022
                              Path:C:\Users\user\AppData\Local\Temp\87B9.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\AppData\Local\Temp\87B9.exe
                              Imagebase:0x400000
                              File size:828928 bytes
                              MD5 hash:E990ACDB640F13969C55C38E857AB4AB
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000E.00000002.494725828.0000000002545000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
                              Antivirus matches:
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 59%, Metadefender, Browse
                              • Detection: 81%, ReversingLabs
                              Reputation:low

                              Target ID:15
                              Start time:12:55:16
                              Start date:31/08/2022
                              Path:C:\Users\user\AppData\Local\Temp\87B9.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\AppData\Local\Temp\87B9.exe
                              Imagebase:0x400000
                              File size:828928 bytes
                              MD5 hash:E990ACDB640F13969C55C38E857AB4AB
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000F.00000000.485672401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000F.00000000.490507253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000F.00000000.490507253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000F.00000000.490507253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000F.00000000.490507253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000F.00000002.503363757.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000F.00000002.503363757.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000F.00000002.503363757.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000F.00000002.503363757.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000F.00000000.490001086.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000F.00000000.490001086.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000F.00000000.490001086.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000F.00000000.490001086.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000F.00000000.492226078.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000F.00000000.492226078.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000F.00000000.492226078.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000F.00000000.492226078.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000F.00000000.491102942.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000F.00000000.491102942.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000F.00000000.491102942.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000F.00000000.491102942.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 0000000F.00000000.488104570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 0000000F.00000000.488104570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: 0000000F.00000000.488104570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 0000000F.00000000.488104570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              Reputation:low

                              Target ID:16
                              Start time:12:55:17
                              Start date:31/08/2022
                              Path:C:\Windows\System32\svchost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                              Imagebase:0x7ff61e220000
                              File size:51288 bytes
                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:17
                              Start time:12:55:19
                              Start date:31/08/2022
                              Path:C:\Users\user\AppData\Local\Temp\A024.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Users\user\AppData\Local\Temp\A024.exe
                              Imagebase:0x140000000
                              File size:3923456 bytes
                              MD5 hash:2679869D7C3C730553BDB94848DDEEA5
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 100%, Avira
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 58%, ReversingLabs
                              Reputation:low

                              Target ID:18
                              Start time:12:55:27
                              Start date:31/08/2022
                              Path:C:\Users\user\AppData\Local\Temp\C05F.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\AppData\Local\Temp\C05F.exe
                              Imagebase:0x400000
                              File size:188416 bytes
                              MD5 hash:AE9E2CE4CF9B092A5BBFD1D5A609166E
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 54%, Metadefender, Browse
                              • Detection: 77%, ReversingLabs

                              Target ID:19
                              Start time:12:55:28
                              Start date:31/08/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c72c0000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language

                              Target ID:24
                              Start time:12:55:33
                              Start date:31/08/2022
                              Path:C:\Users\user\AppData\Local\Temp\C05F.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\C05F.exe" -h
                              Imagebase:0x400000
                              File size:188416 bytes
                              MD5 hash:AE9E2CE4CF9B092A5BBFD1D5A609166E
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:25
                              Start time:12:55:33
                              Start date:31/08/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c72c0000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:26
                              Start time:12:55:34
                              Start date:31/08/2022
                              Path:C:\Users\user\AppData\Local\Temp\D86C.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\AppData\Local\Temp\D86C.exe
                              Imagebase:0x400000
                              File size:305152 bytes
                              MD5 hash:1A86A0186CC8ABD0BE2907E9ED681756
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000001A.00000003.526622172.0000000000B10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000001A.00000002.544780175.0000000000B10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000001A.00000002.544780175.0000000000B10000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000001A.00000002.544740114.0000000000B00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001A.00000002.545414239.0000000000B89000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000001A.00000002.545012487.0000000000B31000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000001A.00000002.545012487.0000000000B31000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                              Antivirus matches:
                              • Detection: 100%, Joe Sandbox ML

                              Target ID:27
                              Start time:12:55:38
                              Start date:31/08/2022
                              Path:C:\Users\user\AppData\Local\Temp\E9D3.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\AppData\Local\Temp\E9D3.exe
                              Imagebase:0x7ff756d70000
                              File size:4342824 bytes
                              MD5 hash:3191DB3E8A8BD2AA891786059AC8636B
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001B.00000002.739912367.0000000002BF5000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: 0000001B.00000003.552567063.0000000003860000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000001B.00000002.865037113.0000000002FE0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                              Antivirus matches:
                              • Detection: 100%, Joe Sandbox ML

                              Target ID:29
                              Start time:12:55:44
                              Start date:31/08/2022
                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                              Imagebase:0x7ff6ac650000
                              File size:488448 bytes
                              MD5 hash:A782A4ED336750D10B3CAF776AFE8E70
                              Has elevated privileges:true
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language

                              Target ID:30
                              Start time:12:55:45
                              Start date:31/08/2022
                              Path:C:\Windows\System32\rundll32.exe
                              Wow64 process (32bit):false
                              Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open
                              Imagebase:0x7ff70d330000
                              File size:69632 bytes
                              MD5 hash:73C519F050C20580F8A62C849D49215A
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:31
                              Start time:12:55:45
                              Start date:31/08/2022
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe "C:\Users\user\AppData\Local\Temp\db.dll",open
                              Imagebase:0x1310000
                              File size:61952 bytes
                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001F.00000002.652754688.0000000004D44000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001F.00000002.652754688.0000000004D44000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001F.00000002.652754688.0000000004D44000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                              • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000001F.00000002.643002638.0000000001130000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000001F.00000002.643002638.0000000001130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_Fabookie, Description: Detects Fabookie / ElysiumStealer, Source: 0000001F.00000002.643002638.0000000001130000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000001F.00000002.643002638.0000000001130000.00000004.00001000.00020000.00000000.sdmp, Author: unknown

                              Target ID:33
                              Start time:12:55:50
                              Start date:31/08/2022
                              Path:C:\Users\user\AppData\Local\Temp\ACE4.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\AppData\Local\Temp\ACE4.exe
                              Imagebase:0x400000
                              File size:188416 bytes
                              MD5 hash:AE9E2CE4CF9B092A5BBFD1D5A609166E
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 54%, Metadefender, Browse
                              • Detection: 77%, ReversingLabs

                              Target ID:35
                              Start time:12:55:52
                              Start date:31/08/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c72c0000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language

                              Target ID:36
                              Start time:12:55:53
                              Start date:31/08/2022
                              Path:C:\Windows\System32\svchost.exe
                              Wow64 process (32bit):false
                              Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                              Imagebase:0x7ff61e220000
                              File size:51288 bytes
                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000024.00000003.573535906.000002F31BF40000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000024.00000003.573535906.000002F31BF40000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000024.00000003.573535906.000002F31BF40000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                              • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000024.00000000.584962257.000002F31BFB0000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 00000024.00000000.584962257.000002F31BFB0000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 00000024.00000000.584962257.000002F31BFB0000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 00000024.00000000.584962257.000002F31BFB0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                              Target ID:38
                              Start time:12:55:56
                              Start date:31/08/2022
                              Path:C:\Windows\System32\svchost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                              Imagebase:0x7ff61e220000
                              File size:51288 bytes
                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:39
                              Start time:12:55:57
                              Start date:31/08/2022
                              Path:C:\Users\user\AppData\Local\Temp\C39A.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\AppData\Local\Temp\C39A.exe
                              Imagebase:0x400000
                              File size:305152 bytes
                              MD5 hash:1A86A0186CC8ABD0BE2907E9ED681756
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000027.00000002.601597228.00000000009F1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000027.00000002.601597228.00000000009F1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000027.00000002.601012575.0000000000930000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000027.00000002.601073617.0000000000940000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000027.00000002.601073617.0000000000940000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000027.00000002.602802862.0000000000A29000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000027.00000003.584704076.0000000000940000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              Antivirus matches:
                              • Detection: 100%, Joe Sandbox ML

                              Target ID:42
                              Start time:12:56:03
                              Start date:31/08/2022
                              Path:C:\Windows\System32\dllhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
                              Imagebase:0x7ff689080000
                              File size:20888 bytes
                              MD5 hash:2528137C6745C4EADD87817A1909677E
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:43
                              Start time:12:56:05
                              Start date:31/08/2022
                              Path:C:\Windows\System32\svchost.exe
                              Wow64 process (32bit):false
                              Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                              Imagebase:0x7ff61e220000
                              File size:51288 bytes
                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000002B.00000003.595564014.00000156B6AE0000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000002B.00000003.595564014.00000156B6AE0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000002B.00000003.595564014.00000156B6AE0000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                              • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 0000002B.00000000.600713527.00000156B6B50000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_ManusCrypt, Description: Yara detected ManusCrypt, Source: 0000002B.00000000.600713527.00000156B6B50000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_Chebka, Description: Detects Chebka, Source: 0000002B.00000000.600713527.00000156B6B50000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Trojan_Generic_a681f24a, Description: unknown, Source: 0000002B.00000000.600713527.00000156B6B50000.00000040.00000001.00020000.00000000.sdmp, Author: unknown

                              Target ID:66
                              Start time:12:56:22
                              Start date:31/08/2022
                              Path:C:\Windows\System32\Conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6ac650000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:
                              Has administrator privileges:
                              Programmed in:C, C++ or other language

                                Execution Graph

                                Execution Coverage:1.9%
                                Dynamic/Decrypted Code Coverage:23.9%
                                Signature Coverage:19.3%
                                Total number of Nodes:88
                                Total number of Limit Nodes:5

                                Control-flow Graph

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: _wscanf$__nh_malloc_dbg__realloc_dbg__wctomb_s_l__wremove__wrename_abort_labs_malloc_memset_realloc_wprintf
                                • String ID: msimg32.dll
                                • API String ID: 2019212891-3287713914
                                • Opcode ID: 2ad864a010214a7997f26c51bd4d6d42cc7d3a8671068fa2767f1c33c8d9b0d1
                                • Instruction ID: e422161b7b5bbf4efaa1130811f3b2fcb5ec8ed0f934f484f65b9b74cbfb9347
                                • Opcode Fuzzy Hash: 2ad864a010214a7997f26c51bd4d6d42cc7d3a8671068fa2767f1c33c8d9b0d1
                                • Instruction Fuzzy Hash: AE517EB2902524BBD7156BA29D0DDDF3B6CEF0A355B000076F606B50A1D73C5A45CBBE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph: Graphviz source for the function at 4017e2 (blocks 4017e2-401880; calls 401118, Sleep, 401360, 401432, NtTerminateProcess); raw graph data omitted
                                C-Code - Quality: 100%
                                			E004017E2(void* __edx) {
                                				void* _t4;
                                
                                				 *((intOrPtr*)(_t4 - 0x77)) =  *((intOrPtr*)(_t4 - 0x77)) + __edx;
                                			}

                                APIs
                                • Sleep.KERNELBASE(00001388), ref: 00401823
                                • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040184B
                                Memory Dump Source
                                • Source File: 00000000.00000002.386623017.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Similarity
                                • API ID: ProcessSleepTerminate
                                • String ID:
                                • API String ID: 417527130-0
                                • Opcode ID: 4dede37128b39f4f7e7a4df5dc33f26b0f76fbcd4aaa8ffb007c11c557e31b11
                                • Instruction ID: ddaf0562df841adfab300f0276baae716c17d25714fd681a3a6e16616d485b4c
                                • Opcode Fuzzy Hash: 4dede37128b39f4f7e7a4df5dc33f26b0f76fbcd4aaa8ffb007c11c557e31b11
                                • Instruction Fuzzy Hash: EC015233148208EBDB017AA59C41DA97729AB45754F30C537FA03791F1D67D8713A72B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph: Graphviz source for the function at 4017e3 (blocks 4017e3-401880; calls 401118, Sleep, 401360, 401432, NtTerminateProcess); raw graph data omitted
                                C-Code - Quality: 18%
                                			E004017E3(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                				char _v8;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				intOrPtr _t8;
                                				char* _t9;
                                				void* _t11;
                                				void* _t13;
                                				intOrPtr* _t14;
                                				intOrPtr _t16;
                                				void* _t17;
                                				void* _t18;
                                				void* _t19;
                                				void* _t20;
                                				intOrPtr* _t21;
                                				intOrPtr* _t22;
                                				void* _t24;
                                				void* _t26;
                                
                                				_push(0x181b);
                                				_t8 =  *_t21;
                                				_t22 = _t21 + 4;
                                				L00401118(_t8, _t13, 0x61, _t19, _t20, _t24);
                                				_t14 = _a4;
                                				Sleep(0x1388);
                                				_t3 =  &_v8; // 0x1b68f34d
                                				_t9 = _t3;
                                				_push(_t9);
                                				_push(_a12);
                                				_push(_a8);
                                				_push(_t14); // executed
                                				L00401360(); // executed
                                				_t25 = _t9;
                                				if(_t9 != 0) {
                                					_push(_a16);
                                					_push(_v8);
                                					_push(_t9);
                                					_push(_t14); // executed
                                					E00401432(_t14, _t17, _t18, _t19, _t26); // executed
                                				}
                                				 *_t14(0xffffffff, 0); // executed
                                				_t11 = 0x181b;
                                				_push(0x61);
                                				_t16 =  *_t22;
                                				L00401118(_t11, _t14, _t16, _t19, _t20, _t25);
                                				return _t11;
                                			}

                                APIs
                                • Sleep.KERNELBASE(00001388), ref: 00401823
                                • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040184B
                                Memory Dump Source
                                • Source File: 00000000.00000002.386623017.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Similarity
                                • API ID: ProcessSleepTerminate
                                • String ID:
                                • API String ID: 417527130-0
                                • Opcode ID: eed50f69cd3fa7174ad76653e673f5296f9ebb16c169d6494c900a5425ffe511
                                • Instruction ID: 1d0556d2ce3487287f662705d53e2785c513140bae9e3f24436a296874fe77da
                                • Opcode Fuzzy Hash: eed50f69cd3fa7174ad76653e673f5296f9ebb16c169d6494c900a5425ffe511
                                • Instruction Fuzzy Hash: 15017533108208F7D7017A958C42DAA3628AB45754F30C437BA03790F1D57DDB12676B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph: Graphviz source for the function at 4017ee (blocks 4017ee-401880; calls 401118, Sleep, 401360, 401432, NtTerminateProcess); raw graph data omitted
                                C-Code - Quality: 20%
                                			E004017EE(void* __edi, void* __esi) {
                                				intOrPtr _t8;
                                				intOrPtr* _t9;
                                				void* _t11;
                                				void* _t13;
                                				intOrPtr* _t14;
                                				intOrPtr _t17;
                                				void* _t18;
                                				void* _t19;
                                				intOrPtr* _t25;
                                				intOrPtr* _t26;
                                				void* _t29;
                                				void* _t31;
                                
                                				_t21 = __esi;
                                				_t19 = __edi;
                                				_push(0x181b);
                                				_t8 =  *_t25;
                                				_t26 = _t25 + 4;
                                				L00401118(_t8, _t13, 0x61, __esi, 0x1b68f351, _t29);
                                				_t14 =  *((intOrPtr*)(0x1b68f359));
                                				Sleep(0x1388);
                                				_t9 = 0x1b68f34d;
                                				_push(_t9);
                                				_push( *0x1B68F361);
                                				_push( *0x1B68F35D);
                                				_push(_t14); // executed
                                				L00401360(); // executed
                                				_t30 = _t9;
                                				if(_t9 != 0) {
                                					_push( *0x1B68F365);
                                					_push( *((intOrPtr*)(0x1b68f34d)));
                                					_push(_t9);
                                					_push(_t14); // executed
                                					E00401432(_t14, _t18, _t19, _t21, _t31); // executed
                                				}
                                				 *_t14(0xffffffff, 0); // executed
                                				_t11 = 0x181b;
                                				_push(0x61);
                                				_t17 =  *_t26;
                                				L00401118(_t11, _t14, _t17, _t21, 0x1b68f351, _t30);
                                				return _t11;
                                			}

                                APIs
                                • Sleep.KERNELBASE(00001388), ref: 00401823
                                • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040184B
                                Memory Dump Source
                                • Source File: 00000000.00000002.386623017.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Similarity
                                • API ID: ProcessSleepTerminate
                                • String ID:
                                • API String ID: 417527130-0
                                • Opcode ID: 0a9656e0e1b5f21b45c9f82a7808bfe019579950b80e51e68eaabb0023cd3f01
                                • Instruction ID: 6a2648c31bf342f80e2744bc490c75df06b0a743f4722301b2fbabc3dba0a0aa
                                • Opcode Fuzzy Hash: 0a9656e0e1b5f21b45c9f82a7808bfe019579950b80e51e68eaabb0023cd3f01
                                • Instruction Fuzzy Hash: 54016733508304ABDB017AA18C42EA937289B45754F24C577BB13790F2D57DCB12A72B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph: Graphviz source for the function at c2d774 (blocks c2d774-c2d7d2; calls CreateToolhelp32Snapshot, Module32First, c2d433); raw graph data omitted
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00C2D79C
                                • Module32First.KERNEL32(00000000,00000224), ref: 00C2D7BC
                                Memory Dump Source
                                • Source File: 00000000.00000002.387378506.0000000000C29000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C29000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c29000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateFirstModule32SnapshotToolhelp32
                                • String ID:
                                • API String ID: 3833638111-0
                                • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                • Instruction ID: c1748467ad12143ef9350e9dee1750b0800ec6872a71a0b080b5f15551a7a10a
                                • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                • Instruction Fuzzy Hash: F3F0F6321003216FD7203BF8B88CBAE72E8AF68B29F100528E653D18C0DB74ED454660
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph: Graphviz source for the function at 401807 (blocks 401807-401880; calls 401118, Sleep, 401360, 401432, NtTerminateProcess); raw graph data omitted
                                C-Code - Quality: 24%
                                			E00401807(signed int __edx, void* __edi, void* __esi) {
                                				void* _t9;
                                				void* _t10;
                                				void* _t12;
                                				void* _t14;
                                				intOrPtr* _t15;
                                				intOrPtr _t18;
                                				void* _t21;
                                				void* _t25;
                                				intOrPtr* _t27;
                                				signed char _t30;
                                				void* _t32;
                                
                                				_t23 = __esi;
                                				_t21 = __edi;
                                				_t20 = __edx |  *(_t25 + 0x7b);
                                				_t30 = __edx |  *(_t25 + 0x7b);
                                				L00401118(_t9, _t14, 0x61, __esi, _t25, _t30);
                                				_t15 =  *((intOrPtr*)(_t25 + 8));
                                				Sleep(0x1388);
                                				_t4 = _t25 - 4; // 0x1b68f34d
                                				_t10 = _t4;
                                				_push(_t10);
                                				_push( *((intOrPtr*)(_t25 + 0x10)));
                                				_push( *((intOrPtr*)(_t25 + 0xc)));
                                				_push(_t15); // executed
                                				L00401360(); // executed
                                				_t31 = _t10;
                                				if(_t10 != 0) {
                                					_push( *((intOrPtr*)(_t25 + 0x14)));
                                					_push( *((intOrPtr*)(_t25 - 4)));
                                					_push(_t10);
                                					_push(_t15); // executed
                                					E00401432(_t15, _t20, _t21, _t23, _t32); // executed
                                				}
                                				 *_t15(0xffffffff, 0); // executed
                                				_t12 = 0x181b;
                                				_push(0x61);
                                				_t18 =  *_t27;
                                				L00401118(_t12, _t15, _t18, _t23, _t25, _t31);
                                				return _t12;
                                			}

                                APIs
                                • Sleep.KERNELBASE(00001388), ref: 00401823
                                • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040184B
                                Memory Dump Source
                                • Source File: 00000000.00000002.386623017.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Similarity
                                • API ID: ProcessSleepTerminate
                                • String ID:
                                • API String ID: 417527130-0
                                • Opcode ID: fa61b3bfe6e1efcc42a3172324d87a3747898b17389843dd474e8030b106d628
                                • Instruction ID: d1e85a843a3bf15b3ffbd62fd2fe31d474754e63a526ee7ed21e8696c92682af
                                • Opcode Fuzzy Hash: fa61b3bfe6e1efcc42a3172324d87a3747898b17389843dd474e8030b106d628
                                • Instruction Fuzzy Hash: 2FF04F33204208FBDB007BA18C42EAD3729AB45754F20C537BA13790F2D679CA12A72B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • _check_managed_app.LIBCMTD ref: 0040AF2C
                                • __heap_init.LIBCMTD ref: 0040AF36
                                  • Part of subcall function 00419610: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,0040AF3B,00000001), ref: 00419626
                                • _fast_error_exit.LIBCMTD ref: 0040AF44
                                  • Part of subcall function 0040B090: ___crtExitProcess.LIBCMTD ref: 0040B0B4
                                • __mtinit.LIBCMTD ref: 0040AF4C
                                • _fast_error_exit.LIBCMTD ref: 0040AF57
                                • __RTC_Initialize.LIBCMTD ref: 0040AF69
                                • ___crtGetEnvironmentStringsA.LIBCMTD ref: 0040AF93
                                • ___setargv.LIBCMTD ref: 0040AF9D
                                • __setenvp.LIBCMTD ref: 0040AFB0
                                • __cinit.LIBCMTD ref: 0040AFC5
                                • __wincmdln.LIBCMTD ref: 0040AFE2
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: ___crt_fast_error_exit$CreateEnvironmentExitHeapInitializeProcessStrings___setargv__cinit__heap_init__mtinit__setenvp__wincmdln_check_managed_app
                                • String ID:
                                • API String ID: 2258361453-0
                                • Opcode ID: 4086065ac970038e79a776750f7548aa05e0e09ea29f0b4c0b31f8981395e636
                                • Instruction ID: a7ddb7468b00b09513485c08426ead2e5ea3c26d69e3af7857e19453d79bf949
                                • Opcode Fuzzy Hash: 4086065ac970038e79a776750f7548aa05e0e09ea29f0b4c0b31f8981395e636
                                • Instruction Fuzzy Hash: 6B41B3F1D003099BDB00ABB2AC0679E76B4AF54748F10013EE515AB2C2EB799540CB9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph: Graphviz source for the function at 40af25 (blocks 40af25-40b089; calls 40b0c0, 419610, 40b090, 412520, 40d700, 419590, 4190f0, 414650, 418ed0, 418a40, 4188a0, 414530, 4187d0, 409b11, 414610, 4145d0); raw graph data omitted
                                APIs
                                • _check_managed_app.LIBCMTD ref: 0040AF2C
                                • __heap_init.LIBCMTD ref: 0040AF36
                                  • Part of subcall function 00419610: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,0040AF3B,00000001), ref: 00419626
                                • _fast_error_exit.LIBCMTD ref: 0040AF44
                                  • Part of subcall function 0040B090: ___crtExitProcess.LIBCMTD ref: 0040B0B4
                                • __mtinit.LIBCMTD ref: 0040AF4C
                                • _fast_error_exit.LIBCMTD ref: 0040AF57
                                • __RTC_Initialize.LIBCMTD ref: 0040AF69
                                • ___crtGetEnvironmentStringsA.LIBCMTD ref: 0040AF93
                                • ___setargv.LIBCMTD ref: 0040AF9D
                                • __setenvp.LIBCMTD ref: 0040AFB0
                                • __cinit.LIBCMTD ref: 0040AFC5
                                • __wincmdln.LIBCMTD ref: 0040AFE2
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: ___crt_fast_error_exit$CreateEnvironmentExitHeapInitializeProcessStrings___setargv__cinit__heap_init__mtinit__setenvp__wincmdln_check_managed_app
                                • String ID:
                                • API String ID: 2258361453-0
                                • Opcode ID: b4164f6d4685f9dc647e4ff3c01fe10f2011dd5ecc3773d6662f2e0acad5b2fb
                                • Instruction ID: 9f0ef44384bb957edc35c3b29ca9c2b5aa09c4f6599d807b4947cf27e1b66438
                                • Opcode Fuzzy Hash: b4164f6d4685f9dc647e4ff3c01fe10f2011dd5ecc3773d6662f2e0acad5b2fb
                                • Instruction Fuzzy Hash: CF3173F1D003059AEB10BBB2AD067DE7660AF5434CF10013FE9196B2C2FB799954CA9B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph: Graphviz source for the function at 40b4d7 (blocks 40b4d7-40b83f; calls 40c8d0, 40df70, 4198d0, 419810, 40b820, 40a2b0); raw graph data omitted
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: _memset$CheckMemory__heap_alloc_base
                                • String ID:
                                • API String ID: 4254127243-0
                                • Opcode ID: 782c486867dbfdf79707c8b7b84721dc0e730895fb2ba11e1fecccc80f7ba8a3
                                • Instruction ID: 10aa9e1e72f509eec9c2030512bc02d8ab3a9285472f538c0d3528d51176eff9
                                • Opcode Fuzzy Hash: 782c486867dbfdf79707c8b7b84721dc0e730895fb2ba11e1fecccc80f7ba8a3
                                • Instruction Fuzzy Hash: 59A14A79A002049FDB14DF44DC85BAE77B1FB89314F20826AE9056B3D2D379AD40CF99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph (rendered graph not reproduced; basic blocks span 0x409630 to 0x409b10)
                                APIs
                                • LocalAlloc.KERNELBASE(00000000), ref: 00409649
                                • _memset.LIBCMT ref: 004097B4
                                • LoadLibraryW.KERNELBASE(00844200), ref: 00409966
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: AllocLibraryLoadLocal_memset
                                • String ID: msimg32.dll
                                • API String ID: 3001991562-3287713914
                                • Opcode ID: 3c6d298495194a7d43d133cce53dba0bfa3f0cc23cecebb99af27589142207ee
                                • Instruction ID: 4bbf95d1d07f5b793a551445cec3f97fb7520ad9971ce6f5d0ca53ce5d14d8fc
                                • Opcode Fuzzy Hash: 3c6d298495194a7d43d133cce53dba0bfa3f0cc23cecebb99af27589142207ee
                                • Instruction Fuzzy Hash: A4D1E1B6800258BFE7016BB0EDC8EAB776CFB19349B005436F646E1572D6788D85CB78
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph (rendered graph not reproduced; basic blocks span 0x4190f0 to 0x41958b)
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: __nh_malloc_dbg
                                • String ID:
                                • API String ID: 2526938719-0
                                • Opcode ID: 1dedd40c212b86d737cc42a500783f936d07058c4a6aec1a18194dda0f85cf9a
                                • Instruction ID: 7fdf9e2f47d08c1cdaf3c05fa1e569e8f274e39fd4e0f730588c364ff7165eea
                                • Opcode Fuzzy Hash: 1dedd40c212b86d737cc42a500783f936d07058c4a6aec1a18194dda0f85cf9a
                                • Instruction Fuzzy Hash: 8FE11B74E04249DFDB24CFA8C894BADFBB1BB49314F24825ED8656B392C7349886CF45
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph (rendered graph not reproduced; single basic block 0x40952f to 0x40962e, calls VirtualProtect)
                                APIs
                                • VirtualProtect.KERNELBASE(00000040,?), ref: 0040962A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: msimg32.dll
                                • API String ID: 544645111-3287713914
                                • Opcode ID: 17b0aac0a531702174b7c65180c391707bf38b3425d045184fdffbf97c0d013b
                                • Instruction ID: 9b7cfc5e17716be782b59f166dd39e07db881f3a278859cfbeeeb5f88a7b37f4
                                • Opcode Fuzzy Hash: 17b0aac0a531702174b7c65180c391707bf38b3425d045184fdffbf97c0d013b
                                • Instruction Fuzzy Hash: F7219A98E08AC1DAF306C768ED08B913E965723749F0A00BD91954A2B2E7FB5158C77F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph (rendered graph not reproduced; single basic block 0x409531 to 0x40962e, calls VirtualProtect)
                                APIs
                                • VirtualProtect.KERNELBASE(00000040,?), ref: 0040962A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: msimg32.dll
                                • API String ID: 544645111-3287713914
                                • Opcode ID: 86775875dd883554000b779353b5ca5ef6f1083c8ec8bb8f7521579d1f137b51
                                • Instruction ID: 07589be915f535defbfa72ec759fc0598ce49b4d87d3ca622b32015d16d1199b
                                • Opcode Fuzzy Hash: 86775875dd883554000b779353b5ca5ef6f1083c8ec8bb8f7521579d1f137b51
                                • Instruction Fuzzy Hash: 6521A998E0CAC1DAF306C768ED08B913E965723749F0A00BD91954A2B2E7FB5158C77F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph (rendered graph not reproduced; basic blocks span 0x40b426 to 0x40b486)
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: QQ
                                • API String ID: 0-3460843698
                                • Opcode ID: 75285a33f3e3a8226227495b54544be31729fa98091c7b21b9d872baf7ad745d
                                • Instruction ID: 8ebcda0000eecf523cbd085e01e090e350d6b15ac35dbad072ca10934f5ebcd5
                                • Opcode Fuzzy Hash: 75285a33f3e3a8226227495b54544be31729fa98091c7b21b9d872baf7ad745d
                                • Instruction Fuzzy Hash: D301FBB5A00109EBDB04DF54D840BAE73B4EB48304F10816AFD09A7382D339DB51DB99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph (rendered graph not reproduced; basic blocks span 0x40b84e to 0x40b907)
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: __invalid_parameter_memset
                                • String ID:
                                • API String ID: 3961059608-0
                                • Opcode ID: 05b10813307af71d25597e47c8649d7a6d084c0bb43746682a81a9517d95371d
                                • Instruction ID: 1324000d97abd66836b031af892333075081cfb50ad0cef0dc97aef94c640520
                                • Opcode Fuzzy Hash: 05b10813307af71d25597e47c8649d7a6d084c0bb43746682a81a9517d95371d
                                • Instruction Fuzzy Hash: DC1166B1A40208BBDB04DF94CC82F9E3375EB54704F10856AF908BB3D1E778EA508799
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: __nh_malloc_dbg
                                • String ID:
                                • API String ID: 2526938719-0
                                • Opcode ID: f9bf8707853167085b66593613993b00e5ed86952c72447d674ae544adeca308
                                • Instruction ID: c4f57cec82e4bd0dba32cc6c1f0b5ad598e6c7fbc5f644fcfa7b04f801fa35e6
                                • Opcode Fuzzy Hash: f9bf8707853167085b66593613993b00e5ed86952c72447d674ae544adeca308
                                • Instruction Fuzzy Hash: 95E020B1E84308A9E7309AA5580775C7720E744B31F20472FE235362C2D77504404F09
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __encode_pointer.LIBCMTD ref: 00412407
                                  • Part of subcall function 00412330: __crt_wait_module_handle.LIBCMTD ref: 0041237C
                                  • Part of subcall function 00412330: RtlEncodePointer.NTDLL(?), ref: 004123B7
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: EncodePointer__crt_wait_module_handle__encode_pointer
                                • String ID:
                                • API String ID: 2010845264-0
                                • Opcode ID: f00befe9f6ce37f0a9e0ee05923ac5330ac6df44ba7645856ef0dc2498812e42
                                • Instruction ID: 017c5cb46a1c4d55b1340ad0c3270c38816836f5326e70259e7eaab19cdf7902
                                • Opcode Fuzzy Hash: f00befe9f6ce37f0a9e0ee05923ac5330ac6df44ba7645856ef0dc2498812e42
                                • Instruction Fuzzy Hash: 13A0127244420C23E00020933903B03750C43C0638F080021F91C051422886B5604097
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ___security_init_cookie.LIBCMTD ref: 0040AE95
                                  • Part of subcall function 0040AEB0: _check_managed_app.LIBCMTD ref: 0040AF2C
                                  • Part of subcall function 0040AEB0: __heap_init.LIBCMTD ref: 0040AF36
                                  • Part of subcall function 0040AEB0: _fast_error_exit.LIBCMTD ref: 0040AF44
                                  • Part of subcall function 0040AEB0: __mtinit.LIBCMTD ref: 0040AF4C
                                  • Part of subcall function 0040AEB0: _fast_error_exit.LIBCMTD ref: 0040AF57
                                  • Part of subcall function 0040AEB0: __RTC_Initialize.LIBCMTD ref: 0040AF69
                                  • Part of subcall function 0040AEB0: ___crtGetEnvironmentStringsA.LIBCMTD ref: 0040AF93
                                  • Part of subcall function 0040AEB0: ___setargv.LIBCMTD ref: 0040AF9D
                                  • Part of subcall function 0040AEB0: __setenvp.LIBCMTD ref: 0040AFB0
                                  • Part of subcall function 0040AEB0: __cinit.LIBCMTD ref: 0040AFC5
                                  • Part of subcall function 0040AEB0: __wincmdln.LIBCMTD ref: 0040AFE2
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: _fast_error_exit$EnvironmentInitializeStrings___crt___security_init_cookie___setargv__cinit__heap_init__mtinit__setenvp__wincmdln_check_managed_app
                                • String ID:
                                • API String ID: 2731678867-0
                                • Opcode ID: ee8f2d7c38ba407090a88614530fa8bfefe5418cda479201f07807e08c8461eb
                                • Instruction ID: 4163ddfda7dbc0b273293bbe506c37d36eb456cb6e14ae8899fefb7f074ccf43
                                • Opcode Fuzzy Hash: ee8f2d7c38ba407090a88614530fa8bfefe5418cda479201f07807e08c8461eb
                                • Instruction Fuzzy Hash: DCA02232080B0C02020033E3200B80B320E08C032C382002FBA0C022032C3CB8A000EF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00C2D484
                                Memory Dump Source
                                • Source File: 00000000.00000002.387378506.0000000000C29000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C29000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c29000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                • Instruction ID: cfc63c62d0c90ba13af681c36c5d70acb37e439cc15c3841b02a59110d57d969
                                • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                • Instruction Fuzzy Hash: E2113C79A00208EFDB01DF98C985E98BBF5AF08751F158094F9489B362D375EA50EF80
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386623017.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID: PPPP
                                • API String ID: 0-1462104750
                                • Opcode ID: c9c0241cd0afcbd3fd31c594775fe31887d42f61bb82ab006a020ba5247fe7de
                                • Instruction ID: 42034d581ce3fc54d6be9e219e9e8320d81d709d73c932a33cf25b948e6a08f8
                                • Opcode Fuzzy Hash: c9c0241cd0afcbd3fd31c594775fe31887d42f61bb82ab006a020ba5247fe7de
                                • Instruction Fuzzy Hash: 38418EF2019A827FE3124F20DC5ACFB7B7DD94921130886CAF894DB952C6595895C7F3
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 22%
                                			E00402351(void* __eax, intOrPtr* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi) {
                                				void* _t36;
                                				void* _t37;
                                				void* _t38;
                                				void* _t39;
                                				void* _t41;
                                				void* _t42;
                                				signed int _t43;
                                				signed int _t44;
                                				signed int _t45;
                                				signed int _t46;
                                				signed char _t47;
                                				signed int _t50;
                                				signed int _t51;
                                				signed int _t52;
                                				signed int _t53;
                                				signed char _t54;
                                				void* _t70;
                                				void* _t72;
                                				void* _t77;
                                				void* _t79;
                                				void* _t81;
                                				void* _t82;
                                
                                				_t79 = __esi;
                                				_t70 = __edx;
                                				_pop(_t84);
                                				asm("fst qword [0x9c2ddd94]");
                                				_t72 = __eax + 0x3af0294;
                                				_push(_t72);
                                				_t36 = __edi - 1;
                                				_push(_t36);
                                				_push(_t36);
                                				_t37 = _t72;
                                				ss = _t36;
                                				_push(_t37);
                                				_push(_t37);
                                				asm("fst dword [edi]");
                                				_t38 = _t37;
                                				_t39 = _t36;
                                				ss = _t37;
                                				asm("adc [eax+0x50], dl");
                                				ss = _t39;
                                				_t41 = _t38 + 1;
                                				_push(_t41);
                                				_push(_t41);
                                				_push(_t41);
                                				_t42 = _t39;
                                				ss = _t41;
                                				_push(_t42);
                                				_push(_t42);
                                				_push(_t42);
                                				es = _t42;
                                				_t43 = _t42 + 0xc3af02b4;
                                				asm("fcom qword [eax+0x50]");
                                				asm("aad 0x90");
                                				_t77 = _t43;
                                				asm("aad 0x96");
                                				_push(_t43);
                                				_push(_t43);
                                				_push(_t43);
                                				_push(__edx);
                                				asm("scasd");
                                				_t44 = _t43 & 0xc0c3afb4;
                                				_push(_t44);
                                				_push(_t44);
                                				_push(_t44);
                                				 *0xd45f50bc =  *0xd45f50bc >> __ecx;
                                				asm("repe push eax");
                                				_push(_t44);
                                				_push(_t44);
                                				asm("scasd");
                                				_t45 = _t44 & 0xaf103abc;
                                				_t82 = _t81 +  *((intOrPtr*)(_t45 - 0x27));
                                				asm("adc eax, 0xbc05dda4");
                                				asm("movsb");
                                				_t46 = _t45 & 0xc0c3afb4;
                                				_push(_t46);
                                				_push(_t46);
                                				_push(_t46);
                                				asm("aad 0x90");
                                				_t47 = _t46 & 0xbc2dd329;
                                				_push(_t47);
                                				asm("fist dword [0x4410dba4]");
                                				asm("fst dword [0x6baf61a8]");
                                				_t50 = (_t47 & 0x00000023) - 0xdd3323a8 + 0x503a02bc;
                                				es = _t50;
                                				asm("scasd");
                                				_t51 = _t50 & 0xc4c3afb4;
                                				_push(_t51);
                                				_push(_t51);
                                				_push(_t51);
                                				 *0x162450bc =  *0x162450bc >> __ecx +  *((intOrPtr*)(_t77 + 0x25afbc25));
                                				asm("rcl dword [0x25af52bc], cl");
                                				_push(0xdda015d9);
                                				_t52 = _t51 + 0x25af02bc;
                                				es = _t52;
                                				asm("scasd");
                                				_t53 = _t52 & 0xc4c3afb4;
                                				_push(_t53);
                                				_push(_t53);
                                				_push(_t53);
                                				asm("aad 0x90");
                                				_t54 = _t53 & 0xbc2dd347;
                                				asm("fist dword [0x4010dda0]");
                                				 *__ebx =  *__ebx + (_t54 & 0x00000041);
                                				asm("aad 0x90");
                                				asm("scasd");
                                				ss = _t54;
                                				goto L1;
                                			}

                                Memory Dump Source
                                • Source File: 00000000.00000002.386623017.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cb95eb28c3ea5ceec2e3033c146810c6e2f5aab3d7c853bbb481ccd21ba1313a
                                • Instruction ID: c5558df752f303d9b12da3b49636c5f29c6388f54a3b64fc1eef45c3947951cf
                                • Opcode Fuzzy Hash: cb95eb28c3ea5ceec2e3033c146810c6e2f5aab3d7c853bbb481ccd21ba1313a
                                • Instruction Fuzzy Hash: 63417AF311AA857FF3118A94EC4ADFB7B2CD5681393084485FD40DB403C268C8A18BB1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.387378506.0000000000C29000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C29000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_c29000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                • Instruction ID: 1f6a2f75c2e6e93589fcf906e85326adb32d419ce6d942cbeb874e38180baec2
                                • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                • Instruction Fuzzy Hash: 9311C2723401109FD700DF55EC81FA273EAEB98320B298055ED05CB722D675EC02C760
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.386623017.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 13551ef71cb1a6f447fbd5480a6cb103b1654af51dbb33939e4de5ef2e619886
                                • Instruction ID: 1d2253bcee00caf847626527a2ca008675ce4aadaffea8765609509fba5c1da7
                                • Opcode Fuzzy Hash: 13551ef71cb1a6f447fbd5480a6cb103b1654af51dbb33939e4de5ef2e619886
                                • Instruction Fuzzy Hash: 80D022B2864CA0AFEB006210CC1896B7FAC8C15210708C080B801E9119C30810218BB1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.386623017.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2c4fbf70458648bca6f8a21e4b213d349669eb636f4c34a3048d8fef98564362
                                • Instruction ID: 19ab161c9d805c9666a3c863c0cbb36cd8fc6fea7ed9fd7909dadc4bd56c9e04
                                • Opcode Fuzzy Hash: 2c4fbf70458648bca6f8a21e4b213d349669eb636f4c34a3048d8fef98564362
                                • Instruction Fuzzy Hash: 48D022B2804CA4AFEB006600CC149AB7FAD8C14310B08C040B801E5119C3091026CBB1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __invoke_watson_if_error.LIBCMTD ref: 0041C6D2
                                • _wcscat_s.LIBCMTD ref: 0041C8EA
                                  • Part of subcall function 00421870: __invalid_parameter.LIBCMTD ref: 004218E2
                                • __invoke_watson_if_error.LIBCMTD ref: 0041C8F3
                                  • Part of subcall function 0040DBB0: __invoke_watson.LIBCMTD ref: 0040DBD1
                                • _wcscat_s.LIBCMTD ref: 0041C922
                                  • Part of subcall function 00421870: _memset.LIBCMT ref: 0042194B
                                  • Part of subcall function 00421870: __invalid_parameter.LIBCMTD ref: 004219A7
                                • __invoke_watson_if_error.LIBCMTD ref: 0041C92B
                                • __snwprintf_s.LIBCMTD ref: 0041C984
                                  • Part of subcall function 0041BFE0: __vsnprintf_s_l.LIBCMTD ref: 0041C002
                                • __invoke_watson_if_oneof.LIBCMTD ref: 0041C9BD
                                • _wcscpy_s.LIBCMTD ref: 0041CA02
                                • __invoke_watson_if_error.LIBCMTD ref: 0041CA0B
                                • __cftoe.LIBCMTD ref: 0041CA7F
                                • __invoke_watson_if_oneof.LIBCMTD ref: 0041CAAE
                                • _wcscpy_s.LIBCMTD ref: 0041CAE6
                                • __invoke_watson_if_error.LIBCMTD ref: 0041CAEF
                                • __itow_s.LIBCMTD ref: 0041C6C9
                                  • Part of subcall function 00426280: _xtow_s@20.LIBCMTD ref: 004262AB
                                • __strftime_l.LIBCMTD ref: 0041C789
                                • __invoke_watson_if_oneof.LIBCMTD ref: 0041C7C2
                                • _wcscpy_s.LIBCMTD ref: 0041C807
                                • __invoke_watson_if_error.LIBCMTD ref: 0041C810
                                • _wcscpy_s.LIBCMTD ref: 0041C863
                                • __invoke_watson_if_error.LIBCMTD ref: 0041C86C
                                • _wcscat_s.LIBCMTD ref: 0041C89D
                                • __invoke_watson_if_error.LIBCMTD ref: 0041C8A6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: __invoke_watson_if_error$_wcscpy_s$__invoke_watson_if_oneof_wcscat_s$__invalid_parameter$__cftoe__invoke_watson__itow_s__snwprintf_s__strftime_l__vsnprintf_s_l_memset_xtow_s@20
                                • String ID: D\@$h8[@$t8j$t9j
                                • API String ID: 2582952045-1301031898
                                • Opcode ID: 8c649d36ace655ee30945a0357195b502b76c5f9a91b9f55d6bee1a9a8e625e2
                                • Instruction ID: 02178abfe23e56a54a67b4c7eb7c84d33cb54055c7f1e4f72fd57db3d001e6e7
                                • Opcode Fuzzy Hash: 8c649d36ace655ee30945a0357195b502b76c5f9a91b9f55d6bee1a9a8e625e2
                                • Instruction Fuzzy Hash: 660293B4A80714AADB20EF50DC8ABDF7374AB44745F5440AAF608762C1D7B89AC4CF99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __inc.LIBCMTD ref: 0041654C
                                • _isdigit.LIBCMTD ref: 00416572
                                • ___check_float_string.LIBCMTD ref: 004165D2
                                • __inc.LIBCMTD ref: 004165F0
                                • _isdigit.LIBCMTD ref: 004166A2
                                • ___check_float_string.LIBCMTD ref: 00416702
                                • ___check_float_string.LIBCMTD ref: 00416689
                                  • Part of subcall function 00416C60: __nh_malloc_dbg.LIBCMTD ref: 00416CBD
                                • __inc.LIBCMTD ref: 0041664D
                                  • Part of subcall function 00416DC0: __filbuf.LIBCMTD ref: 00416E01
                                • ___check_float_string.LIBCMTD ref: 00416796
                                • __inc.LIBCMTD ref: 004167B4
                                • ___check_float_string.LIBCMTD ref: 004167F7
                                • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00416B66
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: ___check_float_string$__inc$Locale_isdigit$UpdateUpdate::~___filbuf__nh_malloc_dbg
                                • String ID: +
                                • API String ID: 1483831053-2126386893
                                • Opcode ID: 3f1cdc535125063f7d7ef7ae872c682c660c3678df03c0684fb82a37ac454917
                                • Instruction ID: 45a2f262c5410c48cc6ad1d3327226c1787b0f07e4967d97fcea125fd92b63d4
                                • Opcode Fuzzy Hash: 3f1cdc535125063f7d7ef7ae872c682c660c3678df03c0684fb82a37ac454917
                                • Instruction Fuzzy Hash: 26F16FB1D042199BCF14CF99C894AEEBB75AF44308F1482AED819A7342D739EA84CF55
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: __inc$__hextodec__un_inc_isxdigit
                                • String ID: 8$F
                                • API String ID: 3652663768-3144575033
                                • Opcode ID: c694fde765daef34fe86b015504b5841358a78d6cc7151bbf1d403a4172b6c69
                                • Instruction ID: 4e8990ed9834d67cabe5cdc1a52b903055c43b73c622471bf65cd64a9ca038d8
                                • Opcode Fuzzy Hash: c694fde765daef34fe86b015504b5841358a78d6cc7151bbf1d403a4172b6c69
                                • Instruction Fuzzy Hash: 1B028EB0D052698BCF25CF64C8943EEBBB1AF15308F1481DAD8196B342D33A9AC5CF49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: _get_int64_arg_write_multi_char$__aulldiv__aullrem_wctomb_s_write_string
                                • String ID: -$9
                                • API String ID: 3451365851-1631151375
                                • Opcode ID: 73748dadc7ea5df593242549316a037bffe645614e081454c675fba9bebad1a7
                                • Instruction ID: a721a5725b6536229582cc34f6c4b56e6aafc0d91daa9a2dae563fcae3e2e464
                                • Opcode Fuzzy Hash: 73748dadc7ea5df593242549316a037bffe645614e081454c675fba9bebad1a7
                                • Instruction Fuzzy Hash: 9BF14BB1E012298FDB24CF58DC99BAEB7B1FB84304F5481DAD419A7281D7789E80CF59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: _get_int64_arg_write_multi_char$__aulldiv__aullrem__mbtowc_l_write_string
                                • String ID: 9
                                • API String ID: 3455034128-2366072709
                                • Opcode ID: 530e62bac20449fc3ef16af2ea562a2331bce4f960ca9bf1045f95520d08cb73
                                • Instruction ID: 87f28a10b6e7806872ac3917b900aa704c7eb3b4201bc77d767262b33af21855
                                • Opcode Fuzzy Hash: 530e62bac20449fc3ef16af2ea562a2331bce4f960ca9bf1045f95520d08cb73
                                • Instruction Fuzzy Hash: FDF16CB1E002299FDF24DF58DC81BAEB7B1BF85304F54419AE109A7241D778AE84CF59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0042673B
                                • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00426771
                                • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00426792
                                • wcsncnt.LIBCMTD ref: 004267C9
                                • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0042682F
                                • _wcslen.LIBCMTD ref: 00426A3F
                                • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00426A4D
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: Locale$UpdateUpdate::~_$_wcslenwcsncnt
                                • String ID:
                                • API String ID: 1043867012-0
                                • Opcode ID: fc4f0b37faa7f4946a6c5e9665ee82d9b71174bf5f156293fab80b3a31791081
                                • Instruction ID: 7f75a814af551cf217c73b50f5ce39038cad51a7708300b5ccdc52a67e21c884
                                • Opcode Fuzzy Hash: fc4f0b37faa7f4946a6c5e9665ee82d9b71174bf5f156293fab80b3a31791081
                                • Instruction Fuzzy Hash: 84D12775A00218DFCB08DF94D894BEEB7B1FF85304F60C55AE4126B290DB38AE86DB55
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: Locale_write_multi_char$UpdateUpdate::~___get_printf_count_output__invalid_parameter_get_int_arg_wctomb_s_write_string
                                • String ID: -
                                • API String ID: 2357813345-2547889144
                                • Opcode ID: d2fd1506c183ec86f59f6aee48fb561d843edaa370c390d2ac749d9266cd7004
                                • Instruction ID: 09383132ef6e3c52153bc865bd17f4b6936478b15fe0a08a49ab86f91775dfed
                                • Opcode Fuzzy Hash: d2fd1506c183ec86f59f6aee48fb561d843edaa370c390d2ac749d9266cd7004
                                • Instruction Fuzzy Hash: F8A18C70E012298BDB24DF59DC49BAEB7B0EB84305F5481DAE1197B281D778AEC0CF59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: _write_multi_char$_get_int_arg_strlen_wctomb_s_write_string
                                • String ID: -$I@
                                • API String ID: 2232461714-3662616159
                                • Opcode ID: c4d7bbb1e4a35970b1e2731a79c68ebfb12efde7635d023d49e88d8b318ebf39
                                • Instruction ID: 504cf34f6a1f140e24b7c590ea058f5024a33f02ea29967f28fa7e95d4e844db
                                • Opcode Fuzzy Hash: c4d7bbb1e4a35970b1e2731a79c68ebfb12efde7635d023d49e88d8b318ebf39
                                • Instruction Fuzzy Hash: 7EA18F74E012298FDB24CF55DC49BEEB7B0EB88305F5481DAD0196B291D778AE80CF59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: Locale__inc$UpdateUpdate::~___mbtowc_l__un_inc_memset
                                • String ID: $]${${
                                • API String ID: 2643002128-1336171634
                                • Opcode ID: a0d6f3a7a88c6dea91ec17ea94e745941b8181ae169e3f2fdeed4f4618f4c2ce
                                • Instruction ID: 733e9da3a28c0a21848e95e8901b80b5ba50e6ecae14809abc89287093d81474
                                • Opcode Fuzzy Hash: a0d6f3a7a88c6dea91ec17ea94e745941b8181ae169e3f2fdeed4f4618f4c2ce
                                • Instruction Fuzzy Hash: A6B1D670D09798CBCF15CBA9D4946EDBBB1AF46304F14C19FE869AB342C2389A81CF15
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: _write_multi_char$__mbtowc_l_get_int_arg_strlen_write_string
                                • String ID: I@
                                • API String ID: 909868375-3008766272
                                • Opcode ID: 5160bf8aaf3c93fb7daea3ac61722fa4b3b9303f281fa05acda3142a6fb74e5b
                                • Instruction ID: aeb1a302864e0295b61b224f0f41cef40e82057aba0da1d2740614cba2eebc2e
                                • Opcode Fuzzy Hash: 5160bf8aaf3c93fb7daea3ac61722fa4b3b9303f281fa05acda3142a6fb74e5b
                                • Instruction Fuzzy Hash: 1AA181B0E002289FDB24DF55DC81BAEB7B5BF44304F54819AE61967282D738AE84CF5D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: Locale_write_multi_char$UpdateUpdate::~___get_printf_count_output__invalid_parameter__mbtowc_l_get_int_arg_write_string
                                • String ID:
                                • API String ID: 2386203720-0
                                • Opcode ID: f607765c8f2682145a9edb787064b82d444e2ed9b0f04ad2e4101b47de9843e8
                                • Instruction ID: 08d3cf6121706dbf829b6d05311f1c81cf8396b18442ce7c14708cc00a2cbdda
                                • Opcode Fuzzy Hash: f607765c8f2682145a9edb787064b82d444e2ed9b0f04ad2e4101b47de9843e8
                                • Instruction Fuzzy Hash: 61A1AFF0E002289BDB24DF55DC85BAEB774AF84304F50419AE6197B282D778AE84CF5D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: __inc$__mbtowc_l__un_inc
                                • String ID: $c
                                • API String ID: 579247601-3797896886
                                • Opcode ID: 98046de7fd322e1f917b2e6fd8048b3892d2d27587e911f3b1c5c2ec91a3c4cd
                                • Instruction ID: 7ecbc0b786a77850220586fe59660f87f2dbd110734eb0342331823304e5aa8a
                                • Opcode Fuzzy Hash: 98046de7fd322e1f917b2e6fd8048b3892d2d27587e911f3b1c5c2ec91a3c4cd
                                • Instruction Fuzzy Hash: B8918F70D05758DBCF24CF95D8946EEBB71AF85308F14819AE829AB342D7389AC1CF09
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: Message___crt__invoke_watson_if_error__invoke_watson_if_oneof__snwprintf_s_raise_wcscpy_s
                                • String ID: ^9@$`D@
                                • API String ID: 1485069716-273578848
                                • Opcode ID: 61b2dbe9ec1f8faa36acc654127eec5d54c4783b504d953776bc1184599c36c0
                                • Instruction ID: c0e6340a1cda6ef02aac5938a198a3969f3bcb851ff0069ec62fe23309543b73
                                • Opcode Fuzzy Hash: 61b2dbe9ec1f8faa36acc654127eec5d54c4783b504d953776bc1184599c36c0
                                • Instruction Fuzzy Hash: 7C316AB5A40218ABDB24DB91DC46FDA73B5BB58744F0041EAF308762C1D6B85EC08F99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: BytesCheck$HeapPointerValid__free_base_memset
                                • String ID: tDj
                                • API String ID: 25084783-2513116121
                                • Opcode ID: b9adceee1fe61f2cee6d43c756ee87a5a7a58a641edfea7588e9ec640f752860
                                • Instruction ID: faefe7da996400bbef58c54e5170c74f93222f4de7125747aeed027e64bc3a06
                                • Opcode Fuzzy Hash: b9adceee1fe61f2cee6d43c756ee87a5a7a58a641edfea7588e9ec640f752860
                                • Instruction Fuzzy Hash: C591B175A40204EBEB28DB84DDC2F6A7375AB44708F344269F604BB2C2D279EE41D79D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: __inc$__mbtowc_l__un_inc
                                • String ID: ${
                                • API String ID: 579247601-4046706400
                                • Opcode ID: c4822b5e9e88f4911f299a29db30f343fa9385594b584e860edcc568e7ba0c09
                                • Instruction ID: f8bebf5dfd94e6c9dc363e16e45155c9ab91aad30fd5ed40b4ee189f875d7f82
                                • Opcode Fuzzy Hash: c4822b5e9e88f4911f299a29db30f343fa9385594b584e860edcc568e7ba0c09
                                • Instruction Fuzzy Hash: C54190B4D05758DBCF24CB95D8446EEBB71AF85305F14C1AEE429A7202D7389AC5CF09
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: __aulldiv__aullrem_get_int64_arg
                                • String ID: '$0$9
                                • API String ID: 3120068967-269856862
                                • Opcode ID: 61ff73877e2c891499c3fb64a8486ea2c305938b2ba7b0e0e707b528870ff651
                                • Instruction ID: 26c336a9f065971cb0d320951b209e2e278aa466309384de1234029c3de788cf
                                • Opcode Fuzzy Hash: 61ff73877e2c891499c3fb64a8486ea2c305938b2ba7b0e0e707b528870ff651
                                • Instruction Fuzzy Hash: B941F4B1E15229DFDB24CF58E899BAEB7B5FB84304F5481DAD448A7240C7389E81CF49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: __aulldiv__aullrem_get_int64_arg
                                • String ID: '$0$9
                                • API String ID: 3120068967-269856862
                                • Opcode ID: 0685f91b45cbdf0ca138cdfba6d584006a9b8105de1a8e68d10636028a782ff3
                                • Instruction ID: 66da96a2bac71dcb13fa53c53b410c2ec7dc3b67ccd4c81c7949b8dad1257f88
                                • Opcode Fuzzy Hash: 0685f91b45cbdf0ca138cdfba6d584006a9b8105de1a8e68d10636028a782ff3
                                • Instruction Fuzzy Hash: AE41D3719082299FDB64CF58C989BEEB7B5BB84304F1445DAE409AB241C7389EC1CF45
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: __inc$__hextodec__un_inc_isdigit_isxdigit
                                • String ID: 0$p
                                • API String ID: 500523077-2059906072
                                • Opcode ID: 04da5069397b075e653506d4188bde8c25525b423427e154921d5491573031cb
                                • Instruction ID: 6b59d60e470b2688df4fca62ab249f9125279fcdb80552354e7482094790bb3c
                                • Opcode Fuzzy Hash: 04da5069397b075e653506d4188bde8c25525b423427e154921d5491573031cb
                                • Instruction Fuzzy Hash: 75414CB1D042A99ACF25CF65C8942EEBB71AF05308F2581EFD81966302D239DAC5CF49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: __aulldiv__aullrem_get_int64_arg
                                • String ID: 0$9
                                • API String ID: 3120068967-1975997740
                                • Opcode ID: adf89d3c19f081dca0014650f750430d885a7cf6bbcb9a16a6fa2b3a43d07e97
                                • Instruction ID: 74cb3aa1fb84b278cd05ca6ea8a4370dc3a41d3c72b4f31d23988da057b4ed0c
                                • Opcode Fuzzy Hash: adf89d3c19f081dca0014650f750430d885a7cf6bbcb9a16a6fa2b3a43d07e97
                                • Instruction Fuzzy Hash: 114105B1E15228DFDB24CF58E889BAEBBB5FB84304F50819AD448A7240C7385E81CF49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: __aulldiv__aullrem_get_int64_arg
                                • String ID: 0$9
                                • API String ID: 3120068967-1975997740
                                • Opcode ID: 65d4fb54393684fd377d7b0f3d77692b0563070c7f279eb9e5d07005dacc9ba6
                                • Instruction ID: e675631b09abcb4a3db81451e5924fefa61cd99c30674d547d3908986f46349b
                                • Opcode Fuzzy Hash: 65d4fb54393684fd377d7b0f3d77692b0563070c7f279eb9e5d07005dacc9ba6
                                • Instruction Fuzzy Hash: 5041E2B1D082299FDB64CF48C989BEEB7B5BB84304F1445DAE449AB241C7389EC1CF49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: __aulldiv__aullrem_get_int64_arg
                                • String ID: '$9
                                • API String ID: 3120068967-1823400153
                                • Opcode ID: b53842285cc36683f1c6ce8fb90574166aff5df858b6c8ef311ad64556746230
                                • Instruction ID: 88a54ba87f90a9f5b032cfd84d745c94e298abe8153fd9a8b2ffa27ed5e4d3c8
                                • Opcode Fuzzy Hash: b53842285cc36683f1c6ce8fb90574166aff5df858b6c8ef311ad64556746230
                                • Instruction Fuzzy Hash: 994107B1E10129AFDF24CF48D981BAEB7B5FF85318F50409AD148AB241D7789E81CF5A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: __hextodec__inc_isxdigit
                                • String ID: +$p
                                • API String ID: 3003077261-1790238857
                                • Opcode ID: f8efa3abca31849c5592b86eeb0e740c30bf76091945ac1854910c1bafb44064
                                • Instruction ID: adce234988b22d8bd5ae00344cc608b77643e63ba8c088d33e61c2c02cac5546
                                • Opcode Fuzzy Hash: f8efa3abca31849c5592b86eeb0e740c30bf76091945ac1854910c1bafb44064
                                • Instruction Fuzzy Hash: 33317E70D042999BCF25CFA8C8553EEBB71AF05308F1581EBD85966303D2399AC5CF49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: __set_error_mode$_strlen
                                • String ID: jjj$t/j
                                • API String ID: 3008368703-194299851
                                • Opcode ID: 5237a7f9a8c83429df2317257b9317bfec3c0575f1e6d1d1950fffdc02ce5e66
                                • Instruction ID: 6db5c2610d0dec12d3da948c66cac38ab562fe90bf1a157d35b76242cbf996f9
                                • Opcode Fuzzy Hash: 5237a7f9a8c83429df2317257b9317bfec3c0575f1e6d1d1950fffdc02ce5e66
                                • Instruction Fuzzy Hash: 0A21C174904208FBDB20DB94DD45BEE3770EB89314F2082AAE40567391D3799E91DF8A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __raise_exc.LIBCMTD ref: 0041E231
                                  • Part of subcall function 0041E800: __raise_exc_ex.LIBCMTD ref: 0041E81F
                                • __umatherr.LIBCMTD ref: 0041E286
                                  • Part of subcall function 0041EB40: __ctrlfp.LIBCMTD ref: 0041EB90
                                • __ctrlfp.LIBCMTD ref: 0041E2AA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: __ctrlfp$__raise_exc__raise_exc_ex__umatherr
                                • String ID: Q.$RB
                                • API String ID: 3448981373-1859500299
                                • Opcode ID: 79aa403e752d0bb788226e970f0c201ec913c65f09f5babb0604909f941a5acb
                                • Instruction ID: 65805f5889b076a55894a1ab3ee9b8424b6840a77c5e5b563534fe767c40347b
                                • Opcode Fuzzy Hash: 79aa403e752d0bb788226e970f0c201ec913c65f09f5babb0604909f941a5acb
                                • Instruction Fuzzy Hash: 9A11A5FA800104DBCF14EF95ECC6ADA7374BF48304F0446DDED454A14AEA35D9A8CBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ___libm_error_support.LIBCMTD ref: 0040A155
                                  • Part of subcall function 0040E600: __encode_pointer.LIBCMTD ref: 0040E6E1
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: ___libm_error_support__encode_pointer
                                • String ID:
                                • API String ID: 3390238661-0
                                • Opcode ID: f2b5aa644959d262cfab37b3245a945c98fff48b4c57d48cb8fde3180fc3fbeb
                                • Instruction ID: 7b92bbdbbb07480f0aed9223c0c225ba86dfd7bf963a0cba62cf58ff75b82bfd
                                • Opcode Fuzzy Hash: f2b5aa644959d262cfab37b3245a945c98fff48b4c57d48cb8fde3180fc3fbeb
                                • Instruction Fuzzy Hash: 98412935C04704D6CB21AF79DA4516E77B0EF85344F10CB7AF88876291EB348959D34B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: __getbuf__isatty__write
                                • String ID: 8uA
                                • API String ID: 2861569966-2259325327
                                • Opcode ID: cc1b0abdc2988826ec5a43669376b69e5abb6e32c2e8dc166d42234ab6b96b39
                                • Instruction ID: 0dd3b1d60e5f64f8659b5d50802fca4c560dc3e1392e070fed4939187e0a6d64
                                • Opcode Fuzzy Hash: cc1b0abdc2988826ec5a43669376b69e5abb6e32c2e8dc166d42234ab6b96b39
                                • Instruction Fuzzy Hash: 87510874A00208EFDB04CF94D491AADFBB1FF89324F548299E8856B391C739EA81CF44
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: _memset$__invalid_parameter
                                • String ID: P
                                • API String ID: 2178901135-3110715001
                                • Opcode ID: c1c4b16355b8126a1f74390666c0cf54e97bcb35e05dabf74a386e16d8580c85
                                • Instruction ID: 246fb221c4c39f57b5f0615587a7835857ec6ffcce735e185f1bf46c02527c7d
                                • Opcode Fuzzy Hash: c1c4b16355b8126a1f74390666c0cf54e97bcb35e05dabf74a386e16d8580c85
                                • Instruction Fuzzy Hash: AB418974B04319EBCF24CF58D8857AE7771FB41328F21866AE8252A3C0D3799995CF89
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: __aulldiv__aullrem_get_int64_arg
                                • String ID: 9
                                • API String ID: 3120068967-2366072709
                                • Opcode ID: a9d99888770cab9d7e0f0c34f27cf5cecb2e14e8e89c15b6abf3e2c8dcae7157
                                • Instruction ID: 0f748674789098517c81c6bfd64f9e761f8b5fa2f9a4a8db8edf5eac7631dedc
                                • Opcode Fuzzy Hash: a9d99888770cab9d7e0f0c34f27cf5cecb2e14e8e89c15b6abf3e2c8dcae7157
                                • Instruction Fuzzy Hash: F04117B1E10129AFDF24CF48D881BAEB7B4FF85318F50409AD148AB241D7789E85CF4A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: __aulldiv__aullrem_get_int64_arg
                                • String ID: 9
                                • API String ID: 3120068967-2366072709
                                • Opcode ID: 71fc9a78994e6d16d0c1169087281eb279d550b6d0d5854cb0eb6f4c469db18a
                                • Instruction ID: 7d622ab20ed276f116396610c0aec0db95fc003ade2d99466f96e2832dab4621
                                • Opcode Fuzzy Hash: 71fc9a78994e6d16d0c1169087281eb279d550b6d0d5854cb0eb6f4c469db18a
                                • Instruction Fuzzy Hash: 2041E4B1E15229DFEB24CF58EC99BAEB7B5FB84300F50859AD449A7240D7385E81CF48
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: __aulldiv__aullrem_get_int64_arg
                                • String ID: 9
                                • API String ID: 3120068967-2366072709
                                • Opcode ID: d9517b125610d09cf6686e9e1e60e3f7890620e4f9ac7ed4a8b95ee4aad8908b
                                • Instruction ID: c5f49ca03594f23acbc4f4cd6f5b4d54cf19c5277b46b3f938c6ca43fe85ffb3
                                • Opcode Fuzzy Hash: d9517b125610d09cf6686e9e1e60e3f7890620e4f9ac7ed4a8b95ee4aad8908b
                                • Instruction Fuzzy Hash: F54106B1E10129AFDB24CF48DD81BAEB7B5FF85314F508199D148AB241D7789E80CF59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: __aulldiv__aullrem_get_int64_arg
                                • String ID: 9
                                • API String ID: 3120068967-2366072709
                                • Opcode ID: 20673bb0dd0d476465353f81658d8a072f6559d7ea614f6567867374e6f90a8a
                                • Instruction ID: a4f503f4a05c619a2cb2715f3afc384eec036e56c76c5104009c60b3daeeaa8c
                                • Opcode Fuzzy Hash: 20673bb0dd0d476465353f81658d8a072f6559d7ea614f6567867374e6f90a8a
                                • Instruction Fuzzy Hash: 6041E471E0862A9FDB64DF48C989BEEB7B5BB84300F1485DAE009A7241D7389EC1CF45
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: _get_int64_arg$__aulldiv__aullrem
                                • String ID: 9
                                • API String ID: 2124759748-2366072709
                                • Opcode ID: 52b33b09ba93cfe225179afbd334edf23daf10a9ddb99f53eed7ec5f04d9215f
                                • Instruction ID: 584235817bc73f8ae962284972e65426d18d9de26950287a78096d0aaed1cb15
                                • Opcode Fuzzy Hash: 52b33b09ba93cfe225179afbd334edf23daf10a9ddb99f53eed7ec5f04d9215f
                                • Instruction Fuzzy Hash: FF41D5B1E15228DFDB24CF58E889BAEB7B5FB84300F60859AD449A7240D7385E81CF49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: _get_int64_arg$__aulldiv__aullrem
                                • String ID: 9
                                • API String ID: 2124759748-2366072709
                                • Opcode ID: 86485ad8320365a21d973e09cedde198a619cafc6831d8c362282d666b7d4256
                                • Instruction ID: 80de0027016aba27cfb710d9a3c87b46e20102838d83ac131788fc0b50bedefa
                                • Opcode Fuzzy Hash: 86485ad8320365a21d973e09cedde198a619cafc6831d8c362282d666b7d4256
                                • Instruction Fuzzy Hash: 4041E4B1E082299FDB64DF58C989BEEB7B5BB84300F1045DAE409A7241D7389EC1CF49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: _get_int64_arg$__aulldiv__aullrem
                                • String ID: 9
                                • API String ID: 2124759748-2366072709
                                • Opcode ID: 0dfdaa36073ef9f1184e557c8796e4b4eb4d7ebd374c62414a2cd066758d1c8f
                                • Instruction ID: 0be7bbea8f8936df4ac83a2c52f3f5a9c458ef7ad509494722a83a080cae16c0
                                • Opcode Fuzzy Hash: 0dfdaa36073ef9f1184e557c8796e4b4eb4d7ebd374c62414a2cd066758d1c8f
                                • Instruction Fuzzy Hash: A64105B1E00129AFDB24CF48D981B9EB7B4FF85318F50419AE148A7201D7789E80CF5A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ___dtold.LIBCMTD ref: 0041FAAA
                                • _$I10_OUTPUT.LIBCMTD ref: 0041FAD2
                                • _wcscpy_s.LIBCMTD ref: 0041FB12
                                  • Part of subcall function 0040D730: __invalid_parameter.LIBCMTD ref: 0040D7A2
                                • __invoke_watson_if_error.LIBCMTD ref: 0041FB1B
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: I10____dtold__invalid_parameter__invoke_watson_if_error_wcscpy_s
                                • String ID:
                                • API String ID: 289039318-0
                                • Opcode ID: 92aaf2b82aea1797b1c4990a34dc3c2eaf7d02ca6b795ae88429b16248d6c0e2
                                • Instruction ID: 5976e6ebbafa2d317bb44c7ecfea3bb8eedc22a98761cefad2f2701c318cf0c0
                                • Opcode Fuzzy Hash: 92aaf2b82aea1797b1c4990a34dc3c2eaf7d02ca6b795ae88429b16248d6c0e2
                                • Instruction Fuzzy Hash: 20214DB5A002089BCB04EFA4D942ADEB7F4EF8C704F108569F90567382E634E915CBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __whiteout.LIBCMTD ref: 00415B5F
                                • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00416B66
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: Locale$UpdateUpdate::~___whiteout
                                • String ID: n
                                • API String ID: 2661511698-2013832146
                                • Opcode ID: 2516c8dfc543d407d4c8a144eb9cf6009eb1a8c8fb2bed4a5b4bfbd473836ec5
                                • Instruction ID: ecfd4378f8583d72b307479f6d223e2097ebd30da65c6bdb4e1d2919ce9eeb8a
                                • Opcode Fuzzy Hash: 2516c8dfc543d407d4c8a144eb9cf6009eb1a8c8fb2bed4a5b4bfbd473836ec5
                                • Instruction Fuzzy Hash: B241A070909659CBCF24CF54D4957EEBBB1AF41315F14829BD8156B282C338AEC1CF59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __whiteout.LIBCMTD ref: 00415B5F
                                • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00416B66
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: Locale$UpdateUpdate::~___whiteout
                                • String ID: n
                                • API String ID: 2661511698-2013832146
                                • Opcode ID: d2cf797c362700c7c598d5f58046728f5b52e3385e363cb4ed932ee8fd006abd
                                • Instruction ID: ecfd4378f8583d72b307479f6d223e2097ebd30da65c6bdb4e1d2919ce9eeb8a
                                • Opcode Fuzzy Hash: d2cf797c362700c7c598d5f58046728f5b52e3385e363cb4ed932ee8fd006abd
                                • Instruction Fuzzy Hash: B241A070909659CBCF24CF54D4957EEBBB1AF41315F14829BD8156B282C338AEC1CF59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __whiteout.LIBCMTD ref: 00415B5F
                                • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00416B66
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: Locale$UpdateUpdate::~___whiteout
                                • String ID: n
                                • API String ID: 2661511698-2013832146
                                • Opcode ID: 81b4a4ac1d906f0f7d1c4b56dcd511b19de96e8159785e3cfc507fb03a1586ed
                                • Instruction ID: 877292e96ff1bb00e21e4e8a2193c3722173543034e2bdd30c2b242f653ec0a3
                                • Opcode Fuzzy Hash: 81b4a4ac1d906f0f7d1c4b56dcd511b19de96e8159785e3cfc507fb03a1586ed
                                • Instruction Fuzzy Hash: 4A318270909668CBCF24CF55D4957EEBBB0AF41315F14829BD8656B282C338AEC1CF19
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.386662790.0000000000409000.00000020.00000001.01000000.00000003.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_409000_file.jbxd
                                Similarity
                                • API ID: Locale__hextodec__inc__un_inc_isdigit_isxdigit$UpdateUpdate::~_
                                • String ID: p
                                • API String ID: 1652772854-2181537457
                                • Opcode ID: 1588b932da412bbf87f59dad724f1803a9f1c0a02590b428f0eafa555efa337b
                                • Instruction ID: 2e713e9dbd54042634f8fed090cb0d75afbde769bb5addf1dc00d549ecf89bff
                                • Opcode Fuzzy Hash: 1588b932da412bbf87f59dad724f1803a9f1c0a02590b428f0eafa555efa337b
                                • Instruction Fuzzy Hash: 25219071D042698ACF25CF65C8443FEBBB5AF05308F1581EBD81966302D239CAC1CF89
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Execution Graph

                                Execution Coverage:1.8%
                                Dynamic/Decrypted Code Coverage:13.4%
                                Signature Coverage:0%
                                Total number of Nodes:82
                                Total number of Limit Nodes:4

                                Control-flow Graph

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: _wscanf$__nh_malloc_dbg__realloc_dbg__wctomb_s_l__wremove__wrename_abort_labs_malloc_memset_realloc_wprintf
                                • String ID: msimg32.dll
                                • API String ID: 2019212891-3287713914
                                • Opcode ID: 2ad864a010214a7997f26c51bd4d6d42cc7d3a8671068fa2767f1c33c8d9b0d1
                                • Instruction ID: e422161b7b5bbf4efaa1130811f3b2fcb5ec8ed0f934f484f65b9b74cbfb9347
                                • Opcode Fuzzy Hash: 2ad864a010214a7997f26c51bd4d6d42cc7d3a8671068fa2767f1c33c8d9b0d1
                                • Instruction Fuzzy Hash: AE517EB2902524BBD7156BA29D0DDDF3B6CEF0A355B000076F606B50A1D73C5A45CBBE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                C-Code - Quality: 100%
                                			E004017E2(void* __edx) {
                                				void* _t4;
                                
                                				 *((intOrPtr*)(_t4 - 0x77)) =  *((intOrPtr*)(_t4 - 0x77)) + __edx;
                                			}




                                0x004017e2

                                APIs
                                • Sleep.KERNELBASE(00001388), ref: 00401823
                                • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040184B
                                Memory Dump Source
                                • Source File: 00000007.00000002.440669610.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_400000_erhuush.jbxd
                                Similarity
                                • API ID: ProcessSleepTerminate
                                • String ID:
                                • API String ID: 417527130-0
                                • Opcode ID: 4dede37128b39f4f7e7a4df5dc33f26b0f76fbcd4aaa8ffb007c11c557e31b11
                                • Instruction ID: ddaf0562df841adfab300f0276baae716c17d25714fd681a3a6e16616d485b4c
                                • Opcode Fuzzy Hash: 4dede37128b39f4f7e7a4df5dc33f26b0f76fbcd4aaa8ffb007c11c557e31b11
                                • Instruction Fuzzy Hash: EC015233148208EBDB017AA59C41DA97729AB45754F30C537FA03791F1D67D8713A72B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph 517 4017e3-4017ec 518 401800 517->518 519 4017f1-401803 517->519 518->519 521 401813 519->521 522 40180a-40180f 519->522 521->522 523 401816-401838 call 401118 Sleep call 401360 521->523 522->523 528 401847-40184d NtTerminateProcess 523->528 529 40183a-401842 call 401432 523->529 531 401853-401859 528->531 532 40185d 528->532 529->528 533 401860-401880 call 401118 531->533 532->531 532->533
                                C-Code - Quality: 18%
                                			E004017E3(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                				char _v8;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				intOrPtr _t8;
                                				char* _t9;
                                				void* _t11;
                                				void* _t13;
                                				intOrPtr* _t14;
                                				intOrPtr _t16;
                                				void* _t17;
                                				void* _t18;
                                				void* _t19;
                                				void* _t20;
                                				intOrPtr* _t21;
                                				intOrPtr* _t22;
                                				void* _t24;
                                				void* _t26;
                                
                                				_push(0x181b);
                                				_t8 =  *_t21;
                                				_t22 = _t21 + 4;
                                				L00401118(_t8, _t13, 0x61, _t19, _t20, _t24);
                                				_t14 = _a4;
                                				Sleep(0x1388);
                                				_t3 =  &_v8; // 0x1b68f34d
                                				_t9 = _t3;
                                				_push(_t9);
                                				_push(_a12);
                                				_push(_a8);
                                				_push(_t14); // executed
                                				L00401360(); // executed
                                				_t25 = _t9;
                                				if(_t9 != 0) {
                                					_push(_a16);
                                					_push(_v8);
                                					_push(_t9);
                                					_push(_t14); // executed
                                					E00401432(_t14, _t17, _t18, _t19, _t26); // executed
                                				}
                                				 *_t14(0xffffffff, 0); // executed
                                				_t11 = 0x181b;
                                				_push(0x61);
                                				_t16 =  *_t22;
                                				L00401118(_t11, _t14, _t16, _t19, _t20, _t25);
                                				return _t11;
                                			}

                                APIs
                                • Sleep.KERNELBASE(00001388), ref: 00401823
                                • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040184B
                                Memory Dump Source
                                • Source File: 00000007.00000002.440669610.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_400000_erhuush.jbxd
                                Similarity
                                • API ID: ProcessSleepTerminate
                                • String ID:
                                • API String ID: 417527130-0
                                • Opcode ID: eed50f69cd3fa7174ad76653e673f5296f9ebb16c169d6494c900a5425ffe511
                                • Instruction ID: 1d0556d2ce3487287f662705d53e2785c513140bae9e3f24436a296874fe77da
                                • Opcode Fuzzy Hash: eed50f69cd3fa7174ad76653e673f5296f9ebb16c169d6494c900a5425ffe511
                                • Instruction Fuzzy Hash: 15017533108208F7D7017A958C42DAA3628AB45754F30C437BA03790F1D57DDB12676B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph 539 4017ee-401803 541 401813 539->541 542 40180a-40180f 539->542 541->542 543 401816-401838 call 401118 Sleep call 401360 541->543 542->543 548 401847-40184d NtTerminateProcess 543->548 549 40183a-401842 call 401432 543->549 551 401853-401859 548->551 552 40185d 548->552 549->548 553 401860-401880 call 401118 551->553 552->551 552->553
                                C-Code - Quality: 20%
                                			E004017EE(void* __edi, void* __esi) {
                                				intOrPtr _t8;
                                				intOrPtr* _t9;
                                				void* _t11;
                                				void* _t13;
                                				intOrPtr* _t14;
                                				intOrPtr _t17;
                                				void* _t18;
                                				void* _t19;
                                				intOrPtr* _t25;
                                				intOrPtr* _t26;
                                				void* _t29;
                                				void* _t31;
                                
                                				_t21 = __esi;
                                				_t19 = __edi;
                                				_push(0x181b);
                                				_t8 =  *_t25;
                                				_t26 = _t25 + 4;
                                				L00401118(_t8, _t13, 0x61, __esi, 0x1b68f351, _t29);
                                				_t14 =  *((intOrPtr*)(0x1b68f359));
                                				Sleep(0x1388);
                                				_t9 = 0x1b68f34d;
                                				_push(_t9);
                                				_push( *0x1B68F361);
                                				_push( *0x1B68F35D);
                                				_push(_t14); // executed
                                				L00401360(); // executed
                                				_t30 = _t9;
                                				if(_t9 != 0) {
                                					_push( *0x1B68F365);
                                					_push( *((intOrPtr*)(0x1b68f34d)));
                                					_push(_t9);
                                					_push(_t14); // executed
                                					E00401432(_t14, _t18, _t19, _t21, _t31); // executed
                                				}
                                				 *_t14(0xffffffff, 0); // executed
                                				_t11 = 0x181b;
                                				_push(0x61);
                                				_t17 =  *_t26;
                                				L00401118(_t11, _t14, _t17, _t21, 0x1b68f351, _t30);
                                				return _t11;
                                			}

                                APIs
                                • Sleep.KERNELBASE(00001388), ref: 00401823
                                • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040184B
                                Memory Dump Source
                                • Source File: 00000007.00000002.440669610.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_400000_erhuush.jbxd
                                Similarity
                                • API ID: ProcessSleepTerminate
                                • String ID:
                                • API String ID: 417527130-0
                                • Opcode ID: 0a9656e0e1b5f21b45c9f82a7808bfe019579950b80e51e68eaabb0023cd3f01
                                • Instruction ID: 6a2648c31bf342f80e2744bc490c75df06b0a743f4722301b2fbabc3dba0a0aa
                                • Opcode Fuzzy Hash: 0a9656e0e1b5f21b45c9f82a7808bfe019579950b80e51e68eaabb0023cd3f01
                                • Instruction Fuzzy Hash: 54016733508304ABDB017AA18C42EA937289B45754F24C577BB13790F2D57DCB12A72B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph 559 401807-401838 call 401118 Sleep call 401360 566 401847-40184d NtTerminateProcess 559->566 567 40183a-401842 call 401432 559->567 569 401853-401859 566->569 570 40185d 566->570 567->566 571 401860-401880 call 401118 569->571 570->569 570->571
                                C-Code - Quality: 24%
                                			E00401807(signed int __edx, void* __edi, void* __esi) {
                                				void* _t9;
                                				void* _t10;
                                				void* _t12;
                                				void* _t14;
                                				intOrPtr* _t15;
                                				intOrPtr _t18;
                                				void* _t21;
                                				void* _t25;
                                				intOrPtr* _t27;
                                				signed char _t30;
                                				void* _t32;
                                
                                				_t23 = __esi;
                                				_t21 = __edi;
                                				_t20 = __edx |  *(_t25 + 0x7b);
                                				_t30 = __edx |  *(_t25 + 0x7b);
                                				L00401118(_t9, _t14, 0x61, __esi, _t25, _t30);
                                				_t15 =  *((intOrPtr*)(_t25 + 8));
                                				Sleep(0x1388);
                                				_t4 = _t25 - 4; // 0x1b68f34d
                                				_t10 = _t4;
                                				_push(_t10);
                                				_push( *((intOrPtr*)(_t25 + 0x10)));
                                				_push( *((intOrPtr*)(_t25 + 0xc)));
                                				_push(_t15); // executed
                                				L00401360(); // executed
                                				_t31 = _t10;
                                				if(_t10 != 0) {
                                					_push( *((intOrPtr*)(_t25 + 0x14)));
                                					_push( *((intOrPtr*)(_t25 - 4)));
                                					_push(_t10);
                                					_push(_t15); // executed
                                					E00401432(_t15, _t20, _t21, _t23, _t32); // executed
                                				}
                                				 *_t15(0xffffffff, 0); // executed
                                				_t12 = 0x181b;
                                				_push(0x61);
                                				_t18 =  *_t27;
                                				L00401118(_t12, _t15, _t18, _t23, _t25, _t31);
                                				return _t12;
                                			}

                                APIs
                                • Sleep.KERNELBASE(00001388), ref: 00401823
                                • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040184B
                                Memory Dump Source
                                • Source File: 00000007.00000002.440669610.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_400000_erhuush.jbxd
                                Similarity
                                • API ID: ProcessSleepTerminate
                                • String ID:
                                • API String ID: 417527130-0
                                • Opcode ID: fa61b3bfe6e1efcc42a3172324d87a3747898b17389843dd474e8030b106d628
                                • Instruction ID: d1e85a843a3bf15b3ffbd62fd2fe31d474754e63a526ee7ed21e8696c92682af
                                • Opcode Fuzzy Hash: fa61b3bfe6e1efcc42a3172324d87a3747898b17389843dd474e8030b106d628
                                • Instruction Fuzzy Hash: 2FF04F33204208FBDB007BA18C42EAD3729AB45754F20C537BA13790F2D679CA12A72B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • _check_managed_app.LIBCMTD ref: 0040AF2C
                                • __heap_init.LIBCMTD ref: 0040AF36
                                  • Part of subcall function 00419610: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,0040AF3B,00000001), ref: 00419626
                                • _fast_error_exit.LIBCMTD ref: 0040AF44
                                  • Part of subcall function 0040B090: ___crtExitProcess.LIBCMTD ref: 0040B0B4
                                • __mtinit.LIBCMTD ref: 0040AF4C
                                • _fast_error_exit.LIBCMTD ref: 0040AF57
                                • __RTC_Initialize.LIBCMTD ref: 0040AF69
                                • ___crtGetEnvironmentStringsA.LIBCMTD ref: 0040AF93
                                • ___setargv.LIBCMTD ref: 0040AF9D
                                • __setenvp.LIBCMTD ref: 0040AFB0
                                • __cinit.LIBCMTD ref: 0040AFC5
                                • __wincmdln.LIBCMTD ref: 0040AFE2
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: ___crt_fast_error_exit$CreateEnvironmentExitHeapInitializeProcessStrings___setargv__cinit__heap_init__mtinit__setenvp__wincmdln_check_managed_app
                                • String ID:
                                • API String ID: 2258361453-0
                                • Opcode ID: 4086065ac970038e79a776750f7548aa05e0e09ea29f0b4c0b31f8981395e636
                                • Instruction ID: a7ddb7468b00b09513485c08426ead2e5ea3c26d69e3af7857e19453d79bf949
                                • Opcode Fuzzy Hash: 4086065ac970038e79a776750f7548aa05e0e09ea29f0b4c0b31f8981395e636
                                • Instruction Fuzzy Hash: 6B41B3F1D003099BDB00ABB2AC0679E76B4AF54748F10013EE515AB2C2EB799540CB9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph 133 40af25-40af2c call 40b0c0 136 40af31-40af36 call 419610 133->136 138 40af3b-40af40 136->138 139 40af42-40af44 call 40b090 138->139 140 40af4c call 412520 138->140 143 40af49 139->143 144 40af51-40af53 140->144 143->140 145 40af55-40af5c call 40b090 144->145 146 40af5f-40af69 call 40d700 call 419590 144->146 145->146 152 40af6e-40af75 call 4190f0 146->152 154 40af7a-40af7c 152->154 155 40af88 154->155 156 40af7e-40af85 call 414650 154->156 159 40af8e-40af93 call 418ed0 155->159 156->155 161 40af98-40afa4 call 418a40 159->161 164 40afb0 call 4188a0 161->164 165 40afa6-40afa8 call 414650 161->165 169 40afb5-40afb7 164->169 168 40afad 165->168 168->164 170 40afc3-40afd4 call 414530 169->170 171 40afb9-40afc0 call 414650 169->171 176 40afe2-40aff0 call 4187d0 170->176 177 40afd6-40afdf call 414650 170->177 171->170 182 40aff2-40aff9 176->182 183 40affb 176->183 177->176 184 40b002-40b011 call 409b11 182->184 183->184 186 40b016-40b01d 184->186 187 40b028-40b089 call 414610 186->187 188 40b01f-40b023 call 4145d0 186->188 188->187
                                APIs
                                • _check_managed_app.LIBCMTD ref: 0040AF2C
                                • __heap_init.LIBCMTD ref: 0040AF36
                                  • Part of subcall function 00419610: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,0040AF3B,00000001), ref: 00419626
                                • _fast_error_exit.LIBCMTD ref: 0040AF44
                                  • Part of subcall function 0040B090: ___crtExitProcess.LIBCMTD ref: 0040B0B4
                                • __mtinit.LIBCMTD ref: 0040AF4C
                                • _fast_error_exit.LIBCMTD ref: 0040AF57
                                • __RTC_Initialize.LIBCMTD ref: 0040AF69
                                • ___crtGetEnvironmentStringsA.LIBCMTD ref: 0040AF93
                                • ___setargv.LIBCMTD ref: 0040AF9D
                                • __setenvp.LIBCMTD ref: 0040AFB0
                                • __cinit.LIBCMTD ref: 0040AFC5
                                • __wincmdln.LIBCMTD ref: 0040AFE2
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: ___crt_fast_error_exit$CreateEnvironmentExitHeapInitializeProcessStrings___setargv__cinit__heap_init__mtinit__setenvp__wincmdln_check_managed_app
                                • String ID:
                                • API String ID: 2258361453-0
                                • Opcode ID: b4164f6d4685f9dc647e4ff3c01fe10f2011dd5ecc3773d6662f2e0acad5b2fb
                                • Instruction ID: 9f0ef44384bb957edc35c3b29ca9c2b5aa09c4f6599d807b4947cf27e1b66438
                                • Opcode Fuzzy Hash: b4164f6d4685f9dc647e4ff3c01fe10f2011dd5ecc3773d6662f2e0acad5b2fb
                                • Instruction Fuzzy Hash: CF3173F1D003059AEB10BBB2AD067DE7660AF5434CF10013FE9196B2C2FB799954CA9B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph 194 40b4d7-40b4e8 195 40b4ea-40b4f8 194->195 196 40b53f-40b54e 194->196 199 40b530-40b539 195->199 200 40b4fa-40b501 call 40c8d0 195->200 197 40b550-40b559 196->197 198 40b55c-40b563 196->198 197->198 201 40b55b 197->201 202 40b565-40b588 198->202 203 40b5da-40b5e6 198->203 199->196 212 40b503-40b521 call 40df70 200->212 213 40b524-40b52e 200->213 201->198 202->203 215 40b58a-40b58e 202->215 205 40b5e8-40b5f0 203->205 206 40b5f9-40b5fd 203->206 205->206 208 40b5f2 205->208 209 40b62c-40b638 206->209 210 40b5ff-40b61b call 4198d0 206->210 208->206 217 40b674-40b681 call 419810 209->217 218 40b63a-40b63e 209->218 226 40b61d 210->226 227 40b61e-40b627 210->227 212->213 229 40b523 212->229 213->196 221 40b590-40b5b0 call 4198d0 215->221 222 40b5b5-40b5d2 call 4198d0 215->222 225 40b686-40b690 217->225 218->217 224 40b640-40b64c 218->224 244 40b5b2 221->244 245 40b5b3 221->245 238 40b5d4 222->238 239 40b5d5 222->239 224->217 231 40b64e-40b652 224->231 234 40b6a0-40b6b3 225->234 235 40b692-40b69b 225->235 226->227 237 40b812-40b83f call 40b820 227->237 229->213 231->217 233 40b654-40b671 call 4198d0 231->233 233->217 251 40b673 233->251 241 40b6b5-40b6f9 234->241 242 40b6fe-40b70a 234->242 235->237 238->239 239->237 247 40b7b8-40b80f call 40a2b0 * 3 241->247 248 40b70c-40b71b 242->248 249 40b71d 242->249 244->245 245->239 247->237 253 40b727-40b740 248->253 249->253 251->217 256 40b742-40b748 253->256 257 40b74e-40b755 253->257 256->257 258 40b764-40b767 257->258 259 40b757-40b762 257->259 261 40b76d-40b7b2 258->261 259->261 261->247
                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: _memset$CheckMemory__heap_alloc_base
                                • String ID:
                                • API String ID: 4254127243-0
                                • Opcode ID: 782c486867dbfdf79707c8b7b84721dc0e730895fb2ba11e1fecccc80f7ba8a3
                                • Instruction ID: 10aa9e1e72f509eec9c2030512bc02d8ab3a9285472f538c0d3528d51176eff9
                                • Opcode Fuzzy Hash: 782c486867dbfdf79707c8b7b84721dc0e730895fb2ba11e1fecccc80f7ba8a3
                                • Instruction Fuzzy Hash: 59A14A79A002049FDB14DF44DC85BAE77B1FB89314F20826AE9056B3D2D379AD40CF99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph 265 409630-409654 call 40a280 LocalAlloc 268 409659-409660 265->268 269 409666-409733 268->269 270 40973a-40973b 268->270 269->270 270->268 271 409741 270->271 273 409746-40974c 271->273 274 40975a-409760 273->274 275 40974e-409753 273->275 276 409762-409767 274->276 277 40976c-409773 274->277 275->274 276->277 277->273 279 409775 277->279 280 409777-40977d 279->280 282 40979a-4097a1 280->282 283 40977f-409793 280->283 284 4097a3-4097d1 call 40a2b0 282->284 285 4097d8-4097df 282->285 283->282 284->285 285->280 287 4097e1-4097e9 285->287 289 40981b 287->289 290 4097eb-4097f5 287->290 296 40981d-409827 289->296 293 4097f7-409805 290->293 294 40980c-409819 call 409429 290->294 293->294 294->289 294->290 301 409830-409836 296->301 302 409829 296->302 303 409844-40984b 301->303 304 409838-40983f 301->304 302->301 303->296 308 40984d-409865 303->308 304->303 312 409867-40986a 308->312 314 409871-409878 312->314 315 40986c call 409531 312->315 314->312 317 40987a-409896 call 40937f 314->317 315->314 322 409898-40989f 317->322 323 4098a1-4098ae 322->323 324 4098b5-4098bb 322->324 323->324 325 4098c2-4098c9 324->325 326 4098bd call 409523 324->326 325->322 330 4098cb 325->330 326->325 331 4098d0-4098d7 330->331 334 4098d9-4098e8 331->334 335 4098ee-4098ef 331->335 334->335 335->331 337 4098f1-40997c call 40917c LoadLibraryW 335->337 343 4099f2-4099f9 337->343 344 40997e-4099ec 337->344 345 409b0a-409b10 343->345 346 4099ff-409b07 343->346 344->343 346->345
                                APIs
                                • LocalAlloc.KERNELBASE(00000000), ref: 00409649
                                • _memset.LIBCMT ref: 004097B4
                                • LoadLibraryW.KERNELBASE(00844200), ref: 00409966
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: AllocLibraryLoadLocal_memset
                                • String ID: msimg32.dll
                                • API String ID: 3001991562-3287713914
                                • Opcode ID: 3c6d298495194a7d43d133cce53dba0bfa3f0cc23cecebb99af27589142207ee
                                • Instruction ID: 4bbf95d1d07f5b793a551445cec3f97fb7520ad9971ce6f5d0ca53ce5d14d8fc
                                • Opcode Fuzzy Hash: 3c6d298495194a7d43d133cce53dba0bfa3f0cc23cecebb99af27589142207ee
                                • Instruction Fuzzy Hash: A4D1E1B6800258BFE7016BB0EDC8EAB776CFB19349B005436F646E1572D6788D85CB78
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph 387 4190f0-41918a call 40b910 392 419194-4191a7 387->392 393 41918c-41918f 387->393 395 4191b2-4191bf 392->395 394 41957a-41958b 393->394 396 4191c1-41921d 395->396 397 41921f-419225 395->397 396->395 399 419423-419439 397->399 400 41922b-41922f 397->400 403 41956b-419578 399->403 404 41943f-419454 399->404 400->399 402 419235-419256 400->402 405 419263 402->405 406 419258-419261 402->406 403->394 407 419462-41946d 404->407 408 419456-41945c 404->408 409 41926d-41927d 405->409 406->409 412 41947b-419488 407->412 413 41946f-419479 407->413 408->407 411 419554-419563 408->411 414 419288-419291 409->414 418 419566 411->418 415 41948e-4194a2 412->415 413->415 416 419353-41935a 414->416 417 419297-4192b6 call 40b910 414->417 426 419539-41954c 415->426 427 4194a8-4194ac 415->427 419 419377-41937d 416->419 428 4192c5-4192df 417->428 429 4192b8-4192c0 417->429 418->403 419->399 421 419383-419389 419->421 424 41938f-419395 421->424 425 41941e 421->425 424->425 431 41939b-4193a4 424->431 425->419 432 419552 426->432 427->426 433 4194b2-4194c3 427->433 434 4192ea-4192fc 428->434 429->416 431->425 437 4193a6-4193af 431->437 432->418 433->426 443 4194c5-4194d9 433->443 435 41934e 434->435 436 4192fe-41934c 434->436 435->414 436->434 441 4193c1-419405 call 41c4e0 437->441 442 4193b1-4193bf 437->442 449 419407-41940a 441->449 450 41940f-41941b 441->450 442->425 442->441 445 4194db-4194eb 443->445 446 4194ed-4194f9 443->446 451 41950b-419521 call 41c4e0 445->451 446->451 452 4194fb-419508 446->452 449->394 450->425 455 419523-419526 451->455 456 419528-419537 451->456 452->451 455->394 456->432
                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: __nh_malloc_dbg
                                • String ID:
                                • API String ID: 2526938719-0
                                • Opcode ID: 1dedd40c212b86d737cc42a500783f936d07058c4a6aec1a18194dda0f85cf9a
                                • Instruction ID: 7fdf9e2f47d08c1cdaf3c05fa1e569e8f274e39fd4e0f730588c364ff7165eea
                                • Opcode Fuzzy Hash: 1dedd40c212b86d737cc42a500783f936d07058c4a6aec1a18194dda0f85cf9a
                                • Instruction Fuzzy Hash: 8FE11B74E04249DFDB24CFA8C894BADFBB1BB49314F24825ED8656B392C7349886CF45
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph 457 40952f-40962e VirtualProtect
                                APIs
                                • VirtualProtect.KERNELBASE(00000040,?), ref: 0040962A
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: msimg32.dll
                                • API String ID: 544645111-3287713914
                                • Opcode ID: 17b0aac0a531702174b7c65180c391707bf38b3425d045184fdffbf97c0d013b
                                • Instruction ID: 9b7cfc5e17716be782b59f166dd39e07db881f3a278859cfbeeeb5f88a7b37f4
                                • Opcode Fuzzy Hash: 17b0aac0a531702174b7c65180c391707bf38b3425d045184fdffbf97c0d013b
                                • Instruction Fuzzy Hash: F7219A98E08AC1DAF306C768ED08B913E965723749F0A00BD91954A2B2E7FB5158C77F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph 461 409531-40962e VirtualProtect
                                APIs
                                • VirtualProtect.KERNELBASE(00000040,?), ref: 0040962A
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: msimg32.dll
                                • API String ID: 544645111-3287713914
                                • Opcode ID: 86775875dd883554000b779353b5ca5ef6f1083c8ec8bb8f7521579d1f137b51
                                • Instruction ID: 07589be915f535defbfa72ec759fc0598ce49b4d87d3ca622b32015d16d1199b
                                • Opcode Fuzzy Hash: 86775875dd883554000b779353b5ca5ef6f1083c8ec8bb8f7521579d1f137b51
                                • Instruction Fuzzy Hash: 6521A998E0CAC1DAF306C768ED08B913E965723749F0A00BD91954A2B2E7FB5158C77F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID:
                                • String ID: QQ
                                • API String ID: 0-3460843698
                                • Opcode ID: 75285a33f3e3a8226227495b54544be31729fa98091c7b21b9d872baf7ad745d
                                • Instruction ID: 8ebcda0000eecf523cbd085e01e090e350d6b15ac35dbad072ca10934f5ebcd5
                                • Opcode Fuzzy Hash: 75285a33f3e3a8226227495b54544be31729fa98091c7b21b9d872baf7ad745d
                                • Instruction Fuzzy Hash: D301FBB5A00109EBDB04DF54D840BAE73B4EB48304F10816AFD09A7382D339DB51DB99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: __invalid_parameter_memset
                                • String ID:
                                • API String ID: 3961059608-0
                                • Opcode ID: 05b10813307af71d25597e47c8649d7a6d084c0bb43746682a81a9517d95371d
                                • Instruction ID: 1324000d97abd66836b031af892333075081cfb50ad0cef0dc97aef94c640520
                                • Opcode Fuzzy Hash: 05b10813307af71d25597e47c8649d7a6d084c0bb43746682a81a9517d95371d
                                • Instruction Fuzzy Hash: DC1166B1A40208BBDB04DF94CC82F9E3375EB54704F10856AF908BB3D1E778EA508799
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: __nh_malloc_dbg
                                • String ID:
                                • API String ID: 2526938719-0
                                • Opcode ID: f9bf8707853167085b66593613993b00e5ed86952c72447d674ae544adeca308
                                • Instruction ID: c4f57cec82e4bd0dba32cc6c1f0b5ad598e6c7fbc5f644fcfa7b04f801fa35e6
                                • Opcode Fuzzy Hash: f9bf8707853167085b66593613993b00e5ed86952c72447d674ae544adeca308
                                • Instruction Fuzzy Hash: 95E020B1E84308A9E7309AA5580775C7720E744B31F20472FE235362C2D77504404F09
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __encode_pointer.LIBCMTD ref: 00412407
                                  • Part of subcall function 00412330: __crt_wait_module_handle.LIBCMTD ref: 0041237C
                                  • Part of subcall function 00412330: RtlEncodePointer.NTDLL(?), ref: 004123B7
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: EncodePointer__crt_wait_module_handle__encode_pointer
                                • String ID:
                                • API String ID: 2010845264-0
                                • Opcode ID: f00befe9f6ce37f0a9e0ee05923ac5330ac6df44ba7645856ef0dc2498812e42
                                • Instruction ID: 017c5cb46a1c4d55b1340ad0c3270c38816836f5326e70259e7eaab19cdf7902
                                • Opcode Fuzzy Hash: f00befe9f6ce37f0a9e0ee05923ac5330ac6df44ba7645856ef0dc2498812e42
                                • Instruction Fuzzy Hash: 13A0127244420C23E00020933903B03750C43C0638F080021F91C051422886B5604097
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ___security_init_cookie.LIBCMTD ref: 0040AE95
                                  • Part of subcall function 0040AEB0: _check_managed_app.LIBCMTD ref: 0040AF2C
                                  • Part of subcall function 0040AEB0: __heap_init.LIBCMTD ref: 0040AF36
                                  • Part of subcall function 0040AEB0: _fast_error_exit.LIBCMTD ref: 0040AF44
                                  • Part of subcall function 0040AEB0: __mtinit.LIBCMTD ref: 0040AF4C
                                  • Part of subcall function 0040AEB0: _fast_error_exit.LIBCMTD ref: 0040AF57
                                  • Part of subcall function 0040AEB0: __RTC_Initialize.LIBCMTD ref: 0040AF69
                                  • Part of subcall function 0040AEB0: ___crtGetEnvironmentStringsA.LIBCMTD ref: 0040AF93
                                  • Part of subcall function 0040AEB0: ___setargv.LIBCMTD ref: 0040AF9D
                                  • Part of subcall function 0040AEB0: __setenvp.LIBCMTD ref: 0040AFB0
                                  • Part of subcall function 0040AEB0: __cinit.LIBCMTD ref: 0040AFC5
                                  • Part of subcall function 0040AEB0: __wincmdln.LIBCMTD ref: 0040AFE2
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: _fast_error_exit$EnvironmentInitializeStrings___crt___security_init_cookie___setargv__cinit__heap_init__mtinit__setenvp__wincmdln_check_managed_app
                                • String ID:
                                • API String ID: 2731678867-0
                                • Opcode ID: ee8f2d7c38ba407090a88614530fa8bfefe5418cda479201f07807e08c8461eb
                                • Instruction ID: 4163ddfda7dbc0b273293bbe506c37d36eb456cb6e14ae8899fefb7f074ccf43
                                • Opcode Fuzzy Hash: ee8f2d7c38ba407090a88614530fa8bfefe5418cda479201f07807e08c8461eb
                                • Instruction Fuzzy Hash: DCA02232080B0C02020033E3200B80B320E08C032C382002FBA0C022032C3CB8A000EF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __invoke_watson_if_error.LIBCMTD ref: 0041C6D2
                                • _wcscat_s.LIBCMTD ref: 0041C8EA
                                  • Part of subcall function 00421870: __invalid_parameter.LIBCMTD ref: 004218E2
                                • __invoke_watson_if_error.LIBCMTD ref: 0041C8F3
                                  • Part of subcall function 0040DBB0: __invoke_watson.LIBCMTD ref: 0040DBD1
                                • _wcscat_s.LIBCMTD ref: 0041C922
                                  • Part of subcall function 00421870: _memset.LIBCMT ref: 0042194B
                                  • Part of subcall function 00421870: __invalid_parameter.LIBCMTD ref: 004219A7
                                • __invoke_watson_if_error.LIBCMTD ref: 0041C92B
                                • __snwprintf_s.LIBCMTD ref: 0041C984
                                  • Part of subcall function 0041BFE0: __vsnprintf_s_l.LIBCMTD ref: 0041C002
                                • __invoke_watson_if_oneof.LIBCMTD ref: 0041C9BD
                                • _wcscpy_s.LIBCMTD ref: 0041CA02
                                • __invoke_watson_if_error.LIBCMTD ref: 0041CA0B
                                • __cftoe.LIBCMTD ref: 0041CA7F
                                • __invoke_watson_if_oneof.LIBCMTD ref: 0041CAAE
                                • _wcscpy_s.LIBCMTD ref: 0041CAE6
                                • __invoke_watson_if_error.LIBCMTD ref: 0041CAEF
                                • __itow_s.LIBCMTD ref: 0041C6C9
                                  • Part of subcall function 00426280: _xtow_s@20.LIBCMTD ref: 004262AB
                                • __strftime_l.LIBCMTD ref: 0041C789
                                • __invoke_watson_if_oneof.LIBCMTD ref: 0041C7C2
                                • _wcscpy_s.LIBCMTD ref: 0041C807
                                • __invoke_watson_if_error.LIBCMTD ref: 0041C810
                                • _wcscpy_s.LIBCMTD ref: 0041C863
                                • __invoke_watson_if_error.LIBCMTD ref: 0041C86C
                                • _wcscat_s.LIBCMTD ref: 0041C89D
                                • __invoke_watson_if_error.LIBCMTD ref: 0041C8A6
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: __invoke_watson_if_error$_wcscpy_s$__invoke_watson_if_oneof_wcscat_s$__invalid_parameter$__cftoe__invoke_watson__itow_s__snwprintf_s__strftime_l__vsnprintf_s_l_memset_xtow_s@20
                                • String ID: D\@$h8[@$t8j$t9j
                                • API String ID: 2582952045-1301031898
                                • Opcode ID: 8c649d36ace655ee30945a0357195b502b76c5f9a91b9f55d6bee1a9a8e625e2
                                • Instruction ID: 02178abfe23e56a54a67b4c7eb7c84d33cb54055c7f1e4f72fd57db3d001e6e7
                                • Opcode Fuzzy Hash: 8c649d36ace655ee30945a0357195b502b76c5f9a91b9f55d6bee1a9a8e625e2
                                • Instruction Fuzzy Hash: 660293B4A80714AADB20EF50DC8ABDF7374AB44745F5440AAF608762C1D7B89AC4CF99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __inc.LIBCMTD ref: 0041654C
                                • _isdigit.LIBCMTD ref: 00416572
                                • ___check_float_string.LIBCMTD ref: 004165D2
                                • __inc.LIBCMTD ref: 004165F0
                                • _isdigit.LIBCMTD ref: 004166A2
                                • ___check_float_string.LIBCMTD ref: 00416702
                                • ___check_float_string.LIBCMTD ref: 00416689
                                  • Part of subcall function 00416C60: __nh_malloc_dbg.LIBCMTD ref: 00416CBD
                                • __inc.LIBCMTD ref: 0041664D
                                  • Part of subcall function 00416DC0: __filbuf.LIBCMTD ref: 00416E01
                                • ___check_float_string.LIBCMTD ref: 00416796
                                • __inc.LIBCMTD ref: 004167B4
                                • ___check_float_string.LIBCMTD ref: 004167F7
                                • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00416B66
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: ___check_float_string$__inc$Locale_isdigit$UpdateUpdate::~___filbuf__nh_malloc_dbg
                                • String ID: +
                                • API String ID: 1483831053-2126386893
                                • Opcode ID: 3f1cdc535125063f7d7ef7ae872c682c660c3678df03c0684fb82a37ac454917
                                • Instruction ID: 45a2f262c5410c48cc6ad1d3327226c1787b0f07e4967d97fcea125fd92b63d4
                                • Opcode Fuzzy Hash: 3f1cdc535125063f7d7ef7ae872c682c660c3678df03c0684fb82a37ac454917
                                • Instruction Fuzzy Hash: 26F16FB1D042199BCF14CF99C894AEEBB75AF44308F1482AED819A7342D739EA84CF55
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: __inc$__hextodec__un_inc_isxdigit
                                • String ID: 8$F
                                • API String ID: 3652663768-3144575033
                                • Opcode ID: c694fde765daef34fe86b015504b5841358a78d6cc7151bbf1d403a4172b6c69
                                • Instruction ID: 4e8990ed9834d67cabe5cdc1a52b903055c43b73c622471bf65cd64a9ca038d8
                                • Opcode Fuzzy Hash: c694fde765daef34fe86b015504b5841358a78d6cc7151bbf1d403a4172b6c69
                                • Instruction Fuzzy Hash: 1B028EB0D052698BCF25CF64C8943EEBBB1AF15308F1481DAD8196B342D33A9AC5CF49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: _get_int64_arg_write_multi_char$__aulldiv__aullrem_wctomb_s_write_string
                                • String ID: -$9
                                • API String ID: 3451365851-1631151375
                                • Opcode ID: 73748dadc7ea5df593242549316a037bffe645614e081454c675fba9bebad1a7
                                • Instruction ID: a721a5725b6536229582cc34f6c4b56e6aafc0d91daa9a2dae563fcae3e2e464
                                • Opcode Fuzzy Hash: 73748dadc7ea5df593242549316a037bffe645614e081454c675fba9bebad1a7
                                • Instruction Fuzzy Hash: 9BF14BB1E012298FDB24CF58DC99BAEB7B1FB84304F5481DAD419A7281D7789E80CF59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: _get_int64_arg_write_multi_char$__aulldiv__aullrem__mbtowc_l_write_string
                                • String ID: 9
                                • API String ID: 3455034128-2366072709
                                • Opcode ID: 530e62bac20449fc3ef16af2ea562a2331bce4f960ca9bf1045f95520d08cb73
                                • Instruction ID: 87f28a10b6e7806872ac3917b900aa704c7eb3b4201bc77d767262b33af21855
                                • Opcode Fuzzy Hash: 530e62bac20449fc3ef16af2ea562a2331bce4f960ca9bf1045f95520d08cb73
                                • Instruction Fuzzy Hash: FDF16CB1E002299FDF24DF58DC81BAEB7B1BF85304F54419AE109A7241D778AE84CF59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0042673B
                                • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00426771
                                • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00426792
                                • wcsncnt.LIBCMTD ref: 004267C9
                                • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 0042682F
                                • _wcslen.LIBCMTD ref: 00426A3F
                                • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00426A4D
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: Locale$UpdateUpdate::~_$_wcslenwcsncnt
                                • String ID:
                                • API String ID: 1043867012-0
                                • Opcode ID: fc4f0b37faa7f4946a6c5e9665ee82d9b71174bf5f156293fab80b3a31791081
                                • Instruction ID: 7f75a814af551cf217c73b50f5ce39038cad51a7708300b5ccdc52a67e21c884
                                • Opcode Fuzzy Hash: fc4f0b37faa7f4946a6c5e9665ee82d9b71174bf5f156293fab80b3a31791081
                                • Instruction Fuzzy Hash: 84D12775A00218DFCB08DF94D894BEEB7B1FF85304F60C55AE4126B290DB38AE86DB55
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: Locale_write_multi_char$UpdateUpdate::~___get_printf_count_output__invalid_parameter_get_int_arg_wctomb_s_write_string
                                • String ID: -
                                • API String ID: 2357813345-2547889144
                                • Opcode ID: d2fd1506c183ec86f59f6aee48fb561d843edaa370c390d2ac749d9266cd7004
                                • Instruction ID: 09383132ef6e3c52153bc865bd17f4b6936478b15fe0a08a49ab86f91775dfed
                                • Opcode Fuzzy Hash: d2fd1506c183ec86f59f6aee48fb561d843edaa370c390d2ac749d9266cd7004
                                • Instruction Fuzzy Hash: F8A18C70E012298BDB24DF59DC49BAEB7B0EB84305F5481DAE1197B281D778AEC0CF59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: _write_multi_char$_get_int_arg_strlen_wctomb_s_write_string
                                • String ID: -$I@
                                • API String ID: 2232461714-3662616159
                                • Opcode ID: c4d7bbb1e4a35970b1e2731a79c68ebfb12efde7635d023d49e88d8b318ebf39
                                • Instruction ID: 504cf34f6a1f140e24b7c590ea058f5024a33f02ea29967f28fa7e95d4e844db
                                • Opcode Fuzzy Hash: c4d7bbb1e4a35970b1e2731a79c68ebfb12efde7635d023d49e88d8b318ebf39
                                • Instruction Fuzzy Hash: 7EA18F74E012298FDB24CF55DC49BEEB7B0EB88305F5481DAD0196B291D778AE80CF59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: Locale__inc$UpdateUpdate::~___mbtowc_l__un_inc_memset
                                • String ID: $]${${
                                • API String ID: 2643002128-1336171634
                                • Opcode ID: a0d6f3a7a88c6dea91ec17ea94e745941b8181ae169e3f2fdeed4f4618f4c2ce
                                • Instruction ID: 733e9da3a28c0a21848e95e8901b80b5ba50e6ecae14809abc89287093d81474
                                • Opcode Fuzzy Hash: a0d6f3a7a88c6dea91ec17ea94e745941b8181ae169e3f2fdeed4f4618f4c2ce
                                • Instruction Fuzzy Hash: A6B1D670D09798CBCF15CBA9D4946EDBBB1AF46304F14C19FE869AB342C2389A81CF15
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: _write_multi_char$__mbtowc_l_get_int_arg_strlen_write_string
                                • String ID: I@
                                • API String ID: 909868375-3008766272
                                • Opcode ID: 5160bf8aaf3c93fb7daea3ac61722fa4b3b9303f281fa05acda3142a6fb74e5b
                                • Instruction ID: aeb1a302864e0295b61b224f0f41cef40e82057aba0da1d2740614cba2eebc2e
                                • Opcode Fuzzy Hash: 5160bf8aaf3c93fb7daea3ac61722fa4b3b9303f281fa05acda3142a6fb74e5b
                                • Instruction Fuzzy Hash: 1AA181B0E002289FDB24DF55DC81BAEB7B5BF44304F54819AE61967282D738AE84CF5D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: Locale_write_multi_char$UpdateUpdate::~___get_printf_count_output__invalid_parameter__mbtowc_l_get_int_arg_write_string
                                • String ID:
                                • API String ID: 2386203720-0
                                • Opcode ID: f607765c8f2682145a9edb787064b82d444e2ed9b0f04ad2e4101b47de9843e8
                                • Instruction ID: 08d3cf6121706dbf829b6d05311f1c81cf8396b18442ce7c14708cc00a2cbdda
                                • Opcode Fuzzy Hash: f607765c8f2682145a9edb787064b82d444e2ed9b0f04ad2e4101b47de9843e8
                                • Instruction Fuzzy Hash: 61A1AFF0E002289BDB24DF55DC85BAEB774AF84304F50419AE6197B282D778AE84CF5D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: __inc$__mbtowc_l__un_inc
                                • String ID: $c
                                • API String ID: 579247601-3797896886
                                • Opcode ID: 98046de7fd322e1f917b2e6fd8048b3892d2d27587e911f3b1c5c2ec91a3c4cd
                                • Instruction ID: 7ecbc0b786a77850220586fe59660f87f2dbd110734eb0342331823304e5aa8a
                                • Opcode Fuzzy Hash: 98046de7fd322e1f917b2e6fd8048b3892d2d27587e911f3b1c5c2ec91a3c4cd
                                • Instruction Fuzzy Hash: B8918F70D05758DBCF24CF95D8946EEBB71AF85308F14819AE829AB342D7389AC1CF09
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: Message___crt__invoke_watson_if_error__invoke_watson_if_oneof__snwprintf_s_raise_wcscpy_s
                                • String ID: ^9@$`D@
                                • API String ID: 1485069716-273578848
                                • Opcode ID: 61b2dbe9ec1f8faa36acc654127eec5d54c4783b504d953776bc1184599c36c0
                                • Instruction ID: c0e6340a1cda6ef02aac5938a198a3969f3bcb851ff0069ec62fe23309543b73
                                • Opcode Fuzzy Hash: 61b2dbe9ec1f8faa36acc654127eec5d54c4783b504d953776bc1184599c36c0
                                • Instruction Fuzzy Hash: 7C316AB5A40218ABDB24DB91DC46FDA73B5BB58744F0041EAF308762C1D6B85EC08F99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: BytesCheck$HeapPointerValid__free_base_memset
                                • String ID: tDj
                                • API String ID: 25084783-2513116121
                                • Opcode ID: b9adceee1fe61f2cee6d43c756ee87a5a7a58a641edfea7588e9ec640f752860
                                • Instruction ID: faefe7da996400bbef58c54e5170c74f93222f4de7125747aeed027e64bc3a06
                                • Opcode Fuzzy Hash: b9adceee1fe61f2cee6d43c756ee87a5a7a58a641edfea7588e9ec640f752860
                                • Instruction Fuzzy Hash: C591B175A40204EBEB28DB84DDC2F6A7375AB44708F344269F604BB2C2D279EE41D79D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: __inc$__mbtowc_l__un_inc
                                • String ID: ${
                                • API String ID: 579247601-4046706400
                                • Opcode ID: c4822b5e9e88f4911f299a29db30f343fa9385594b584e860edcc568e7ba0c09
                                • Instruction ID: f8bebf5dfd94e6c9dc363e16e45155c9ab91aad30fd5ed40b4ee189f875d7f82
                                • Opcode Fuzzy Hash: c4822b5e9e88f4911f299a29db30f343fa9385594b584e860edcc568e7ba0c09
                                • Instruction Fuzzy Hash: C54190B4D05758DBCF24CB95D8446EEBB71AF85305F14C1AEE429A7202D7389AC5CF09
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: __aulldiv__aullrem_get_int64_arg
                                • String ID: '$0$9
                                • API String ID: 3120068967-269856862
                                • Opcode ID: 61ff73877e2c891499c3fb64a8486ea2c305938b2ba7b0e0e707b528870ff651
                                • Instruction ID: 26c336a9f065971cb0d320951b209e2e278aa466309384de1234029c3de788cf
                                • Opcode Fuzzy Hash: 61ff73877e2c891499c3fb64a8486ea2c305938b2ba7b0e0e707b528870ff651
                                • Instruction Fuzzy Hash: B941F4B1E15229DFDB24CF58E899BAEB7B5FB84304F5481DAD448A7240C7389E81CF49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: __aulldiv__aullrem_get_int64_arg
                                • String ID: '$0$9
                                • API String ID: 3120068967-269856862
                                • Opcode ID: 0685f91b45cbdf0ca138cdfba6d584006a9b8105de1a8e68d10636028a782ff3
                                • Instruction ID: 66da96a2bac71dcb13fa53c53b410c2ec7dc3b67ccd4c81c7949b8dad1257f88
                                • Opcode Fuzzy Hash: 0685f91b45cbdf0ca138cdfba6d584006a9b8105de1a8e68d10636028a782ff3
                                • Instruction Fuzzy Hash: AE41D3719082299FDB64CF58C989BEEB7B5BB84304F1445DAE409AB241C7389EC1CF45
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: __inc$__hextodec__un_inc_isdigit_isxdigit
                                • String ID: 0$p
                                • API String ID: 500523077-2059906072
                                • Opcode ID: 04da5069397b075e653506d4188bde8c25525b423427e154921d5491573031cb
                                • Instruction ID: 6b59d60e470b2688df4fca62ab249f9125279fcdb80552354e7482094790bb3c
                                • Opcode Fuzzy Hash: 04da5069397b075e653506d4188bde8c25525b423427e154921d5491573031cb
                                • Instruction Fuzzy Hash: 75414CB1D042A99ACF25CF65C8942EEBB71AF05308F2581EFD81966302D239DAC5CF49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: __aulldiv__aullrem_get_int64_arg
                                • String ID: 0$9
                                • API String ID: 3120068967-1975997740
                                • Opcode ID: adf89d3c19f081dca0014650f750430d885a7cf6bbcb9a16a6fa2b3a43d07e97
                                • Instruction ID: 74cb3aa1fb84b278cd05ca6ea8a4370dc3a41d3c72b4f31d23988da057b4ed0c
                                • Opcode Fuzzy Hash: adf89d3c19f081dca0014650f750430d885a7cf6bbcb9a16a6fa2b3a43d07e97
                                • Instruction Fuzzy Hash: 114105B1E15228DFDB24CF58E889BAEBBB5FB84304F50819AD448A7240C7385E81CF49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: __aulldiv__aullrem_get_int64_arg
                                • String ID: 0$9
                                • API String ID: 3120068967-1975997740
                                • Opcode ID: 65d4fb54393684fd377d7b0f3d77692b0563070c7f279eb9e5d07005dacc9ba6
                                • Instruction ID: e675631b09abcb4a3db81451e5924fefa61cd99c30674d547d3908986f46349b
                                • Opcode Fuzzy Hash: 65d4fb54393684fd377d7b0f3d77692b0563070c7f279eb9e5d07005dacc9ba6
                                • Instruction Fuzzy Hash: 5041E2B1D082299FDB64CF48C989BEEB7B5BB84304F1445DAE449AB241C7389EC1CF49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: __aulldiv__aullrem_get_int64_arg
                                • String ID: '$9
                                • API String ID: 3120068967-1823400153
                                • Opcode ID: b53842285cc36683f1c6ce8fb90574166aff5df858b6c8ef311ad64556746230
                                • Instruction ID: 88a54ba87f90a9f5b032cfd84d745c94e298abe8153fd9a8b2ffa27ed5e4d3c8
                                • Opcode Fuzzy Hash: b53842285cc36683f1c6ce8fb90574166aff5df858b6c8ef311ad64556746230
                                • Instruction Fuzzy Hash: 994107B1E10129AFDF24CF48D981BAEB7B5FF85318F50409AD148AB241D7789E81CF5A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: __hextodec__inc_isxdigit
                                • String ID: +$p
                                • API String ID: 3003077261-1790238857
                                • Opcode ID: f8efa3abca31849c5592b86eeb0e740c30bf76091945ac1854910c1bafb44064
                                • Instruction ID: adce234988b22d8bd5ae00344cc608b77643e63ba8c088d33e61c2c02cac5546
                                • Opcode Fuzzy Hash: f8efa3abca31849c5592b86eeb0e740c30bf76091945ac1854910c1bafb44064
                                • Instruction Fuzzy Hash: 33317E70D042999BCF25CFA8C8553EEBB71AF05308F1581EBD85966303D2399AC5CF49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: __set_error_mode$_strlen
                                • String ID: jjj$t/j
                                • API String ID: 3008368703-194299851
                                • Opcode ID: 5237a7f9a8c83429df2317257b9317bfec3c0575f1e6d1d1950fffdc02ce5e66
                                • Instruction ID: 6db5c2610d0dec12d3da948c66cac38ab562fe90bf1a157d35b76242cbf996f9
                                • Opcode Fuzzy Hash: 5237a7f9a8c83429df2317257b9317bfec3c0575f1e6d1d1950fffdc02ce5e66
                                • Instruction Fuzzy Hash: 0A21C174904208FBDB20DB94DD45BEE3770EB89314F2082AAE40567391D3799E91DF8A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __raise_exc.LIBCMTD ref: 0041E231
                                  • Part of subcall function 0041E800: __raise_exc_ex.LIBCMTD ref: 0041E81F
                                • __umatherr.LIBCMTD ref: 0041E286
                                  • Part of subcall function 0041EB40: __ctrlfp.LIBCMTD ref: 0041EB90
                                • __ctrlfp.LIBCMTD ref: 0041E2AA
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: __ctrlfp$__raise_exc__raise_exc_ex__umatherr
                                • String ID: Q.$RB
                                • API String ID: 3448981373-1859500299
                                • Opcode ID: 79aa403e752d0bb788226e970f0c201ec913c65f09f5babb0604909f941a5acb
                                • Instruction ID: 65805f5889b076a55894a1ab3ee9b8424b6840a77c5e5b563534fe767c40347b
                                • Opcode Fuzzy Hash: 79aa403e752d0bb788226e970f0c201ec913c65f09f5babb0604909f941a5acb
                                • Instruction Fuzzy Hash: 9A11A5FA800104DBCF14EF95ECC6ADA7374BF48304F0446DDED454A14AEA35D9A8CBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ___libm_error_support.LIBCMTD ref: 0040A155
                                  • Part of subcall function 0040E600: __encode_pointer.LIBCMTD ref: 0040E6E1
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: ___libm_error_support__encode_pointer
                                • String ID:
                                • API String ID: 3390238661-0
                                • Opcode ID: f2b5aa644959d262cfab37b3245a945c98fff48b4c57d48cb8fde3180fc3fbeb
                                • Instruction ID: 7b92bbdbbb07480f0aed9223c0c225ba86dfd7bf963a0cba62cf58ff75b82bfd
                                • Opcode Fuzzy Hash: f2b5aa644959d262cfab37b3245a945c98fff48b4c57d48cb8fde3180fc3fbeb
                                • Instruction Fuzzy Hash: 98412935C04704D6CB21AF79DA4516E77B0EF85344F10CB7AF88876291EB348959D34B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: __getbuf__isatty__write
                                • String ID: 8uA
                                • API String ID: 2861569966-2259325327
                                • Opcode ID: cc1b0abdc2988826ec5a43669376b69e5abb6e32c2e8dc166d42234ab6b96b39
                                • Instruction ID: 0dd3b1d60e5f64f8659b5d50802fca4c560dc3e1392e070fed4939187e0a6d64
                                • Opcode Fuzzy Hash: cc1b0abdc2988826ec5a43669376b69e5abb6e32c2e8dc166d42234ab6b96b39
                                • Instruction Fuzzy Hash: 87510874A00208EFDB04CF94D491AADFBB1FF89324F548299E8856B391C739EA81CF44
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: _memset$__invalid_parameter
                                • String ID: P
                                • API String ID: 2178901135-3110715001
                                • Opcode ID: c1c4b16355b8126a1f74390666c0cf54e97bcb35e05dabf74a386e16d8580c85
                                • Instruction ID: 246fb221c4c39f57b5f0615587a7835857ec6ffcce735e185f1bf46c02527c7d
                                • Opcode Fuzzy Hash: c1c4b16355b8126a1f74390666c0cf54e97bcb35e05dabf74a386e16d8580c85
                                • Instruction Fuzzy Hash: AB418974B04319EBCF24CF58D8857AE7771FB41328F21866AE8252A3C0D3799995CF89
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: __aulldiv__aullrem_get_int64_arg
                                • String ID: 9
                                • API String ID: 3120068967-2366072709
                                • Opcode ID: a9d99888770cab9d7e0f0c34f27cf5cecb2e14e8e89c15b6abf3e2c8dcae7157
                                • Instruction ID: 0f748674789098517c81c6bfd64f9e761f8b5fa2f9a4a8db8edf5eac7631dedc
                                • Opcode Fuzzy Hash: a9d99888770cab9d7e0f0c34f27cf5cecb2e14e8e89c15b6abf3e2c8dcae7157
                                • Instruction Fuzzy Hash: F04117B1E10129AFDF24CF48D881BAEB7B4FF85318F50409AD148AB241D7789E85CF4A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: __aulldiv__aullrem_get_int64_arg
                                • String ID: 9
                                • API String ID: 3120068967-2366072709
                                • Opcode ID: 71fc9a78994e6d16d0c1169087281eb279d550b6d0d5854cb0eb6f4c469db18a
                                • Instruction ID: 7d622ab20ed276f116396610c0aec0db95fc003ade2d99466f96e2832dab4621
                                • Opcode Fuzzy Hash: 71fc9a78994e6d16d0c1169087281eb279d550b6d0d5854cb0eb6f4c469db18a
                                • Instruction Fuzzy Hash: 2041E4B1E15229DFEB24CF58EC99BAEB7B5FB84300F50859AD449A7240D7385E81CF48
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: __aulldiv__aullrem_get_int64_arg
                                • String ID: 9
                                • API String ID: 3120068967-2366072709
                                • Opcode ID: d9517b125610d09cf6686e9e1e60e3f7890620e4f9ac7ed4a8b95ee4aad8908b
                                • Instruction ID: c5f49ca03594f23acbc4f4cd6f5b4d54cf19c5277b46b3f938c6ca43fe85ffb3
                                • Opcode Fuzzy Hash: d9517b125610d09cf6686e9e1e60e3f7890620e4f9ac7ed4a8b95ee4aad8908b
                                • Instruction Fuzzy Hash: F54106B1E10129AFDB24CF48DD81BAEB7B5FF85314F508199D148AB241D7789E80CF59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: __aulldiv__aullrem_get_int64_arg
                                • String ID: 9
                                • API String ID: 3120068967-2366072709
                                • Opcode ID: 20673bb0dd0d476465353f81658d8a072f6559d7ea614f6567867374e6f90a8a
                                • Instruction ID: a4f503f4a05c619a2cb2715f3afc384eec036e56c76c5104009c60b3daeeaa8c
                                • Opcode Fuzzy Hash: 20673bb0dd0d476465353f81658d8a072f6559d7ea614f6567867374e6f90a8a
                                • Instruction Fuzzy Hash: 6041E471E0862A9FDB64DF48C989BEEB7B5BB84300F1485DAE009A7241D7389EC1CF45
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: _get_int64_arg$__aulldiv__aullrem
                                • String ID: 9
                                • API String ID: 2124759748-2366072709
                                • Opcode ID: 52b33b09ba93cfe225179afbd334edf23daf10a9ddb99f53eed7ec5f04d9215f
                                • Instruction ID: 584235817bc73f8ae962284972e65426d18d9de26950287a78096d0aaed1cb15
                                • Opcode Fuzzy Hash: 52b33b09ba93cfe225179afbd334edf23daf10a9ddb99f53eed7ec5f04d9215f
                                • Instruction Fuzzy Hash: FF41D5B1E15228DFDB24CF58E889BAEB7B5FB84300F60859AD449A7240D7385E81CF49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: _get_int64_arg$__aulldiv__aullrem
                                • String ID: 9
                                • API String ID: 2124759748-2366072709
                                • Opcode ID: 86485ad8320365a21d973e09cedde198a619cafc6831d8c362282d666b7d4256
                                • Instruction ID: 80de0027016aba27cfb710d9a3c87b46e20102838d83ac131788fc0b50bedefa
                                • Opcode Fuzzy Hash: 86485ad8320365a21d973e09cedde198a619cafc6831d8c362282d666b7d4256
                                • Instruction Fuzzy Hash: 4041E4B1E082299FDB64DF58C989BEEB7B5BB84300F1045DAE409A7241D7389EC1CF49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: _get_int64_arg$__aulldiv__aullrem
                                • String ID: 9
                                • API String ID: 2124759748-2366072709
                                • Opcode ID: 0dfdaa36073ef9f1184e557c8796e4b4eb4d7ebd374c62414a2cd066758d1c8f
                                • Instruction ID: 0be7bbea8f8936df4ac83a2c52f3f5a9c458ef7ad509494722a83a080cae16c0
                                • Opcode Fuzzy Hash: 0dfdaa36073ef9f1184e557c8796e4b4eb4d7ebd374c62414a2cd066758d1c8f
                                • Instruction Fuzzy Hash: A64105B1E00129AFDB24CF48D981B9EB7B4FF85318F50419AE148A7201D7789E80CF5A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ___dtold.LIBCMTD ref: 0041FAAA
                                • _$I10_OUTPUT.LIBCMTD ref: 0041FAD2
                                • _wcscpy_s.LIBCMTD ref: 0041FB12
                                  • Part of subcall function 0040D730: __invalid_parameter.LIBCMTD ref: 0040D7A2
                                • __invoke_watson_if_error.LIBCMTD ref: 0041FB1B
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: I10____dtold__invalid_parameter__invoke_watson_if_error_wcscpy_s
                                • String ID:
                                • API String ID: 289039318-0
                                • Opcode ID: 92aaf2b82aea1797b1c4990a34dc3c2eaf7d02ca6b795ae88429b16248d6c0e2
                                • Instruction ID: 5976e6ebbafa2d317bb44c7ecfea3bb8eedc22a98761cefad2f2701c318cf0c0
                                • Opcode Fuzzy Hash: 92aaf2b82aea1797b1c4990a34dc3c2eaf7d02ca6b795ae88429b16248d6c0e2
                                • Instruction Fuzzy Hash: 20214DB5A002089BCB04EFA4D942ADEB7F4EF8C704F108569F90567382E634E915CBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __whiteout.LIBCMTD ref: 00415B5F
                                • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00416B66
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: Locale$UpdateUpdate::~___whiteout
                                • String ID: n
                                • API String ID: 2661511698-2013832146
                                • Opcode ID: 2516c8dfc543d407d4c8a144eb9cf6009eb1a8c8fb2bed4a5b4bfbd473836ec5
                                • Instruction ID: ecfd4378f8583d72b307479f6d223e2097ebd30da65c6bdb4e1d2919ce9eeb8a
                                • Opcode Fuzzy Hash: 2516c8dfc543d407d4c8a144eb9cf6009eb1a8c8fb2bed4a5b4bfbd473836ec5
                                • Instruction Fuzzy Hash: B241A070909659CBCF24CF54D4957EEBBB1AF41315F14829BD8156B282C338AEC1CF59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __whiteout.LIBCMTD ref: 00415B5F
                                • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00416B66
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: Locale$UpdateUpdate::~___whiteout
                                • String ID: n
                                • API String ID: 2661511698-2013832146
                                • Opcode ID: d2cf797c362700c7c598d5f58046728f5b52e3385e363cb4ed932ee8fd006abd
                                • Instruction ID: ecfd4378f8583d72b307479f6d223e2097ebd30da65c6bdb4e1d2919ce9eeb8a
                                • Opcode Fuzzy Hash: d2cf797c362700c7c598d5f58046728f5b52e3385e363cb4ed932ee8fd006abd
                                • Instruction Fuzzy Hash: B241A070909659CBCF24CF54D4957EEBBB1AF41315F14829BD8156B282C338AEC1CF59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __whiteout.LIBCMTD ref: 00415B5F
                                • _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00416B66
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: Locale$UpdateUpdate::~___whiteout
                                • String ID: n
                                • API String ID: 2661511698-2013832146
                                • Opcode ID: 81b4a4ac1d906f0f7d1c4b56dcd511b19de96e8159785e3cfc507fb03a1586ed
                                • Instruction ID: 877292e96ff1bb00e21e4e8a2193c3722173543034e2bdd30c2b242f653ec0a3
                                • Opcode Fuzzy Hash: 81b4a4ac1d906f0f7d1c4b56dcd511b19de96e8159785e3cfc507fb03a1586ed
                                • Instruction Fuzzy Hash: 4A318270909668CBCF24CF55D4957EEBBB0AF41315F14829BD8656B282C338AEC1CF19
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000007.00000002.440706921.0000000000409000.00000020.00000001.01000000.00000006.sdmp, Offset: 00409000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_409000_erhuush.jbxd
                                Similarity
                                • API ID: Locale__hextodec__inc__un_inc_isdigit_isxdigit$UpdateUpdate::~_
                                • String ID: p
                                • API String ID: 1652772854-2181537457
                                • Opcode ID: 1588b932da412bbf87f59dad724f1803a9f1c0a02590b428f0eafa555efa337b
                                • Instruction ID: 2e713e9dbd54042634f8fed090cb0d75afbde769bb5addf1dc00d549ecf89bff
                                • Opcode Fuzzy Hash: 1588b932da412bbf87f59dad724f1803a9f1c0a02590b428f0eafa555efa337b
                                • Instruction Fuzzy Hash: 25219071D042698ACF25CF65C8443FEBBB5AF05308F1581EBD81966302D239CAC1CF89
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Execution Graph

                                Execution Coverage: 25.6%
                                Dynamic/Decrypted Code Coverage: 100%
                                Signature Coverage: 0%
                                Total number of Nodes: 39
                                Total number of Limit Nodes: 8

                                Callgraph

                                Control-flow Graph

                                APIs
                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 05082F8B
                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 05082FAB
                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 05082FCB
                                Memory Dump Source
                                • Source File: 0000000D.00000002.476573820.0000000005081000.00000020.00001000.00020000.00000000.sdmp, Offset: 05081000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_5081000_regsvr32.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: d67ae0f6c3b0dbc33e0c3acd2ed51920f1be3291a69c20c17ebd32c678925008
                                • Instruction ID: 531de4570f36d656be9c38c82be310caf13423bad07a55519043eed3463b1a99
                                • Opcode Fuzzy Hash: d67ae0f6c3b0dbc33e0c3acd2ed51920f1be3291a69c20c17ebd32c678925008
                                • Instruction Fuzzy Hash: 92023B75E002299BCB58DF68DC91BEDB7B1BF88714F14859AD549EB340DB30AA81CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • NtCreateThreadEx.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 05151216
                                Memory Dump Source
                                • Source File: 0000000D.00000002.477821755.0000000005151000.00000020.00001000.00020000.00000000.sdmp, Offset: 05151000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_5151000_regsvr32.jbxd
                                Similarity
                                • API ID: CreateThread
                                • String ID:
                                • API String ID: 2422867632-0
                                • Opcode ID: 7eb43aab4efcc3de7a31bfca7b793fa7d04a26d42464197c98bcc33c3cb16c47
                                • Instruction ID: 757db3a90fe77c6d4d3eb4f73f0a6fb342948fc77e2eaec4c25b029a397e1f9b
                                • Opcode Fuzzy Hash: 7eb43aab4efcc3de7a31bfca7b793fa7d04a26d42464197c98bcc33c3cb16c47
                                • Instruction Fuzzy Hash: F1917136618341DFD724CF28C840A9AB7E3FFC9324F268A18E9D997354D771A846CB81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • VirtualFree.KERNELBASE(?,?,?), ref: 05154438
                                Memory Dump Source
                                • Source File: 0000000D.00000002.477821755.0000000005151000.00000020.00001000.00020000.00000000.sdmp, Offset: 05151000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_5151000_regsvr32.jbxd
                                Similarity
                                • API ID: FreeVirtual
                                • String ID:
                                • API String ID: 1263568516-0
                                • Opcode ID: 65b2b484bf10636dde6829dd02dbe3d3f020211f918f641257ad7756cf0f29a3
                                • Instruction ID: 4f060e6b18ad06abdd1db40ecbb8478d34339e93804741a04ba6bdd056033432
                                • Opcode Fuzzy Hash: 65b2b484bf10636dde6829dd02dbe3d3f020211f918f641257ad7756cf0f29a3
                                • Instruction Fuzzy Hash: BD511E76E10119CFDF14CFA9C881A9DBBB7BF88320F168155D919BB294D774A982CF80
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 05151A0F
                                Memory Dump Source
                                • Source File: 0000000D.00000002.477821755.0000000005151000.00000020.00001000.00020000.00000000.sdmp, Offset: 05151000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_5151000_regsvr32.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 72811427c7125005a66f81e193421bd24a6dbe3df2fe88cabc43ab9c77ee4d8b
                                • Instruction ID: 1cd69722c51ee7d6b0b837c65faa5791ae209b1045b479c67c9c86b51478a9a3
                                • Opcode Fuzzy Hash: 72811427c7125005a66f81e193421bd24a6dbe3df2fe88cabc43ab9c77ee4d8b
                                • Instruction Fuzzy Hash: DD512B76E10219DFCF15CFA9C980A9DBBB2FF88320F268659D859EB244D730A941CF40
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Execution Graph

                                Execution Coverage: 2.5%
                                Dynamic/Decrypted Code Coverage: 11.4%
                                Signature Coverage: 19.7%
                                Total number of Nodes: 315
                                Total number of Limit Nodes: 13

                                Control-flow Graph

                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 026F0156
                                • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 026F016C
                                • CreateProcessA.KERNELBASE(?,00000000), ref: 026F0255
                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 026F0270
                                • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 026F0283
                                • GetThreadContext.KERNELBASE(00000000,?), ref: 026F029F
                                • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 026F02C8
                                • NtUnmapViewOfSection.NTDLL(00000000,?), ref: 026F02E3
                                • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 026F0304
                                • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 026F032A
                                • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 026F0399
                                • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 026F03BF
                                • SetThreadContext.KERNELBASE(00000000,?), ref: 026F03E1
                                • ResumeThread.KERNELBASE(00000000), ref: 026F03ED
                                • ExitProcess.KERNEL32(00000000), ref: 026F0412
                                Memory Dump Source
                                • Source File: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_26f0000_87B9.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$MemoryProcess$AllocThreadWrite$Context$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
                                • String ID:
                                • API String ID: 2875986403-0
                                • Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                                • Instruction ID: f13f60e8c58926e614ed86f55abfb4ffd670488b30d84ea72b1e75d59586b8bc
                                • Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                                • Instruction Fuzzy Hash: F3B1C674A00209AFDB44CF98C895F9EBBB5FF88314F248158E608AB395D771AE41CF94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 026F0533
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_26f0000_87B9.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateWindow
                                • String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
                                • API String ID: 716092398-2341455598
                                • Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                                • Instruction ID: 328dd358fa8ba898349e2b39869626b604e78c5789c625e2367e5a0da11a91fc
                                • Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                                • Instruction Fuzzy Hash: 7E512870D08388DAEF11CBE8C949BDDBFB6AF11708F144058D5446F28AC3FA5659CB66
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • GetFileAttributesA.KERNELBASE(apfHQ), ref: 026F05EC
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_26f0000_87B9.jbxd
                                Yara matches
                                Similarity
                                • API ID: AttributesFile
                                • String ID: apfHQ$o
                                • API String ID: 3188754299-2999369273
                                • Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                                • Instruction ID: dcfe0c3e538cb2b3c3c0572a8f8800ec27a57cce1cb67bb959ed21f50f7199de
                                • Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                                • Instruction Fuzzy Hash: 5C011E70C0425CEADF54DB98C5183AEBFB5AF41308F148099C5092B342D7B69B59CBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 41 25457c6-25457df 42 25457e1-25457e3 41->42 43 25457e5 42->43 44 25457ea-25457f6 CreateToolhelp32Snapshot 42->44 43->44 45 2545806-2545813 Module32First 44->45 46 25457f8-25457fe 44->46 47 2545815-2545816 call 2545485 45->47 48 254581c-2545824 45->48 46->45 51 2545800-2545804 46->51 52 254581b 47->52 51->42 51->45 52->48
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 025457EE
                                • Module32First.KERNEL32(00000000,00000224), ref: 0254580E
                                Memory Dump Source
                                • Source File: 0000000E.00000002.494725828.0000000002545000.00000040.00000800.00020000.00000000.sdmp, Offset: 02545000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_2545000_87B9.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateFirstModule32SnapshotToolhelp32
                                • String ID:
                                • API String ID: 3833638111-0
                                • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                • Instruction ID: e9f3f7ca4e46d36a32fe97bd1d8cd0e7f4989d2590682eeed6ac78a43ffb93df
                                • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                • Instruction Fuzzy Hash: A0F09C351007116FD7203BF5988DF6EB6E8BF5567DF500538E542910C0EF70E8458655
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 54 4121c0-4121c7 call 4120f0 56 4121cc-4121d0 54->56
                                C-Code - Quality: 100%
                                			E004121C0() {
                                				void* _t1;
                                
                                				_t1 = E004120F0(0); // executed
                                				return _t1;
                                			}




                                Instruction addresses: 0x004121c7, 0x004121d0

                                APIs
                                • __encode_pointer.LIBCMTD ref: 004121C7
                                  • Part of subcall function 004120F0: TlsGetValue.KERNEL32(00000004), ref: 00412105
                                  • Part of subcall function 004120F0: TlsGetValue.KERNEL32(00000004,00000005), ref: 00412126
                                  • Part of subcall function 004120F0: __crt_wait_module_handle.LIBCMTD ref: 0041213C
                                  • Part of subcall function 004120F0: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00412156
                                  • Part of subcall function 004120F0: RtlEncodePointer.NTDLL(?), ref: 00412177
                                Memory Dump Source
                                • Source File: 0000000E.00000002.493613078.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 0000000E.00000002.493523065.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 0000000E.00000002.493860522.0000000000430000.00000020.00000001.01000000.00000008.sdmp
                                • Associated: 0000000E.00000002.493899985.0000000000436000.00000008.00000001.01000000.00000008.sdmp
                                • Associated: 0000000E.00000002.494094997.00000000004C7000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 0000000E.00000002.494402030.00000000008C7000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 0000000E.00000002.494433804.00000000008CA000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_87B9.jbxd
                                Similarity
                                • API ID: Value$AddressEncodePointerProc__crt_wait_module_handle__encode_pointer
                                • String ID:
                                • API String ID: 568403282-0
                                • Opcode ID: f00befe9f6ce37f0a9e0ee05923ac5330ac6df44ba7645856ef0dc2498812e42
                                • Instruction ID: 56bd8f253069a7568e0a68e63b4c6b3685c6f2a49c54f90427001d980ce716fe
                                • Opcode Fuzzy Hash: f00befe9f6ce37f0a9e0ee05923ac5330ac6df44ba7645856ef0dc2498812e42
                                • Instruction Fuzzy Hash: ABA011B288820823EA0020833803B023A0E83C0A38F080022FA0C0A2822882A8A080AB
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 57 40ad40-40ad45 call 418370 59 40ad4a call 40ad60 57->59
                                C-Code - Quality: 100%
                                			_entry_() {
                                				void* _t3;
                                				void* _t4;
                                				void* _t5;
                                
                                				E00418370(); // executed
                                				return L0040AD60(_t3, _t4, _t5);
                                			}






                                Instruction addresses: 0x0040ad45, 0x0040ad50

                                APIs
                                • ___security_init_cookie.LIBCMTD ref: 0040AD45
                                Memory Dump Source
                                • Source File: 0000000E.00000002.493613078.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 0000000E.00000002.493523065.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 0000000E.00000002.493860522.0000000000430000.00000020.00000001.01000000.00000008.sdmp
                                • Associated: 0000000E.00000002.493899985.0000000000436000.00000008.00000001.01000000.00000008.sdmp
                                • Associated: 0000000E.00000002.494094997.00000000004C7000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 0000000E.00000002.494402030.00000000008C7000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 0000000E.00000002.494433804.00000000008CA000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_87B9.jbxd
                                Similarity
                                • API ID: ___security_init_cookie
                                • String ID:
                                • API String ID: 3657697845-0
                                • Opcode ID: 2ee9993cee9888740ab7b244044e9f3a06580834980761ffb4b15bbb2664e5cd
                                • Instruction ID: 1aa6f64352c82f2f7399416b74ec9f369f850dca5733670cb696924c3eb91816
                                • Opcode Fuzzy Hash: 2ee9993cee9888740ab7b244044e9f3a06580834980761ffb4b15bbb2664e5cd
                                • Instruction Fuzzy Hash: BAA0022504478C66416073B7041794AB54E4DC0B1979D402E7968125435C6DE85140AF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 61 2545485-25454bf call 2545798 64 25454c1-25454f4 VirtualAlloc call 2545512 61->64 65 254550d 61->65 67 25454f9-254550b 64->67 65->65 67->65
                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 025454D6
                                Memory Dump Source
                                • Source File: 0000000E.00000002.494725828.0000000002545000.00000040.00000800.00020000.00000000.sdmp, Offset: 02545000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_2545000_87B9.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                • Instruction ID: a5658c9da31a931ee5485c01809f8a0a62f825dc7609f26e98eb85e0f1a2f803
                                • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                • Instruction Fuzzy Hash: E4116C79A00208EFDB01DF98C985E98BFF1AF08350F0580A4F9489B361E731EA90DF84
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 85%
                                			E00414FF0(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                				intOrPtr _v0;
                                				void* _v804;
                                				intOrPtr _v808;
                                				intOrPtr _v812;
                                				intOrPtr _t6;
                                				intOrPtr _t11;
                                				long _t15;
                                				intOrPtr _t19;
                                				intOrPtr _t20;
                                				intOrPtr _t21;
                                				intOrPtr _t22;
                                				intOrPtr _t23;
                                				intOrPtr _t24;
                                				intOrPtr _t25;
                                				intOrPtr* _t29;
                                				void* _t34;
                                
                                				_t25 = __esi;
                                				_t24 = __edi;
                                				_t22 = __edx;
                                				_t20 = __ecx;
                                				_t19 = __ebx;
                                				_t6 = __eax;
                                				_t34 = _t20 -  *0x4c74b4; // 0x29cd8344
                                				if(_t34 == 0) {
                                					asm("repe ret");
                                				}
                                				 *0x8c7fd8 = _t6;
                                				 *0x8c7fd4 = _t20;
                                				 *0x8c7fd0 = _t22;
                                				 *0x8c7fcc = _t19;
                                				 *0x8c7fc8 = _t25;
                                				 *0x8c7fc4 = _t24;
                                				 *0x8c7ff0 = ss;
                                				 *0x8c7fe4 = cs;
                                				 *0x8c7fc0 = ds;
                                				 *0x8c7fbc = es;
                                				 *0x8c7fb8 = fs;
                                				 *0x8c7fb4 = gs;
                                				asm("pushfd");
                                				_pop( *0x8c7fe8);
                                				 *0x8c7fdc =  *_t29;
                                				 *0x8c7fe0 = _v0;
                                				 *0x8c7fec =  &_a4;
                                				 *0x8c7f28 = 0x10001;
                                				_t11 =  *0x8c7fe0; // 0x0
                                				 *0x8c7edc = _t11;
                                				 *0x8c7ed0 = 0xc0000409;
                                				 *0x8c7ed4 = 1;
                                				_t21 =  *0x4c74b4; // 0x29cd8344
                                				_v812 = _t21;
                                				_t23 =  *0x4c74b8; // 0xd6327cbb
                                				_v808 = _t23;
                                				 *0x8c7f20 = IsDebuggerPresent();
                                				_push(1);
                                				E00419C00(_t12);
                                				SetUnhandledExceptionFilter(0);
                                				_t15 = UnhandledExceptionFilter(0x407424);
                                				if( *0x8c7f20 == 0) {
                                					_push(1);
                                					E00419C00(_t15);
                                				}
                                				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                			}



















                                Instruction addresses: 0x00414ff0, 0x00414ff6, 0x00414ff8, 0x0042298b, 0x00422990, 0x00422996, 0x0042299c, 0x004229a2, 0x004229a8, 0x004229ae, 0x004229b5, 0x004229bc, 0x004229c3, 0x004229ca, 0x004229d1, 0x004229d8, 0x004229d9, 0x004229e2, 0x004229ea, 0x004229f2, 0x004229fd, 0x00422a07, 0x00422a0c, 0x00422a11, 0x00422a1b, 0x00422a25, 0x00422a2b, 0x00422a31, 0x00422a37, 0x00422a43, 0x00422a48, 0x00422a4a, 0x00422a54, 0x00422a5f, 0x00422a6c, 0x00422a6e, 0x00422a70, 0x00422a75, 0x00422a8d

                                APIs
                                • IsDebuggerPresent.KERNEL32 ref: 00422A3D
                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00422A54
                                • UnhandledExceptionFilter.KERNEL32(00407424), ref: 00422A5F
                                • GetCurrentProcess.KERNEL32(C0000409), ref: 00422A7D
                                • TerminateProcess.KERNEL32(00000000), ref: 00422A84
                                Memory Dump Source
                                • Source File: 0000000E.00000002.493613078.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 0000000E.00000002.493523065.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 0000000E.00000002.493860522.0000000000430000.00000020.00000001.01000000.00000008.sdmp
                                • Associated: 0000000E.00000002.493899985.0000000000436000.00000008.00000001.01000000.00000008.sdmp
                                • Associated: 0000000E.00000002.494094997.00000000004C7000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 0000000E.00000002.494402030.00000000008C7000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 0000000E.00000002.494433804.00000000008CA000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_400000_87B9.jbxd
                                Similarity
                                • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                • String ID:
                                • API String ID: 2579439406-0
                                • Opcode ID: 20ba4a53340203b7253ed8d8ad130542b95855e528025d143a85a03c04e694f9
                                • Instruction ID: 477f6a4badbea5c725874083a945a85caf440e46fc1222ffedf0e1de5a151d7a
                                • Opcode Fuzzy Hash: 20ba4a53340203b7253ed8d8ad130542b95855e528025d143a85a03c04e694f9
                                • Instruction Fuzzy Hash: 0F210EB98282049FC304DF19FE84E587BB4BB1C300F4041AEE909973B1EBB45981CF9A
                                Uniqueness

                                Uniqueness Score: -1.00%
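The three entries above (the CreateToolhelp32Snapshot/Module32First routine at 025457C6, the VirtualAlloc routine at 02545485, and the IsDebuggerPresent/UnhandledExceptionFilter/TerminateProcess routine at 00414FF0) are the kind of listing an analyst triages by hand: which functions live in a region with no PE backing, which ones allocate or sit in executable-writable memory, which ones walk the module list, and which "anti-debug" calls are really compiler runtime code. The helper below is an added example and is not part of this Joe Sandbox report or of the sample; it parses the "APIs" and "Source File" lines in the layout used on this page and emits those flags. Two assumptions are mine and not stated by the report: the fifth dotted field of the .sdmp file name is read as the region's page protection (it is 0x40 for both non-PE dumps on this page and 0x02/0x20/0x08/0x04 for the image sections), and the match for the MSVC CRT /GS failure handler (`__report_gsfailure`: IsDebuggerPresent, SetUnhandledExceptionFilter(0), UnhandledExceptionFilter, TerminateProcess with 0xC0000409) is a pattern I wrote from the call sequence, not a report field. The sample input is constructed from the entries on this page.

```python
"""Triage helper for Joe Sandbox function listings (added example, not report output).

Parses the 'APIs' and 'Source File' lines in the layout used on this page and flags
non-PE-backed code, RWX regions and allocations, Toolhelp module walks, and the CRT
/GS failure handler (which is compiler runtime code, not sample logic).
"""
import re
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40
TH32CS_SNAPMODULE = 0x08
SIZEOF_MODULEENTRY32 = 0x224          # 548 bytes, 32-bit ANSI layout
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409

API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[\w@$?:]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SOURCE_LINE = re.compile(
    r"^\s*•\s*Source File:\s*(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)")


def hexint(token):
    """'00000040' -> 0x40; '?' or a string argument such as 'apfHQ' -> None."""
    try:
        return int(token.strip(), 16)
    except ValueError:
        return None


@dataclass
class ApiCall:
    name: str
    args: list
    ref: int
    subcall: bool


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    dump: str = ""
    offset: int = 0
    pe_backed: bool = True

    @property
    def region_protect(self):
        # Assumption: the 5th dotted field of the .sdmp name is the region's page
        # protection. This matches every dump on the page but is not documented there.
        parts = self.dump.split(".")
        return hexint(parts[4]) if len(parts) > 5 else None


def parse_entries(text):
    """One FunctionEntry per 'Source File' line; the API lines above it belong to it."""
    entries, cur = [], FunctionEntry()
    for line in text.splitlines():
        if m := API_LINE.match(line):
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur.calls.append(ApiCall(m["name"], args, int(m["ref"], 16), bool(m["sub"])))
        elif m := SOURCE_LINE.match(line):
            cur.dump, cur.offset, cur.pe_backed = m["dump"], int(m["off"], 16), m["pe"] == "true"
            entries.append(cur)
            cur = FunctionEntry()
    return entries


def triage(entry):
    """Flags an analyst would raise for one function entry, in a stable order."""
    flags = []
    if not entry.pe_backed:
        flags.append("no PE backing: injected or unpacked code")
    if entry.region_protect == PAGE_EXECUTE_READWRITE:
        flags.append("region is PAGE_EXECUTE_READWRITE")
    for c in entry.calls:
        if c.name == "VirtualAlloc" and len(c.args) == 4 and hexint(c.args[3]) == PAGE_EXECUTE_READWRITE:
            flags.append("VirtualAlloc requests PAGE_EXECUTE_READWRITE")
        if c.name == "CreateToolhelp32Snapshot" and c.args and (hexint(c.args[0]) or 0) & TH32CS_SNAPMODULE:
            flags.append("Toolhelp snapshot of loaded modules (TH32CS_SNAPMODULE)")
        if c.name == "Module32First" and len(c.args) == 2 and hexint(c.args[1]) == SIZEOF_MODULEENTRY32:
            flags.append("Module32First with dwSize == sizeof(MODULEENTRY32): module walk")
    direct = {c.name for c in entry.calls if not c.subcall}
    gs = {"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter", "TerminateProcess"}
    if gs <= direct and any(hexint(a) == STATUS_STACK_BUFFER_OVERRUN for c in entry.calls for a in c.args):
        flags.append("CRT __report_gsfailure: IsDebuggerPresent here is CRT code, not an anti-debug check")
    return flags


# Constructed input: three entries copied from this page in the page's own text layout.
SAMPLE = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 025457EE
• Module32First.KERNEL32(00000000,00000224), ref: 0254580E
Memory Dump Source
• Source File: 0000000E.00000002.494725828.0000000002545000.00000040.00000800.00020000.00000000.sdmp, Offset: 02545000, based on PE: false
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 025454D6
Memory Dump Source
• Source File: 0000000E.00000002.494725828.0000000002545000.00000040.00000800.00020000.00000000.sdmp, Offset: 02545000, based on PE: false
APIs
• IsDebuggerPresent.KERNEL32 ref: 00422A3D
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00422A54
• UnhandledExceptionFilter.KERNEL32(00407424), ref: 00422A5F
• GetCurrentProcess.KERNEL32(C0000409), ref: 00422A7D
• TerminateProcess.KERNEL32(00000000), ref: 00422A84
Memory Dump Source
• Source File: 0000000E.00000002.493613078.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
"""


def triage_report(text=SAMPLE):
    """Map '<region offset>:<first API ref>' -> flags for each entry in the text."""
    return {f"{e.offset:08X}:{e.calls[0].ref:08X}": triage(e) for e in parse_entries(text) if e.calls}


if __name__ == "__main__":
    for key, flags in triage_report().items():
        print(key, *flags, sep="\n    ")
```

Run against the full text export of a report, the output separates routines that merit a look (unbacked, RWX, module enumeration) from CRT boilerplate that otherwise pollutes IsDebuggerPresent searches; extend the per-API checks as new argument patterns turn up.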

                                Memory Dump Source
                                • Source File: 0000000E.00000002.494725828.0000000002545000.00000040.00000800.00020000.00000000.sdmp, Offset: 02545000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_2545000_87B9.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1d6b6acc52598ba466396b9b98489674ce8409ccf4a4742af8d6b4b599497031
                                • Instruction ID: 2fe1e5304ab3599173cb3ab50fa312ea859c17b7dc1ade8051a62beeec96aa88
                                • Opcode Fuzzy Hash: 1d6b6acc52598ba466396b9b98489674ce8409ccf4a4742af8d6b4b599497031
                                • Instruction Fuzzy Hash: B43155398062429FDB15CE70D890BA5FB74FF87238F18999CC0818B106D726A04BCB98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 353 2713f16-2713f2f 354 2713f31-2713f3b call 2715ba8 call 2714c72 353->354 355 2713f49-2713f5e call 271bdc0 353->355 362 2713f40 354->362 355->354 360 2713f60-2713f63 355->360 363 2713f65 360->363 364 2713f77-2713f7d 360->364 365 2713f42-2713f48 362->365 366 2713f67-2713f69 363->366 367 2713f6b-2713f75 call 2715ba8 363->367 368 2713f89-2713f9a call 2720504 call 27201a3 364->368 369 2713f7f 364->369 366->364 366->367 367->362 377 2713fa0-2713fac call 27201cd 368->377 378 2714185-271418f call 2714c9d 368->378 369->367 371 2713f81-2713f87 369->371 371->367 371->368 377->378 383 2713fb2-2713fbe call 27201f7 377->383 383->378 386 2713fc4-2713fcb 383->386 387 271403b-2714046 call 27202d9 386->387 388 2713fcd 386->388 387->365 394 271404c-271404f 387->394 390 2713fd7-2713ff3 call 27202d9 388->390 391 2713fcf-2713fd5 388->391 390->365 398 2713ff9-2713ffc 390->398 391->387 391->390 396 2714051-271405a call 2720554 394->396 397 271407e-271408b 394->397 396->397 408 271405c-271407c 396->408 399 271408d-271409c call 2720f40 397->399 400 2714002-271400b call 2720554 398->400 401 271413e-2714140 398->401 409 27140a9-27140d0 call 2720e90 call 2720f40 399->409 410 271409e-27140a6 399->410 400->401 411 2714011-2714029 call 27202d9 400->411 401->365 408->399 419 27140d2-27140db 409->419 420 27140de-2714105 call 2720e90 call 2720f40 409->420 410->409 411->365 416 271402f-2714036 411->416 416->401 419->420 425 2714113-2714122 call 2720e90 420->425 426 2714107-2714110 420->426 429 2714124 425->429 430 271414f-2714168 425->430 426->425 431 2714126-2714128 429->431 432 271412a-2714138 429->432 433 271413b 430->433 434 271416a-2714183 430->434 431->432 435 2714145-2714147 431->435 432->433 433->401 434->401 435->401 436 2714149 435->436 436->430 437 271414b-271414d 436->437 437->401 437->430
                                APIs
                                • _memset.LIBCMT ref: 02713F51
                                  • Part of subcall function 02715BA8: __getptd_noexit.LIBCMT ref: 02715BA8
                                • __gmtime64_s.LIBCMT ref: 02713FEA
                                • __gmtime64_s.LIBCMT ref: 02714020
                                • __gmtime64_s.LIBCMT ref: 0271403D
                                • __allrem.LIBCMT ref: 02714093
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 027140AF
                                • __allrem.LIBCMT ref: 027140C6
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 027140E4
                                • __allrem.LIBCMT ref: 027140FB
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02714119
                                • __invoke_watson.LIBCMT ref: 0271418A
                                Memory Dump Source
                                • Source File: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_26f0000_87B9.jbxd
                                Yara matches
                                Similarity
                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                • String ID:
                                • API String ID: 384356119-0
                                • Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                                • Instruction ID: dc8064418785bee7030b7546196399908d7ea8bd75ca8bdf22ed79a3a890212c
                                • Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                                • Instruction Fuzzy Hash: 39712672A00727ABE715AF7DCC55B6AB3B9AF11324F14427AE514E7680E770D9048BD0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_26f0000_87B9.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ExitProcess___crt
                                • String ID:
                                • API String ID: 1022109855-0
                                • Opcode ID: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
                                • Instruction ID: e0b17afb17f667c11b35bbf3af587469114bfffec4f7f5be7b02623547428add
                                • Opcode Fuzzy Hash: 351ddd14b24f1e3a4d385d89d907221036510e379468225c84414e37ce72688f
                                • Instruction Fuzzy Hash: 5E31C531900260DFDB229F1DFC8584D77A6FF14324754862AEA085B2B0CBB459C9AF96
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • std::exception::exception.LIBCMT ref: 0273FC1F
                                • __CxxThrowException@8.LIBCMT ref: 0273FC34
                                • std::exception::exception.LIBCMT ref: 0273FC4D
                                • __CxxThrowException@8.LIBCMT ref: 0273FC62
                                • std::regex_error::regex_error.LIBCPMT ref: 0273FC74
                                  • Part of subcall function 0273F914: std::exception::exception.LIBCMT ref: 0273F92E
                                • __CxxThrowException@8.LIBCMT ref: 0273FC82
                                • std::exception::exception.LIBCMT ref: 0273FC9B
                                • __CxxThrowException@8.LIBCMT ref: 0273FCB0
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_26f0000_87B9.jbxd
                                Yara matches
                                Similarity
                                • API ID: Exception@8Throwstd::exception::exception$std::regex_error::regex_error
                                • String ID: leM
                                • API String ID: 2862078307-2926266777
                                • Opcode ID: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
                                • Instruction ID: ab05b6671ea12a0a1402bf6ac04151d103bd85f2541a8c8dfc6f8a22d5e2dc33
                                • Opcode Fuzzy Hash: ed214ebb3701571be2f43069d920533da395f334550e3d3fd8b3428f3c6f404b
                                • Instruction Fuzzy Hash: 9111BC79C0020DBBCF01FFA5D499CDDBB7DBA04344B808566ED1897641EB74A3488F95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_26f0000_87B9.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free_malloc_wprintf$_sprintf
                                • String ID:
                                • API String ID: 3721157643-0
                                • Opcode ID: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
                                • Instruction ID: 874de40cfd86eb632812124e8d7c59c38e4ef28d57c799a797d4908af60c8629
                                • Opcode Fuzzy Hash: 02ca39b803bb7accc6b95a63f2f9baed07ed6e7a95ba34453850edf5138b640f
                                • Instruction Fuzzy Hash: 541136B29006A07AC762B6B90C16FFF3BDD9F45302F4800A9FF8CD5180DA185A049BB1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_26f0000_87B9.jbxd
                                Yara matches
                                Similarity
                                • API ID: Exception@8Throw$_memset$_malloc_sprintf
                                • String ID:
                                • API String ID: 65388428-0
                                • Opcode ID: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
                                • Instruction ID: 00a3513da542f7f94c6f6828f942502954b6dcb99bf9270f0d68133e93e610f5
                                • Opcode Fuzzy Hash: 76dd775f958ae6873f0575faef2ecf56324248e316e82f6433bbffcf9f7903c6
                                • Instruction Fuzzy Hash: 79512CB1D40219EBDB11DBA5DC8AFEFBBB9FF04744F100029F909B6190E7745A058BA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_26f0000_87B9.jbxd
                                Yara matches
                                Similarity
                                • API ID: Exception@8Throw$_memset_sprintf
                                • String ID:
                                • API String ID: 217217746-0
                                • Opcode ID: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
                                • Instruction ID: e5c8fc0af1c73ac428bcefa6ebd8ba2045e13b861210f154ebb0c34fca3e1902
                                • Opcode Fuzzy Hash: 3deed8c6e3840860115ea43936f1cfce13c92bcc70370307f91e5f5c9cd17acd
                                • Instruction Fuzzy Hash: EF514F71D40249AADF11DFA5DC86FEEBBB9AF05704F100029FA05B62C0D775AA058BA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_26f0000_87B9.jbxd
                                Yara matches
                                Similarity
                                • API ID: Exception@8Throw$_memset_sprintf
                                • String ID:
                                • API String ID: 217217746-0
                                • Opcode ID: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
                                • Instruction ID: 2e297b61a455df3a8f9e132d0753f447bd02fc1154528b468e905658e82d5a4a
                                • Opcode Fuzzy Hash: 16aaa772ddb988d461e4337924cf716956fc1cb963719ed600faa1ffd715582e
                                • Instruction Fuzzy Hash: 90515271D40249AADF21DFA5DC86FEEBBB9FF04704F100129FA05B62C0D774AA058BA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __getptd_noexit.LIBCMT ref: 027B66DD
                                  • Part of subcall function 027159BF: __calloc_crt.LIBCMT ref: 027159E2
                                  • Part of subcall function 027159BF: __initptd.LIBCMT ref: 02715A04
                                • __calloc_crt.LIBCMT ref: 027B6700
                                • __get_sys_err_msg.LIBCMT ref: 027B671E
                                • __invoke_watson.LIBCMT ref: 027B673B
                                • __get_sys_err_msg.LIBCMT ref: 027B676D
                                • __invoke_watson.LIBCMT ref: 027B678B
                                Memory Dump Source
                                • Source File: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_26f0000_87B9.jbxd
                                Yara matches
                                Similarity
                                • API ID: __calloc_crt__get_sys_err_msg__invoke_watson$__getptd_noexit__initptd
                                • String ID:
                                • API String ID: 4066021419-0
                                • Opcode ID: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
                                • Instruction ID: 573f560f762483f4b7a3b828448c350b878f1d4a26858bcec0015d89b5868110
                                • Opcode Fuzzy Hash: 560737a3d48f69e2c1bbacaa64e20750b253c0be39bebdd764001766347183bc
                                • Instruction Fuzzy Hash: BC11E3726012196BEB237E29DC05BFB738EEF007A4F000466FF08A6A40E732DD014AE5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_26f0000_87B9.jbxd
                                Yara matches
                                Similarity
                                • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                • String ID:
                                • API String ID: 1559183368-0
                                • Opcode ID: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
                                • Instruction ID: f71b0a3bb356d990f009ae40e2929e353b62ba84bc5c2c184c8d5f72dcf2a0d9
                                • Opcode Fuzzy Hash: 7a4cfea45ad1cabaf48d6d85d658ec87b7d71ccae72904ede4351d6e655b18a3
                                • Instruction Fuzzy Hash: 1751B370A0132A9BDB398F7DCC84AAE77B6AF40324F148729ED35962D2E7709951CF44
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_26f0000_87B9.jbxd
                                Yara matches
                                Similarity
                                • API ID: _memset
                                • String ID: D
                                • API String ID: 2102423945-2746444292
                                • Opcode ID: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
                                • Instruction ID: 23d381bd7dda34dada29c75e5fb6aeb40eca5b4199e57a00032d54d6c629dcf8
                                • Opcode Fuzzy Hash: dedb8dcdcede06716d2048126f6c935cbca30f7ec4e51b62ea2b6cedae773fd8
                                • Instruction Fuzzy Hash: 52E14E72D00219EADF65DBA0CD89FEEB7B8BF04304F144069EA09F6191EB746A49CF54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_26f0000_87B9.jbxd
                                Yara matches
                                Similarity
                                • API ID: _memset
                                • String ID: $$$(
                                • API String ID: 2102423945-3551151888
                                • Opcode ID: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
                                • Instruction ID: d3623191b57079487b63ed15f34aad2639fa24312bff41c4f6322e5e1c021ace
                                • Opcode Fuzzy Hash: d910fc5c6766dfc0bc4f58c39da0494fd508bff05af182706436a08bc08c5056
                                • Instruction Fuzzy Hash: BC91BEB1D00218EAEF21CFA4CC99BEEBBB5AF05308F144169D505772C1DBB66A48CF65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • std::exception::exception.LIBCMT ref: 0273FBF1
                                • __CxxThrowException@8.LIBCMT ref: 0273FC06
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_26f0000_87B9.jbxd
                                Yara matches
                                Similarity
                                • API ID: Exception@8Throwstd::exception::exception
                                • String ID: TeM$TeM
                                • API String ID: 3728558374-3870166017
                                • Opcode ID: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                                • Instruction ID: 8c62b8e21a8754684fdc97649330c5cd2a0dd2ce96c9d9aaf3b5acd99312a58b
                                • Opcode Fuzzy Hash: 96199cc15ff6b6db5c9edb5d1ae12cb70dd59b1139974201ea7fd9c915f9b6e6
                                • Instruction Fuzzy Hash: F2D06775C0025CBBCB01EFA5D499CDDBBB9AA04344B408466E91897241EA74A34D8F94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0271197D: __wfsopen.LIBCMT ref: 02711988
                                • _fgetws.LIBCMT ref: 026FD15C
                                Memory Dump Source
                                • Source File: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_26f0000_87B9.jbxd
                                Yara matches
                                Similarity
                                • API ID: __wfsopen_fgetws
                                • String ID:
                                • API String ID: 853134316-0
                                • Opcode ID: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
                                • Instruction ID: 9ce9700aae661c56e95719d10a2449f61aa114e94654cfb20c09d74e9e315d51
                                • Opcode Fuzzy Hash: fb686944b339c976eacea12c72b2cba8865104c98ae0a1a06473ea49a68c22d9
                                • Instruction Fuzzy Hash: 1791B272D00219ABCF61DFA8CC89BAEB7B5BF05314F140529EA15A3240E775BA48CBD5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 0000000E.00000002.495843293.00000000026F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_26f0000_87B9.jbxd
                                Yara matches
                                Similarity
                                • API ID: _malloc$__except_handler4_fprintf
                                • String ID:
                                • API String ID: 1783060780-0
                                • Opcode ID: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
                                • Instruction ID: ac7e43378d7f1c130b583ca12d7cdc7bbedd3002e06e256c1528b43cbd70a727
                                • Opcode Fuzzy Hash: bc6d813e7e752583a03017172366884d0a88b051dc04778f03b6bdc3bc976eb1
                                • Instruction Fuzzy Hash: 98A151B1C00259DBEF12EFE4CC49BDEBB76AF15308F140028D50576292D7B65A58CFA6
                                Uniqueness

                                Uniqueness Score: -1.00%